CVE-2018-20312
📋 TL;DR
This vulnerability in Foxit Reader and PhantomPDF involves a race condition in the proxyDoAction function that can lead to stack-based buffer overflow or out-of-bounds read. Attackers could exploit this to execute arbitrary code or cause denial of service. Users of affected Foxit software versions are at risk.
💻 Affected Systems
- Foxit Reader
- Foxit PhantomPDF
📦 What is this software?
Phantompdf by Foxitsoftware
Reader by Foxitsoftware
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with SYSTEM/administrator privileges leading to complete system compromise
Likely Case
Application crash (denial of service) or limited information disclosure via memory reads
If Mitigated
Application crash with no privilege escalation if sandboxing/ASLR works properly
🎯 Exploit Status
Requires user to open malicious PDF. Race condition exploitation adds complexity but public PoCs exist.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Foxit Reader 9.5+, PhantomPDF 8.3.10+ or 9.5+
Vendor Advisory: https://www.foxitsoftware.com/support/security-bulletins.php
Restart Required: Yes
Instructions:
1. Download the latest version from the Foxit website.
2. Run the installer.
3. Restart the system.
4. Verify the version is 9.5 or higher for Reader, 8.3.10+ or 9.5+ for PhantomPDF.
🔧 Temporary Workarounds
Disable JavaScript in Foxit
All platforms: prevents exploitation via JavaScript-triggered race conditions
Open Foxit > File > Preferences > JavaScript > Uncheck 'Enable JavaScript'
Use alternative PDF reader
All platforms: temporarily switch to non-vulnerable PDF software
🧯 If You Can't Patch
- Implement application whitelisting to block Foxit Reader/PhantomPDF execution
- Deploy network segmentation to isolate PDF processing systems
🔍 How to Verify
Check if Vulnerable:
Check Foxit version via Help > About. If Reader version < 9.5 or PhantomPDF version < 8.3.10 (for 8.x) or < 9.5 (for 9.x), system is vulnerable.
Check Version:
On Windows: wmic product where "name like 'Foxit%'" get name,version
Verify Fix Applied:
Verify version is Reader 9.5+ or PhantomPDF 8.3.10+ (8.x) or 9.5+ (9.x). Test with known safe PDF files.
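The version rules above can be applied across the standard Uninstall registry keys instead of checking Help > About on each machine. This is an added example, not Foxit's tooling; the function name `Get-FoxitPatchState` and the `DisplayName` prefixes "Foxit Reader" and "Foxit PhantomPDF" are assumptions, and PhantomPDF branches older than 8.x are reported as unknown because the fix list does not cover them.

```powershell
# Added example: classify Foxit installs against the fixed versions listed on this page.
# Assumption: products register a DisplayName starting "Foxit Reader" or "Foxit PhantomPDF".
function Get-FoxitPatchState {
    param(
        [Parameter(Mandatory)][string]$DisplayName,
        [Parameter(Mandatory)][string]$DisplayVersion
    )
    $v = $null
    if (-not [version]::TryParse($DisplayVersion, [ref]$v)) {
        return 'Unknown (unparseable version)'
    }
    if ($DisplayName -like 'Foxit Reader*') {
        if ($v -ge [version]'9.5') { return 'Patched' } else { return 'Vulnerable' }
    }
    if ($DisplayName -like 'Foxit PhantomPDF*') {
        if ($v -ge [version]'9.5') { return 'Patched' }      # 9.5+ and later majors
        if ($v.Major -eq 9)        { return 'Vulnerable' }   # 9.x below 9.5
        if ($v.Major -eq 8) {                                # 8.x branch: fixed in 8.3.10
            if ($v -ge [version]'8.3.10') { return 'Patched' } else { return 'Vulnerable' }
        }
        return 'Unknown (branch not covered by the fix list)'
    }
    return 'Not Foxit Reader/PhantomPDF'
}

# Both 64-bit and 32-bit (WOW6432Node) views of the machine-wide Uninstall key.
$roots = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
         'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'

Get-ItemProperty -Path $roots -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'Foxit*' -and $_.DisplayVersion } |
    ForEach-Object {
        [pscustomobject]@{
            Name    = $_.DisplayName
            Version = $_.DisplayVersion
            State   = Get-FoxitPatchState -DisplayName $_.DisplayName -DisplayVersion $_.DisplayVersion
        }
    }

# Constructed sample values (not real inventory data) showing each branch of the rules.
'Foxit Reader|9.4.1.16828', 'Foxit PhantomPDF|8.3.9.41099', 'Foxit PhantomPDF|8.3.10.42705',
'Foxit PhantomPDF|7.3.4.311' | ForEach-Object {
    $name, $ver = $_ -split '\|'
    '{0} {1}: {2}' -f $name, $ver, (Get-FoxitPatchState -DisplayName $name -DisplayVersion $ver)
}
```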
📡 Detection & Monitoring
Log Indicators:
- Application crashes of Foxit processes
- Unusual child process spawning from Foxit
- Memory access violation errors in Windows Event Logs
Network Indicators:
- Downloads of PDF files from suspicious sources
- Outbound connections from Foxit processes
SIEM Query:
(process_name:"FoxitReader.exe" AND (event_id:1000 OR event_id:1001)) OR (process_parent_name:"FoxitReader.exe" AND process_name NOT IN ("explorer.exe", "svchost.exe"))