CVE-2023-33240
📋 TL;DR
This vulnerability allows unprivileged local users to escalate their privileges to SYSTEM level on Windows systems. It affects Foxit PDF Reader and Editor installations when installed to non-default directories. Attackers can exploit this by accessing an executable file of a system service that has improper permissions.
💻 Affected Systems
- Foxit PDF Reader
- Foxit PDF Editor
⚠️ Risk & Real-World Impact
Worst Case
Local attacker gains full SYSTEM privileges, enabling complete system compromise, data theft, persistence mechanisms, and lateral movement capabilities.
Likely Case
Local user with limited privileges escalates to administrative rights, potentially installing malware, accessing sensitive files, or bypassing security controls.
If Mitigated
With proper directory permissions and user access controls, exploitation would be prevented or significantly limited.
🎯 Exploit Status
Requires local access and a non-default installation path. Exploitation involves accessing a misconfigured service executable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Foxit PDF Reader/Editor 12.1.2
Vendor Advisory: https://www.foxit.com/support/security-bulletins.html
Restart Required: Yes
Instructions:
1. Download Foxit PDF Reader/Editor 12.1.2 or later from official Foxit website.
2. Run installer with administrative privileges.
3. Follow installation prompts.
4. Restart system after installation completes.
🔧 Temporary Workarounds
Change installation directory permissions
Windows: Modify ACLs on Foxit installation directory to restrict access to authorized users only
icacls "C:\Path\To\Foxit\Installation" /inheritance:r /grant:r "Administrators:(OI)(CI)F" /grant:r "SYSTEM:(OI)(CI)F" /grant:r "Users:(OI)(CI)RX"
Reinstall to default directory
Windows: Uninstall Foxit and reinstall to default C:\Program Files\Foxit Software\ directory
🧯 If You Can't Patch
- Restrict local user access to systems with vulnerable Foxit installations
- Implement strict directory permissions on Foxit installation folders
🔍 How to Verify
Check if Vulnerable:
Check the Foxit version via Help > About. If the version is 12.1.1.15289 or earlier for Reader, or within the affected ranges for Editor, and the product is installed to a non-default directory, the system is vulnerable.
Check Version:
wmic product where "name like '%Foxit%'" get version
Verify Fix Applied:
Verify that the Foxit version is 12.1.2 or later via Help > About. Check that the installation directory is properly secured with restricted permissions.
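The permission check can be scripted. The following PowerShell audit is an added example, not code from Foxit or from the original page: it lists allow ACEs that let low-privileged principals modify a Foxit service executable or its folder. Assumptions: services are matched by "Foxit" appearing in the service image path, the four well-known SIDs stand for low-privileged users, and the function name is hypothetical.

```powershell
# Added example (not vendor code): report Foxit service binaries and folders
# that low-privileged principals are allowed to modify.
function Get-FoxitServiceAclFinding {
    $lowPrivSids = @(
        'S-1-1-0',       # Everyone
        'S-1-5-4',       # INTERACTIVE
        'S-1-5-11',      # Authenticated Users
        'S-1-5-32-545'   # BUILTIN\Users
    )
    # Rights that permit replacing or tampering with a file, plus GENERIC_ALL / GENERIC_WRITE.
    $writeMask = ([int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership') -bor 0x10000000 -bor 0x40000000
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Assumption: Foxit services are identified by "Foxit" in the image path.
    $services = Get-CimInstance Win32_Service | Where-Object { $_.PathName -match 'Foxit' }
    foreach ($svc in $services) {
        # PathName may be quoted and may carry arguments; keep only the executable.
        if ($svc.PathName -match '^\s*"([^"]+)"' -or $svc.PathName -match '^\s*(.+?\.exe)') {
            $exe = $Matches[1]
        } else { continue }

        # The issue concerns non-default install paths, so record where the binary lives.
        $inDefault = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
            Where-Object { $_ -and $exe.StartsWith($_, [StringComparison]::OrdinalIgnoreCase) }

        foreach ($target in $exe, (Split-Path -Path $exe -Parent)) {
            if (-not (Test-Path -LiteralPath $target)) { continue }
            $acl = Get-Acl -LiteralPath $target
            # Request rules keyed by SID so the check works on localized Windows builds.
            foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
                if ($rule.AccessControlType -eq 'Allow' -and
                    $lowPrivSids -contains $rule.IdentityReference.Value -and
                    ([int]$rule.FileSystemRights -band $writeMask) -ne 0) {
                    [pscustomobject]@{
                        Service           = $svc.Name
                        RunsAs            = $svc.StartName
                        Path              = $target
                        UnderProgramFiles = [bool]$inDefault
                        Sid               = $rule.IdentityReference.Value
                        Rights            = $rule.FileSystemRights
                        Inherited         = $rule.IsInherited
                    }
                }
            }
        }
    }
}

Get-FoxitServiceAclFinding | Format-Table -AutoSize
```

No output means no matching ACE was found; any row where RunsAs is LocalSystem and UnderProgramFiles is False matches the condition this advisory describes.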
📡 Detection & Monitoring
Log Indicators:
- Windows Event Logs showing unauthorized access attempts to Foxit service executables
- Security logs showing privilege escalation attempts
Network Indicators:
- No network indicators - this is a local privilege escalation vulnerability
SIEM Query:
EventID=4688 AND (NewProcessName contains 'foxit' OR ParentProcessName contains 'foxit') AND SubjectUserName != 'SYSTEM'