Disclaimer: This write-up is for educational purposes only. Do not attempt to exploit vulnerabilities on machines you do not own or have permission to test.


PDF readers are everywhere, used by people and businesses daily — which makes them a juicy target for attackers. In version 12..1.12430 of Foxit Software’s PDF Reader, a dangerous vulnerability was discovered within its JavaScript engine: CVE-2022-38097, a use-after-free bug. Let’s walk through what this is, how it works, and what an attacker could do.

What Is CVE-2022-38097?

CVE-2022-38097 is a use-after-free vulnerability. In simpler terms, it’s a bug where the software frees (deletes) a piece of memory, but then later tries to use it again. If an attacker can control what gets put in that old memory spot, they can make the program do things its creator never intended — like running malicious code.

In this case, the flaw exists in Foxit PDF Reader’s JavaScript engine. PDF files can contain chunks of JavaScript, running inside Foxit for interactive features. If a PDF is crafted in a certain way, it can trigger the premature destruction of an annotation object — basically, a note or interactive field inside the document. When Foxit tries to use that destroyed object later, it ends up accessing unpredictable data.

If an attacker manipulates this “freed” memory the right way, they can take control and run any commands they want on the victim’s computer. It only takes getting someone to open a malicious PDF, or even just visit a website if Foxit’s browser plugin is enabled.

The Process, Simplified

1. Create a Malicious PDF: The attacker crafts a PDF with special JavaScript that creates and immediately destroys an annotation object.
2. Trigger Use-After-Free: The code forces the program to use the destroyed object, accessing freed memory.
3. Control the Memory: The attacker fills the freed spot with custom data (like a pointer to malicious code).
4. Execute Arbitrary Code: When Foxit accesses the annotation, it runs the attacker’s code instead.

Here’s a simplified, illustrative JavaScript example that would live inside a PDF file

// Step 1: Create a new annotation (e.g., a form field).
var ann = this.addAnnot({
    page: ,
    type: "Text",
    rect: [100,100,200,200],
    author: "attacker"
});

// Step 2: Destroy the annotation object.
ann.destroy();

// Step 3: Allocate spray objects to fill freed memory
var arr = [];
for (var i = ; i < 10000; i++) {
    arr.push({ spray: "AAAA" });
}

// Step 4: Trigger use-after-free by referencing the destroyed annotation.
try {
    ann.setProps({content: "exploited!"});
} catch (e) {
    // Error thrown because memory is now bad, but in real exploit, code would execute
    console.log("Crashed or code executed.");
}

Note: Real-world attacks use memory “spraying” to fill freed space with executable code. The example above is simplified to explain the concept, not for actual exploitation.

Attack Scenarios

- Email Attachments: You get a PDF in your inbox. You open it with Foxit Reader. Bam — attacker’s code runs.
- Web Exploits: With the Foxit browser extension enabled, even just visiting a malicious site with an embedded PDF can trigger the exploit.
- Drive-By Downloads: Download any infected file from the web, open it with Foxit Reader, and your PC could be at risk.

References & Resources

- NIST National Vulnerability Database Entry for CVE-2022-38097
- Foxit PDF Reader Security Bulletins
- Exploit-DB: Use After Free - Annotating the Danger in PDF Readers (example search)

How To Stay Safe

- Update Foxit PDF Reader: Always use the latest version. Bugs like this are patched quickly once revealed. Get the newest here.
- Disable JavaScript in PDFs: This blocks attacks using PDF-embedded scripts. Go to Preferences > JavaScript and uncheck “Enable JavaScript Actions.”

Summary

CVE-2022-38097 is a serious reminder of how something as simple as opening a document can get you hacked. A use-after-free bug in Foxit Reader’s JavaScript engine lets attackers take over, and it’s easy to exploit—just trick a user into opening a file. Always keep your software up-to-date and be wary of unsolicited files. For power users and researchers, understanding these bugs is critical to staying one step ahead.

Timeline

Published on: 11/21/2022 16:15:00 UTC
Last modified on: 11/22/2022 19:00:00 UTC