An issue was discovered in Foxit Reader before 10.1.1 (and before 4.1.1 on macOS) and PhantomPDF before 9.7.5 and 10.x before 10.1.1 (and before 4.1.1 on macOS). An attacker can spoof a certified PDF document via an Evil Annotation Attack because the products fail to consider a null value for a Subtype entry of the Annotation dictionary, in an incremental update.
Foxit Reader and PhantomPDF are vulnerable to a signature-spoofing flaw that lets an attacker change what a certified PDF displays while the viewer still reports the certification as valid. The flaw stems from improper handling of the annotation Subtype entry in incremental updates: an annotation whose /Subtype is null is not classified against the document's certification permissions, so its appearance is rendered over the certified content without the modification being flagged. The impact is document forgery (for example, altered amounts, names or terms in a certified contract or invoice); nothing in the advisory indicates code execution or memory corruption.
Step 1: Payload Creation: The attacker starts from a genuinely certified PDF, that is, one carrying a DocMDP certification signature from a legitimate signer (the attacker does not need the signer's key; any certified document they have received will do). The attacker appends an incremental update to the file. Because an incremental update only adds objects after the signed byte range, the original signature stays cryptographically valid. The update adds an annotation dictionary with a null /Subtype entry, an appearance stream (/AP) that draws the attacker's replacement content, and a /Rect that places it over the text to be hidden.
Step 2: Document Delivery: The attacker delivers the modified PDF to the victim, typically via email, a malicious website, or a shared network drive. The document appears trustworthy because the viewer still shows the original certification as intact.
Step 3: Vulnerability Trigger: The victim opens the malicious PDF in a vulnerable version of Foxit Reader or PhantomPDF.
Step 4: Parsing and Exploitation: The software parses the incremental update and checks whether the changes are permitted by the certification. Because the annotation's /Subtype is null, the check never classifies it as an annotation that the certification forbids, so the update is not reported as a modification. The annotation's appearance stream is then rendered as part of the page, covering or replacing the certified content, while the signature panel continues to report the document as certified and unmodified. The victim is therefore shown attacker-chosen content under a genuine signer's certification.
The vulnerability lies in the way Foxit Reader and PhantomPDF handle incremental updates to certified PDF documents, specifically the processing of annotation dictionaries. A DocMDP certification declares a permission level (P=1: no changes; P=2: form filling and signing only; P=3: additionally annotations), and a viewer must compare every object added by an incremental update against that level. The software fails to properly validate the Subtype entry of an annotation dictionary during this comparison: a crafted update can carry an annotation whose /Subtype is null, which the permission check does not recognise as an annotation at all, while the renderer still draws its appearance stream. The root cause is a logic error in input validation, where a null value in a critical entry falls through the permission rules instead of being rejected. This lets an attacker inject visible content disguised as a legitimate annotation, effectively spoofing a certified document without touching the signed bytes or breaking the signature. The correct behaviour is to treat a missing, null or non-name /Subtype as an unclassifiable change and to report the certification as broken.
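The following is an added example, not code from the advisory or from Foxit, that walks through the attack steps above and the root cause in one runnable script. It builds a constructed, minimal "certified" PDF (the signature contents and xref offsets are placeholders, since a real signature is not needed to show the parsing logic), appends an incremental update containing an annotation with /Subtype null and an appearance stream that overlays the certified amount, and then runs two checkers over the file: a model of the flawed logic, which only classifies annotations whose /Subtype is a PDF name, and a hardened version that rejects any annotation it cannot classify. The regex-based object scanner, the DocMDP permission levels (from the PDF specification) and the "vulnerable" model are assumptions made for illustration, not a reproduction of Foxit's actual parser.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample, not a real signed file: a base revision declaring a DocMDP
# certification with P=2 (form filling and signing only, annotations forbidden),
# followed by one incremental update that adds an annotation with /Subtype null
# whose appearance stream paints a new amount over the certified one.
# Signature bytes and startxref offsets are placeholders; the scanner never uses them.
BASE_REVISION = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Perms << /DocMDP 5 0 R >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >> endobj
4 0 obj << /Length 42 >> stream
BT /F1 24 Tf 72 700 Td (Pay 100 USD) Tj ET
endstream endobj
5 0 obj << /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached
  /Reference [ << /Type /SigRef /TransformMethod /DocMDP
     /TransformParams << /Type /TransformParams /P 2 /V /1.2 >> >> ] >> endobj
trailer << /Root 1 0 R /Size 6 >>
startxref
0
%%EOF
"""

EVIL_UPDATE = b"""3 0 obj << /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R /Annots [6 0 R] >> endobj
6 0 obj << /Type /Annot /Subtype null /Rect [72 690 420 730] /F 4 /AP << /N 7 0 R >> >> endobj
7 0 obj << /Type /XObject /Subtype /Form /BBox [0 0 348 40] /Length 43 >> stream
BT /F1 24 Tf 0 10 Td (Pay 100000 USD) Tj ET
endstream endobj
trailer << /Root 1 0 R /Size 8 /Prev 0 >>
startxref
0
%%EOF
"""

CERTIFIED_PDF = BASE_REVISION + EVIL_UPDATE

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b(.*?)\bendobj", re.S)
# A /Subtype value is either a name token (/Text, /Square, ...) or the null object.
SUBTYPE_RE = re.compile(rb"/Subtype\s*(/[^\s/\[\]<>()]+|null)")
DOCMDP_P_RE = re.compile(rb"/TransformMethod\s*/DocMDP.*?/P\s+(\d)", re.S)


def split_revisions(pdf: bytes) -> List[bytes]:
    """Split at each %%EOF: revision 0 is the signed original, later ones are incremental updates."""
    return [part for part in pdf.split(b"%%EOF") if part.strip()]


def docmdp_level(revision: bytes) -> Optional[int]:
    """Return the DocMDP permission level P declared by the certification, if any."""
    m = DOCMDP_P_RE.search(revision)
    return int(m.group(1)) if m else None


def annotations_in(revision: bytes) -> List[Tuple[int, Optional[bytes]]]:
    """Return (object number, raw /Subtype token or None) for every /Annot dictionary."""
    found = []
    for m in OBJ_RE.finditer(revision):
        body = m.group(3)
        if re.search(rb"/Type\s*/Annot\b", body):
            st = SUBTYPE_RE.search(body)
            found.append((int(m.group(1)), st.group(1) if st else None))
    return found


def vulnerable_check(pdf: bytes) -> List[str]:
    """Model of the flawed logic (assumption, not Foxit's code): only annotations whose
    /Subtype is a name are classified, so a null /Subtype is never tested against P."""
    revisions = split_revisions(pdf)
    level = docmdp_level(revisions[0])
    findings = []
    for idx, rev in enumerate(revisions[1:], start=1):
        for num, subtype in annotations_in(rev):
            if level in (1, 2) and subtype is not None and subtype.startswith(b"/"):
                findings.append(f"rev {idx}: obj {num} adds {subtype.decode()} annotation, forbidden at P={level}")
    return findings


def hardened_check(pdf: bytes) -> List[str]:
    """Reject any annotation added by an update unless /Subtype is a name and P permits annotations."""
    revisions = split_revisions(pdf)
    level = docmdp_level(revisions[0])
    findings = []
    for idx, rev in enumerate(revisions[1:], start=1):
        for num, subtype in annotations_in(rev):
            if subtype is None or not subtype.startswith(b"/"):
                findings.append(f"rev {idx}: obj {num} has missing or null /Subtype; unclassifiable, reject")
            elif level in (1, 2):
                findings.append(f"rev {idx}: obj {num} adds {subtype.decode()} annotation, forbidden at P={level}")
    return findings


if __name__ == "__main__":
    print("vulnerable:", vulnerable_check(CERTIFIED_PDF) or "no findings, document shown as validly certified")
    print("hardened:  ", hardened_check(CERTIFIED_PDF))
```

Run stand-alone, the vulnerable model reports nothing for the tampered file, which is exactly the spoofing outcome: the signature over the first revision still verifies, and the permission check never sees the overlay. The hardened check flags object 6 regardless of P, because an annotation that cannot be classified must be treated as a forbidden modification rather than ignored.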