This allows the “app.launchURL” method to execute a system call from a user-supplied string, with insufficient validation. It appears that app.launchURL takes URLs as arguments and does not check whether or not the argument is an actual URL. This will allow an attacker to simply execute arbitrary commands.
In CVE-2017-10592, the ‘saveAs’ function call is used to drop a file to the local file system. The researcher used the ‘xfa.host.exportData’ function to achieve the same functionality. The provided PoC drops the .hta file into the startup folder, so the attacker just has to wait for the victim to restart their system.
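For triage of suspect documents, the following Python scanner is an added example, not code from the original post, the researchers or the vendor. It inflates a PDF's Flate-compressed streams and flags the calls discussed above: `app.launchURL` with an argument that is not a literal http(s) URL, and `saveAs` / `xfa.host.exportData` file writes. The function names, the sample bytes and the placeholder file names are constructed for illustration.

```python
import re
import zlib

# JavaScript calls named in the write-up. A hit is a triage signal, not a verdict.
CALL_RE = re.compile(rb"(app\.launchURL|xfa\.host\.exportData|saveAs)\s*\(\s*([^)]*)\)")
STREAM_RE = re.compile(rb"stream\r?\n(.*?)endstream", re.S)
WEB_URL_RE = re.compile(rb"""["']https?://""", re.I)


def script_sources(pdf_bytes):
    """Yield the raw file, then every stream body that inflates as Flate data."""
    yield pdf_bytes
    for match in STREAM_RE.finditer(pdf_bytes):
        try:
            # decompressobj ignores the end-of-line bytes left before "endstream"
            yield zlib.decompressobj().decompress(match.group(1))
        except zlib.error:
            continue  # uncompressed stream: already covered by the raw pass


def scan_pdf(pdf_bytes):
    """Return sorted (api, argument_text, reason) findings for one PDF."""
    findings = set()
    for source in script_sources(pdf_bytes):
        for api, args in CALL_RE.findall(source):
            if api == b"app.launchURL":
                if WEB_URL_RE.match(args):
                    continue  # literal http(s) URL: the expected use
                reason = "argument is not a literal http(s) URL"
            else:
                reason = "script writes a file to the local file system"
            findings.add((api.decode(), args.decode("latin-1").strip(), reason))
    return sorted(findings)


def constructed_sample():
    """Constructed PDF-like bytes: one plain and one Flate-compressed script."""
    plain = b'app.launchURL("https://example.com/help");'
    packed = zlib.compress(
        b'app.launchURL("placeholder.exe");\n'
        b'xfa.host.exportData("placeholder.hta");'
    )
    return (b"%PDF-1.7\n1 0 obj\n<<>>\nstream\n" + plain + b"\nendstream\nendobj\n"
            b"2 0 obj\n<</Filter/FlateDecode>>\nstream\n" + packed
            + b"\nendstream\nendobj\n")


if __name__ == "__main__":
    for finding in scan_pdf(constructed_sample()):
        print(finding)
```

The scanner only handles Flate streams and literal call sites; scripts hidden behind other filters, object streams or string obfuscation need a full PDF parser.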
According to ZDI, both vulnerabilities (ZDI-17-691 & ZDI-17-692) can be exploited only if the application’s Safe Reading Mode is disabled. However, it is interesting to see that the researcher’s PoC was able to bypass the Safe Reading Mode.
On August 26, 2017, the vendor confirmed the vulnerabilities, and a patch has been released to fix them. Please see the advisory for more information. We recommend that customers scan their network with QID 370537 to detect vulnerable versions of Foxit Reader & PhantomPDF.