CVE-2022-24955 Overview
CVE-2022-24955 is an Uncontrolled Search Path Element vulnerability (CWE-427) affecting Foxit PDF Reader and Foxit PDF Editor on Windows systems. This vulnerability allows attackers to exploit improper DLL loading behavior, potentially leading to arbitrary code execution when a user opens a malicious PDF file or when the application loads from a directory containing a malicious DLL.
The vulnerability exists because Foxit PDF Reader and PDF Editor do not properly validate the search path when loading Dynamic Link Libraries (DLLs). An attacker can place a malicious DLL in a location that is searched before the legitimate DLL path, causing the application to load and execute the attacker-controlled code with the privileges of the user running the application.
Critical Impact
This DLL hijacking vulnerability can enable remote attackers to achieve arbitrary code execution with user-level privileges, potentially leading to complete system compromise on affected Windows systems.
Affected Products
- Foxit PDF Reader versions before 11.2.1
- Foxit PDF Editor versions before 11.2.1
- Microsoft Windows (as the underlying platform)
Discovery Timeline
- 2022-02-11 - CVE-2022-24955 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-24955
Vulnerability Analysis
This vulnerability falls under CWE-427 (Uncontrolled Search Path Element), a class of weaknesses where an application searches for critical resources using an externally-influenced search path that could point to resources outside the intended control sphere. In the context of Windows applications, this typically manifests as DLL hijacking or DLL search order hijacking.
When Foxit PDF Reader or PDF Editor launches, the Windows operating system follows a specific search order to locate required DLL files. If the application does not explicitly specify the full path to required DLLs or does not properly configure the DLL search order, Windows will search through multiple directories including the current working directory, user-controlled paths, and the system PATH environment variable.
This vulnerability can be exploited remotely through network-based attack vectors. An attacker could craft a malicious PDF document that, when opened, causes the application to load a DLL from an attacker-controlled location. Alternatively, the attacker could trick a user into opening Foxit PDF Reader from a network share or download folder containing a malicious DLL.
Root Cause
The root cause of CVE-2022-24955 is the failure of Foxit PDF Reader and PDF Editor to properly constrain the DLL search path during application initialization or when loading dependent libraries at runtime. The application relies on the default Windows DLL search order without implementing proper security controls such as:
- Using fully qualified paths when loading DLLs
- Calling SetDllDirectory("") to remove the current working directory from the search path
- Implementing DLL signature verification before loading
- Using the LOAD_LIBRARY_SEARCH_SYSTEM32 flag when calling LoadLibrary
Attack Vector
The attack vector for this vulnerability is network-based, requiring no privileges or user interaction in certain scenarios. An attacker can exploit this vulnerability through several methods:
Scenario 1: Network Share Attack
An attacker places a malicious DLL alongside a legitimate PDF file on a network share. When a victim navigates to the share and opens the PDF file with Foxit PDF Reader, the application loads the malicious DLL from the current working directory (the network share).
Scenario 2: Download Directory Attack
An attacker distributes a ZIP archive containing both a PDF file and a malicious DLL. When the victim extracts the contents and opens the PDF, the malicious DLL is loaded from the extraction directory.
Scenario 3: Embedded Resource Attack
The attacker embeds references within a PDF document that trigger the loading of a DLL, exploiting the vulnerable search path behavior to load a malicious library.
The vulnerability allows for complete system compromise once exploited, as the attacker's code executes with the same privileges as the Foxit application, typically the current user's privileges.
Detection Methods for CVE-2022-24955
Indicators of Compromise
- Unexpected DLL files appearing in user download directories or alongside PDF documents
- DLL files with legitimate Windows or Foxit library names located in non-standard directories
- Process creation events showing Foxit PDF Reader loading DLLs from user-writable locations such as %TEMP%, %USERPROFILE%\Downloads, or network shares
- Suspicious network connections originating from Foxit PDF Reader or PDF Editor processes
Detection Strategies
- Monitor for DLL loads by FoxitPDFReader.exe or FoxitPDFEditor.exe from directories outside %ProgramFiles% or %ProgramFiles(x86)%
- Implement YARA rules to detect common DLL hijacking payloads in directories where PDF files are stored
- Deploy application whitelisting policies that prevent execution of unsigned DLLs from user-writable directories
- Utilize endpoint detection and response (EDR) solutions to alert on anomalous DLL loading behavior
Monitoring Recommendations
- Enable Windows Sysmon with configuration rules for DLL load events (Event ID 7) filtering for Foxit processes
- Configure SentinelOne Deep Visibility to track process and module load events for PDF reader applications
- Implement file integrity monitoring on Foxit installation directories to detect unauthorized modifications
- Review Security Event logs for process creation events with suspicious working directories
How to Mitigate CVE-2022-24955
Immediate Actions Required
- Update Foxit PDF Reader to version 11.2.1 or later immediately
- Update Foxit PDF Editor to version 11.2.1 or later immediately
- Restrict users from opening PDF files directly from network shares or download directories until patches are applied
- Enable application control policies to prevent loading of unsigned DLLs
Patch Information
Foxit has released security updates addressing this vulnerability in version 11.2.1 of both PDF Reader and PDF Editor. Organizations should obtain the latest versions from the official Foxit download portal. For detailed information about this security update and other vulnerabilities addressed, refer to the Foxit Security Bulletins.
The patched versions implement proper DLL search path controls that prevent the loading of DLLs from untrusted locations. Organizations should prioritize deployment of these updates, especially on systems where users frequently interact with PDF documents from external sources.
Workarounds
- Configure Windows Defender Application Control (WDAC) or AppLocker policies to block DLL execution from user-writable directories
- Implement network segmentation to prevent access to network shares containing potentially malicious content
- Train users to copy PDF files to a clean, dedicated directory before opening them rather than opening directly from downloads or network locations
- Consider using alternative PDF readers in high-risk environments until patches can be deployed
# Configuration example
# PowerShell: Block DLL loads from user directories via Software Restriction Policy
# Create a path rule to prevent execution from common attack vectors
# Check current Foxit PDF Reader version
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*" |
Where-Object { $_.DisplayName -like "*Foxit*PDF*" } |
Select-Object DisplayName, DisplayVersion
# Recommended: Set CWDIllegalInDllSearch registry key to mitigate DLL hijacking
# Value of 1 removes current directory from DLL search path for processes
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager" -Name "CWDIllegalInDllSearch" -Value 1 -Type DWord
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
