Associated vulnerability
Description
This project is intended to serve as a proof of concept to demonstrate exploiting the vulnerability in the PDF.js (pdfjs-dist) library reported in CVE-2024-4367.
Introduction
# PDF.js Vulnerability Demo Project
This project is intended to serve as a proof of concept to demonstrate exploiting the vulnerability in the PDF.js (pdfjs-dist) library reported in [CVE-2024-4367](https://nvd.nist.gov/vuln/detail/CVE-2024-4367).
## Getting Things Running
- Fork and clone this repository
- Run `npm install`
- Run `npm run dev`
## Testing Things Out
- First, go to [http://localhost:4321/](http://localhost:4321/)
- Choose whichever frontend framework component you want to test out (React, Vue, Svelte) by clicking on its corresponding card
- Make sure the sample PDF (which does not exploit the vulnerability) loads up
- You can find and analyze all the sample PDFs in the `/public` directory. Each one attempts to demonstrate a different way to exploit the vulnerability.
- When you are ready to test a PDF that does exploit the vulnerability, change the PDF file that the component points to (the `file` prop below) to the one you want to try

For example:

```javascript
// src/components/ReactPdfViewer.jsx
<Document
  file='/ex1.pdf'
  onLoadSuccess={onDocumentLoadSuccess}
  options={{}}>
```
File snapshot

```
[4.0K] /data/pocs/359cf15d47f2ebaa1480ebfc1e026c241e1d1bc5
├── [ 259] astro.config.mjs
├── [4.0K] example-pdfs
│   ├── [ 26K] CVE-2024-4367-v1.pdf
│   └── [ 20K] CVE-2024-4367-v2.pdf
├── [ 694] package.json
├── [204K] package-lock.json
├── [4.0K] public
│   ├── [ 26K] ex1.pdf
│   ├── [ 26K] ex-gist.pdf
│   ├── [ 26K] ex-joke.pdf
│   ├── [ 26K] ex-voice.pdf
│   ├── [ 749] favicon.svg
│   ├── [524K] sample.pdf
│   └── [ 26K] testing.pdf
├── [1.1K] README.md
├── [4.0K] src
│   ├── [4.0K] components
│   │   ├── [1.1K] Card.astro
│   │   ├── [ 977] PDFViewer.jsx
│   │   ├── [ 611] ReactPdfViewer.tsx
│   │   ├── [ 256] SveltePdfViewer.svelte
│   │   └── [ 370] VuePdfViewer.vue
│   ├── [ 39] env.d.ts
│   ├── [4.0K] layouts
│   │   └── [ 960] Layout.astro
│   └── [4.0K] pages
│       ├── [1.9K] index.astro
│       ├── [ 206] react.astro
│       ├── [ 218] svelte.astro
│       └── [ 200] vue.astro
├── [ 101] svelte.config.js
└── [ 123] tsconfig.json

6 directories, 26 files
```
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be accessed, send an email to f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.