Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2024-4367 PoC — Mozilla Firefox 安全漏洞

Source
https://github.com/snyk-labs/pdfjs-vuln-demo
Associated Vulnerability
Title:Mozilla Firefox 安全漏洞 (CVE-2024-4367)
Description:Mozilla Firefox是美国Mozilla基金会的一款开源Web浏览器。 Mozilla Firefox 126 版本之前存在安全漏洞,该漏洞源于处理 PDF.js 中的字体时缺少类型检查,这将允许在 PDF.js 环境中执行任意 JavaScript。
Description
This project is intended to serve as a proof of concept to demonstrate exploiting the vulnerability in the PDF.js (pdfjs-dist) library reported in CVE-2024-4367
Readme
# PDF.js Vulnerability Demo Project
This project is intended to serve as a proof of concept to demonstrate exploiting the vulnerability in the PDF.js (pdfjs-dist) library reported in [CVE-2024-4367](https://nvd.nist.gov/vuln/detail/CVE-2024-4367)

## Getting Things Running
- Fork and clone from this repository
- `npm install`
- `npm run dev`

## Testing Things Out
- First go to [http://localhost:4321/](http://localhost:4321/)
- Choose whichever frontend framework component you want to test out (react, vue, svelte) by clicking on its corresponding card
- Make sure the sample PDF (not exploiting the vulnerability) loads up
- You can find and analyze all the sample PDFs in the `/public` directory. Each one attempts to demonstrate different ways to exploit the vulnerability.
- When ready to test out a PDF that does exploit the vulnerability change the PDF file that the component is pointing to with the one you want to try

  For Example:
  ```javascript
  // src/components/ReactPdfViewer.jsx
  <Document
    file='/ex1.pdf'
    onLoadSuccess={onDocumentLoadSuccess}
    options={{}}>
  ```
File Snapshot

 [4.0K]  /data/pocs/359cf15d47f2ebaa1480ebfc1e026c241e1d1bc5
├── [ 259]  astro.config.mjs
├── [4.0K]  example-pdfs
│   ├── [ 26K]  CVE-2024-4367-v1.pdf
│   └── [ 20K]  CVE-2024-4367-v2.pdf
├── [ 694]  package.json
├── [204K]  package-lock.json
├── [4.0K]  public
│   ├── [ 26K]  ex1.pdf
│   ├── [ 26K]  ex-gist.pdf
│   ├── [ 26K]  ex-joke.pdf
│   ├── [ 26K]  ex-voice.pdf
│   ├── [ 749]  favicon.svg
│   ├── [524K]  sample.pdf
│   └── [ 26K]  testing.pdf
├── [1.1K]  README.md
├── [4.0K]  src
│   ├── [4.0K]  components
│   │   ├── [1.1K]  Card.astro
│   │   ├── [ 977]  PDFViewer.jsx
│   │   ├── [ 611]  ReactPdfViewer.tsx
│   │   ├── [ 256]  SveltePdfViewer.svelte
│   │   └── [ 370]  VuePdfViewer.vue
│   ├── [  39]  env.d.ts
│   ├── [4.0K]  layouts
│   │   └── [ 960]  Layout.astro
│   └── [4.0K]  pages
│       ├── [1.9K]  index.astro
│       ├── [ 206]  react.astro
│       ├── [ 218]  svelte.astro
│       └── [ 200]  vue.astro
├── [ 101]  svelte.config.js
└── [ 123]  tsconfig.json

6 directories, 26 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.