Related vulnerability
Description
CVE-2024-4367
Introduction
# 🚨 CVE-2024-4367: Arbitrary JavaScript Execution in PDF.js
This project demonstrates and analyzes **CVE-2024-4367**, a high-severity vulnerability in Mozilla's PDF.js library that allows arbitrary JavaScript execution because of a missing type check in the font-handling code. Our research shows how a maliciously crafted PDF can run JavaScript in the context of the embedding page, and in contexts such as Electron apps this can escalate to remote code execution.
🔗 **GitHub Repository**: [Hacking-pdf.js-vulnerability](https://github.com/Bhavyakcwestern/Hacking-pdf.js-vulnerability)
---
## 📖 Project Overview
- **CVE ID**: CVE-2024-4367
- **Severity**: High (CVSS v3.1 Score: 8.8)
- **Affected Software**:
  - PDF.js < 4.2.67
  - Mozilla Firefox < 126
  - Firefox ESR < 115.11
  - Thunderbird < 115.11
- **Exploit**: Arbitrary JavaScript execution via an unvalidated `fontMatrix` taken from an embedded font.
- **Proof of Concept (PoC)**: `ex1.pdf` pops an alert; `ex-gist.pdf` fetches and executes a remote script.
---
## 📂 Repository Contents
- `src/components/ReactPdfViewer.tsx` – React viewer built with react-pdf 5.7.2 (bundles vulnerable pdfjs-dist 2.16.105)
- `ex1.pdf` – malicious PDF triggering an alert
- `ex-gist.pdf` – malicious PDF that fetches & executes remote JS
- `CVE-2024-4367_Report_Hacking_Project.pdf` – full technical report and exploit analysis
---
## ⚠️ Vulnerability Details
PDF.js did not validate the type of the `fontMatrix` array elements read from an embedded font. The elements were stringified and joined directly into JavaScript source text that PDF.js then compiled with `new Function(...)`. A crafted font can therefore supply a string where a number is expected, and that string becomes code that runs with the privileges of the embedding page (or the Electron renderer) whenever dynamic compilation is enabled, which is the default (`isEvalSupported: true`).
Example vulnerable code path:
```js
fontMatrix = ["alert('XSS')", 0, 0, 1, 0, 0]; // element 0 is a string, not a number
// The glyph code is generated by joining the elements into source text,
// e.g. `c.transform(${fontMatrix.join(",")});`, so the string lands in the
// compiled function unquoted and is evaluated as an expression:
function drawGlyph(c) {
  c.transform(alert('XSS'), 0, 0, 1, 0, 0); // alert() runs while the arguments are evaluated
}
```
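The following is an added example, not code from this repository or from PDF.js. It models the pattern described above in isolation: a six-element matrix is joined into source text and compiled with `new Function()`, so a string element runs as code, and a numeric type check in front of the compiler closes the hole. All names (`compileGlyphJsUnchecked`, `assertNumericMatrix`, `runChecked`, the recording context) are this example's own, and the payload sets a marker on `globalThis` instead of calling `alert()` so the effect is observable outside a browser.

```javascript
// Added example (not PDF.js code): how joining array elements into generated
// source and compiling it with new Function() lets a string element execute,
// and the numeric check that prevents it. Helper names are this example's own.

// Stand-in for a canvas context: records the drawing commands it receives.
function makeRecordingContext() {
  return {
    calls: [],
    transform(...args) { this.calls.push(["transform", ...args]); },
  };
}

// Vulnerable pattern: elements are stringified with join(",") and spliced into
// JavaScript source, so a non-numeric element becomes part of the program.
function compileGlyphJsUnchecked(fontMatrix) {
  const src = `c.transform(${fontMatrix.join(",")});`;
  return new Function("c", src);
}

// Hardened: refuse anything that is not six finite numbers before any source
// text is built from it.
function assertNumericMatrix(fontMatrix) {
  if (!Array.isArray(fontMatrix) || fontMatrix.length !== 6 ||
      !fontMatrix.every(v => typeof v === "number" && Number.isFinite(v))) {
    throw new TypeError("fontMatrix must be an array of six finite numbers");
  }
  return fontMatrix;
}

function compileGlyphJsChecked(fontMatrix) {
  return compileGlyphJsUnchecked(assertNumericMatrix(fontMatrix));
}

// Constructed inputs: the malicious matrix carries an expression that sets a
// global marker and evaluates to 0, standing in for alert('XSS').
const payload = "(globalThis.pwned = true, 0)";
const maliciousMatrix = [payload, 0, 0, 1, 0, 0];
const benignMatrix = [0.001, 0, 0, 0.001, 0, 0];

// Compile and run a matrix through the unchecked path; report whether the
// injected expression executed and what the context saw.
function runUnchecked(fontMatrix) {
  delete globalThis.pwned;
  const ctx = makeRecordingContext();
  compileGlyphJsUnchecked(fontMatrix)(ctx);
  return { pwned: globalThis.pwned === true, calls: ctx.calls };
}

// Same through the checked path; a TypeError means the matrix was rejected
// before any code was generated.
function runChecked(fontMatrix) {
  delete globalThis.pwned;
  const ctx = makeRecordingContext();
  try {
    compileGlyphJsChecked(fontMatrix)(ctx);
    return { pwned: globalThis.pwned === true, rejected: false, calls: ctx.calls };
  } catch (e) {
    return { pwned: globalThis.pwned === true, rejected: e instanceof TypeError, calls: ctx.calls };
  }
}

console.log("unchecked, malicious:", runUnchecked(maliciousMatrix));
console.log("checked, malicious:  ", runChecked(maliciousMatrix));
console.log("checked, benign:     ", runChecked(benignMatrix));
```

Note that the quotes around the payload string in the array are gone by the time it reaches the generated source: `join(",")` emits the raw characters, which is why a string element is evaluated rather than passed as a string literal. The same reasoning explains why disabling `new Function` (PDF.js's `isEvalSupported: false`, or a CSP without `'unsafe-eval'`) removes the sink entirely.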
---
## 🛡️ Mitigation Strategies for CVE-2024-4367
To mitigate this vulnerability and protect applications embedding PDF.js (or libraries that bundle it), adopt the following measures:
### ✅ Upgrade Dependencies
- Upgrade **PDF.js** to **v4.2.67** (or later), which adds the missing type check.
- If using wrappers (e.g., **react-pdf**), confirm they ship **pdfjs-dist ≥ 4.2.67**; check `pdfjsLib.version` at runtime rather than trusting the wrapper's changelog.
### ✅ Disable Dynamic Compilation
- Pass **`isEvalSupported: false`** to `pdfjsLib.getDocument(...)` to turn off `new Function` compilation. PDF.js then uses its interpreted paths for glyph and PostScript-function rendering, which is slower but builds no source text from font data; this is a useful stopgap until the upgrade lands, not a replacement for it.
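The following is an added example, not part of this repository or of PDF.js. It combines the two checks above: it compares the bundled `pdfjsLib.version` (a real export of pdfjs-dist) against the first fixed release, 4.2.67, and it builds the `getDocument()` options with `isEvalSupported` disabled. The helper names (`isVulnerableVersion`, `safeDocumentOptions`) are this example's own, and the `pdfjsLib` import shown in the usage comment is assumed rather than resolved here.

```javascript
// Added example (not PDF.js or repository code): gate untrusted PDF loading on
// the bundled pdf.js version and force the interpreted (non-eval) paths.
// isEvalSupported is a real getDocument() option; the helpers are this
// example's own and the pdfjsLib import is assumed.

const FIRST_FIXED_VERSION = "4.2.67";

// Compare dotted numeric versions: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] ?? 0) - (pb[i] ?? 0);
    if (d !== 0) return d;
  }
  return 0;
}

// True when the bundled pdfjs-dist predates the fix for CVE-2024-4367.
// Throws on anything that is not a plain dotted-number version string so a
// missing or mangled version is never silently treated as "patched".
function isVulnerableVersion(version) {
  if (typeof version !== "string" || !/^\d+(\.\d+)*$/.test(version)) {
    throw new TypeError(`unrecognised pdf.js version: ${String(version)}`);
  }
  return compareVersions(version, FIRST_FIXED_VERSION) < 0;
}

// Build the options object for pdfjsLib.getDocument(). `data` is the PDF as a
// Uint8Array. isEvalSupported:false disables new Function() compilation of
// glyph and PostScript-function code on every pdf.js version, patched or not.
function safeDocumentOptions(data, version) {
  const vulnerable = isVulnerableVersion(version);
  if (vulnerable) {
    console.warn(`pdf.js ${version} is affected by CVE-2024-4367; upgrade to ${FIRST_FIXED_VERSION} or later`);
  }
  return { data, isEvalSupported: false, vulnerableBuild: vulnerable };
}

// Usage inside a viewer (pdfjsLib assumed to be the imported pdfjs-dist module):
//   const opts = safeDocumentOptions(bytes, pdfjsLib.version);
//   const pdf = await pdfjsLib.getDocument(opts).promise;
```

The extra `vulnerableBuild` flag on the returned object is only for the caller's logging or telemetry; `getDocument()` ignores unknown keys, but strip it if you prefer to pass exactly the documented options.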
### ✅ Enforce Type Checking
- If you vendor or patch PDF.js yourself, add explicit `typeof` checks on every value taken from the document (e.g., each element of the `fontMatrix` array must be a finite number) before it reaches any code-generation step.
### ✅ Sanitize Input
- Reject or sanitize any non-numeric input where numbers are expected.
### ✅ Use Dependency Monitoring Tools
- Integrate **Snyk** (or similar) into CI/CD to scan dependencies automatically.
- Keep `package.json`/`yarn.lock` up-to-date and auto-apply security patches.
### ✅ Keep Browsers & Runtimes Updated
- Run patched versions:
- **Firefox ≥ 126**
- **Firefox ESR ≥ 115.11**
- **Thunderbird ≥ 115.11**
- If your Electron app ships its own copy of PDF.js, update that copy: PDF.js runs as ordinary page JavaScript, so a newer Electron or Chromium alone does not fix it.
### ✅ Apply Security Headers
Add a strict **Content-Security-Policy**:
```http
Content-Security-Policy: script-src 'self'; object-src 'none';
```
A `script-src` without `'unsafe-eval'` makes `new Function(...)` throw, which removes the sink this bug feeds; PDF.js detects that and falls back to its interpreted paths. The same policy also blocks the remote script that `ex-gist.pdf` tries to load from a third-party origin.
File snapshot
[4.0K] /data/pocs/b80d9c0e8e9d18ad46e96a15fb7ae266c53edd49
├── [ 259] astro.config.mjs
├── [701K] CVE-2024-4367_Report_Hacking_Project.pdf
├── [4.0K] example-pdfs
│ └── [ 26K] CVE-2024-4367-v1.pdf
├── [ 724] package.json
├── [303K] package-lock.json
├── [4.0K] public
│ ├── [1.7M] Assignment1_bhavya.pdf
│ ├── [ 26K] ex1.pdf
│ ├── [ 26K] ex-gist.pdf
│ ├── [ 26K] ex-joke.pdf
│ ├── [ 26K] ex-voice.pdf
│ ├── [ 749] favicon.svg
│ ├── [524K] sample.pdf
│ └── [ 26K] testing.pdf
├── [3.2K] README.md
├── [4.0K] src
│ ├── [4.0K] components
│ │ ├── [1.1K] Card.astro
│ │ ├── [ 977] PDFViewer.jsx
│ │ ├── [ 792] ReactPdfViewer.tsx
│ │ ├── [ 256] SveltePdfViewer.svelte
│ │ └── [ 370] VuePdfViewer.vue
│ ├── [ 85] env.d.ts
│ ├── [4.0K] layouts
│ │ └── [ 960] Layout.astro
│ └── [4.0K] pages
│ ├── [1.9K] index.astro
│ ├── [ 206] react.astro
│ ├── [ 218] svelte.astro
│ └── [ 200] vue.astro
├── [ 101] svelte.config.js
└── [ 123] tsconfig.json
6 directories, 27 files
Notes
1. We recommend accessing the original source first.
2. If the source is no longer available or cannot be reached, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
3. 神龙 has taken a snapshot of this POC code for you; to support long-term maintenance, please consider paying for the local POC. Thank you for your support.