CVE-2024-4367 is a critical vulnerability (CVSS 9.8) in PDF.js, allowing arbitrary JavaScript code execution due to insufficient type checks on the FontMatrix object within PDF files.
| CVE IDENTIFIER | CVE-2024-4367 |
|---|---|
| SEVERITY | Critical (CVSS Score: 9.8) |
| VULNERABILITY | Arbitrary JavaScript code execution in PDF.js due to insufficient type checks on the FontMatrix object |
| EXPLOITATION | Maliciously crafted PDF files can execute JavaScript in the victim’s browser, leading to data theft, XSS, or RCE. |
- **Operating System:**
  - A Debian/Ubuntu-based Linux distribution or equivalent, with administrative privileges.
  - Ensure Python 3.x is installed (`python3 --version`).
- **Script Setup:**
  - Save the exploit script in a directory of your choice (e.g., `~/cve-2024-4367/`) with the filename `cve_2024_4367_exploit_wizard.py`.
- **Template PDF:**
  - Place a benign PDF file named `template.pdf` in the same directory. This file will serve as the base for the malicious PDF.
- **Social Engineering Toolkit (SET):**
  - Install SET:
    ```
    sudo apt-get update
    sudo apt-get install set
    ```
  - Verify the installation with `which setoolkit`.
Grant executable permissions to the script:

```
chmod +x cve_2024_4367_exploit_wizard.py
```

Run the script using either method below:

```
./cve_2024_4367_exploit_wizard.py
```

or

```
python3 cve_2024_4367_exploit_wizard.py
```

The script will guide you through the attack process step-by-step.
- The script automatically checks for:
  - PyPDF2: required for manipulating PDFs.
  - SET: used for phishing campaigns.
- Missing dependencies will be installed automatically (or you will be prompted to install them manually).
- The script injects a JavaScript payload into the `/FontMatrix` field of `template.pdf`.
- The output, `malicious.pdf`, will be saved in the same directory.
- Success or failure will be displayed.
- Add target emails (or identifiers) interactively.
- Type each target email one by one.
- Finalize the list by typing `done`.
- The script integrates with SET to deliver the malicious PDF via phishing.
- Follow SET’s prompts to configure the campaign:
  - Set up email templates.
  - Attach `malicious.pdf`.
- Exit SET to return to the wizard.
- The script launches an HTTP server at `http://localhost:8080`, where `malicious.pdf` is accessible for download.
- Data exfiltrated by the payload (e.g., `document.cookie`) will be logged in the script’s console.
- Open `malicious.pdf` in a vulnerable version of PDF.js or a sandboxed VM.
- Monitor server logs to confirm payload execution and data exfiltration.
- Data (e.g., cookies) submitted by the payload will be logged as:
  ```
  [+] Data exfiltrated: session_id=abcd1234; auth_token=xyz987
  ```
- Customize the payload for actions like keylogging or redirection.
- Test your environment’s ability to detect or mitigate these threats.
Terminate the HTTP server using Ctrl+C in the terminal.

- Delete or securely store `malicious.pdf` to prevent accidental misuse.
- Safely archive any logs or campaign data.
- If using a virtual machine, revert to a clean snapshot.
- Ensure no malicious artifacts remain on the system.
- This script and guide are intended for educational purposes and authorized penetration testing within controlled environments.
- Unauthorized use is illegal and may result in severe legal consequences.
- Always obtain explicit permission before conducting any exploit tests.
- **Update PDF.js:**
  - Ensure the latest version of PDF.js is installed to patch CVE-2024-4367.
- **Restrict JavaScript in PDFs:**
  - Disable JavaScript execution in PDF viewers whenever possible.
- **Implement Endpoint Protection:**
  - Use robust endpoint detection and response tools.
- **Educate Users:**
  - Train employees to recognize phishing attempts and avoid opening unverified PDFs.
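To complement the mitigations above on the detection side, here is an added example (not part of this wizard script or of PDF.js) that scans a PDF's raw bytes for the artifact the payload-injection step leaves behind: a `/FontMatrix` whose value is not an array of exactly six numbers. The function names `suspicious_fontmatrix_entries` and `scan_file` and the sample inputs in the test are the example's own.

```python
import re
import sys
from pathlib import Path

# A /FontMatrix key followed by its value: either an array "[ ... ]" or a single
# non-array token (string, name or number), which is itself already suspicious.
FONTMATRIX_RE = re.compile(rb"/FontMatrix\s*(\[[^\]]*\]|[^\s/<>\[\]]+)")
# A PDF numeric object: optional sign, integer or real.
NUMBER_RE = re.compile(rb"^[+-]?(\d+\.?\d*|\.\d+)$")


def suspicious_fontmatrix_entries(pdf_bytes: bytes) -> list:
    """Return every /FontMatrix value that is not an array of exactly six numbers.

    A well-formed FontMatrix is a six-number transformation matrix. The crafted
    PDF this README describes puts JavaScript in that slot, so any non-numeric
    element (or a wrong element count) is the signal. Only objects stored
    uncompressed are visible to this byte-level scan; objects packed into
    compressed object streams would need to be inflated first.
    """
    findings = []
    for match in FONTMATRIX_RE.finditer(pdf_bytes):
        value = match.group(1)
        if not value.startswith(b"["):
            # Not even an array: report the raw token as found.
            findings.append(value.decode("latin-1"))
            continue
        tokens = value[1:-1].split()
        if len(tokens) != 6 or not all(NUMBER_RE.match(t) for t in tokens):
            findings.append(value.decode("latin-1"))
    return findings


def scan_file(path: str) -> list:
    """Scan one PDF on disk and return the suspicious FontMatrix values found."""
    return suspicious_fontmatrix_entries(Path(path).read_bytes())


if __name__ == "__main__":
    # Usage: python3 fontmatrix_scan.py file1.pdf [file2.pdf ...]
    for pdf_path in sys.argv[1:]:
        hits = scan_file(pdf_path)
        print(f"{pdf_path}: {'SUSPICIOUS' if hits else 'clean'}")
        for hit in hits:
            print(f"  /FontMatrix {hit}")
```

Because the scan reads raw bytes, a PDF that stores its font dictionaries inside compressed object streams must be decompressed before the check is meaningful. Embedders of PDF.js that cannot update immediately can also pass `isEvalSupported: false` to `getDocument()`, which stops font data from being evaluated as code.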
By following this guide responsibly, you can effectively simulate real-world attack scenarios and bolster your cybersecurity defenses.