arbitrary code execution in PDF.js.

a malicious PDF can execute arbitrary JS as soon as it's opened in Firefox.

codeanlabs.com/blog/research/c

how do you fuck up so bad as to allow arbitrary code execution? what was the justification for using eval() for glyph rendering

2024 may not be the year of Linux on the desktop, but it sure is the year of XSS via malicious glyphs on a PDF

right, so the justification for using eval() was doing some kind of JIT on the glyph commands. and the code that generated the compiled JS did some very poor validation of the parsed JS objects it used.
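To make the bug class concrete, here is an added toy illustration (not PDF.js code, and not from any poster): a "glyph command compiler" that turns parsed commands into JS source for new Function, first trusting the parser's output, then validating every value before it reaches the generated source. The command names, the recording context and the sample programs are all constructed for the example.

```javascript
// Constructed sample: a well-formed parsed glyph program, as [op, x, y] rows.
const goodProgram = [["moveTo", 10, 20], ["lineTo", 30, 40]];

// Constructed malformed program: one argument is a string instead of a number.
// Shows that String() of a non-number lands in the generated source verbatim.
const badProgram = [["moveTo", 10, 20], ["lineTo", "30); doSomething(", 40]];

const OPS = new Set(["moveTo", "lineTo"]);

// Unsafe pattern: concatenates parsed values straight into code text.
function compileUnsafe(program) {
  let src = "";
  for (const [op, x, y] of program) {
    src += `ctx.${op}(${x}, ${y});\n`;
  }
  return src;
}

// Hardened: allow-list the operator and require every argument to be a
// finite number before it is placed in source text.
function compileSafe(program) {
  let src = "";
  for (const [op, x, y] of program) {
    if (!OPS.has(op)) throw new TypeError(`unknown op ${String(op)}`);
    for (const v of [x, y]) {
      if (typeof v !== "number" || !Number.isFinite(v)) {
        throw new TypeError("glyph argument must be a finite number");
      }
    }
    // A finite number stringifies only to digits, sign, '.' and 'e',
    // so the emitted token can never be anything but a numeric literal.
    src += `ctx.${op}(${x}, ${y});\n`;
  }
  return src;
}

// Runs compiled source against a recording context standing in for a canvas.
function runCompiled(src) {
  const calls = [];
  const ctx = {
    moveTo: (x, y) => calls.push(["moveTo", x, y]),
    lineTo: (x, y) => calls.push(["lineTo", x, y]),
  };
  // eslint-disable-next-line no-new-func
  new Function("ctx", src)(ctx);
  return calls;
}
```

The safer fix is to not generate code at all and interpret the command list directly; the validation above is the minimum if code generation is kept.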

I'm going to put
// eslint-disable-next-line no-new-func
high up on the shelf until y'all learn how to use it

it is a bit outrageous honestly. all this effort on the JS runner to make sure PDF.js is safe, and then someone just... pastes an arbitrary string into a JS function that is going to be eval'ed :blobcatmeltcry:

and this bug has been present since PDF.js was released in 2014 :blobcatmeltcry:

except for a 1-year period because someone made a typo that disabled the bug.

security is a joke.

so, to be crystal clear: those of you who use Firefox could've had arbitrary JS executed for the last decade, with a very reliable and VERY easy to exploit bug.

now my question is, what could an attacker have done with it? what are the permissions in which the Firefox PDF viewer's JS is executed?


@mildsunrise doesn't that just make a malicious pdf as insecure as a malicious website (which can already execute arbitrary js)


@noiob the PDF viewer (for a downloaded file) isn't executed in the context of a website, since it is a file:// URL. logic tells me it should be able to access arbitrary files on your computer and maybe also make requests to a (possibly malicious, exfiltration target) server

@noiob but I haven't really looked so I could be wrong, maybe they apply special restrictions on the file: origin (or a CSP)

or on the other hand, maybe they give the code special permissions since it is part of the browser's core

@mildsunrise @noiob my interpretation of the docs is that JS from file origin can't read arbitrary other files in a modern browser today. However, it's implementation defined so 🤷‍♂️

developer.mozilla.org/en-US/do

How universally true that is, and when it became the expectation, I don't know.

@jpab @noiob that's certainly a relief, we'll see if it holds up to expectations or not.

I now see that PDF.js is also used in Thunderbird, so I wonder which context is the JS executed there in...
