SumatraPDF
cpe:2.3:a:sumatrapdfreader:sumatrapdf:*:*:*:*:*:*:*
- < 3.5.2
A vulnerability in SumatraPDF versions prior to 3.5.2 allows arbitrary code execution through the application's handling of file paths. When a user opens a PDF and selects 'Show in folder', SumatraPDF executes a malicious binary named 'explorer.exe' located in the same directory as the PDF instead of the legitimate Windows file explorer. This happens without any warning or additional user interaction, and the malicious code runs with the current user's privileges.
Exploitation of this vulnerability allows for local arbitrary code execution through binary hijacking. Any user who opens a PDF from a directory containing a malicious 'explorer.exe' is affected. This could enable an attacker to execute malware or perform other actions on the victim's system under the user's account.
To reproduce this vulnerability, create a malicious executable named 'explorer.exe' that launches the legitimate file explorer along with the calculator application. Place this executable in the same directory as a crafted PDF file. Open the PDF file in SumatraPDF, then select 'File' followed by 'Show in folder'. The malicious 'explorer.exe' will be executed instead of the normal file explorer.
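A defender-side check for the condition this advisory describes, as an added example that is not part of the original advisory or of SumatraPDF's code: it walks a directory tree and reports any 'explorer.exe' that sits in the same folder as a PDF. The function names, the `trusted_dirs` parameter and the sample directory tree are assumptions constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

# Binary name taken from the advisory; extend the set locally if needed (assumption).
HIJACK_NAMES = {"explorer.exe"}
DOC_SUFFIXES = {".pdf"}


def find_planted_binaries(root, trusted_dirs=()):
    """Return sorted paths of watched binaries that share a directory with a PDF."""
    trusted = [Path(d).resolve() for d in trusted_dirs]
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        here = Path(dirpath).resolve()
        if any(here == t or t in here.parents for t in trusted):
            continue  # e.g. the real Windows directory, where explorer.exe belongs
        # Windows file names are case-insensitive, so compare in lower case.
        lowered = {name.lower(): name for name in filenames}
        if not any(Path(n).suffix in DOC_SUFFIXES for n in lowered):
            continue
        hits.extend(str(here / lowered[w]) for w in HIJACK_NAMES if w in lowered)
    return sorted(hits)


def build_sample_tree(base):
    """Constructed sample layout: one suspicious folder, one clean, one trusted."""
    layout = {
        "Downloads/invoice/invoice.pdf": b"%PDF-1.7\n",
        "Downloads/invoice/Explorer.EXE": b"MZ",   # sits next to the PDF
        "Documents/report.pdf": b"%PDF-1.7\n",     # PDF alone: clean
        "Windows/explorer.exe": b"MZ",             # stand-in for the legitimate location
        "Windows/help.pdf": b"%PDF-1.7\n",
    }
    for rel, data in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return Path(base)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        for hit in find_planted_binaries(root, trusted_dirs=[root / "Windows"]):
            print("suspicious:", hit)
```

On a real host, point `root` at download, mail-attachment and share folders and pass the Windows directory in `trusted_dirs`.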