SumatraPDF Arbitrary Code Execution Vulnerability via Insecure Update Mechanism

Vulnerability

A vulnerability in SumatraPDF versions 3.5.0 through 3.5.2 allows arbitrary code execution through the application's update mechanism. The update check is made over HTTPS, but TLS hostname verification is disabled: the client accepts any certificate that chains to a trusted Certificate Authority, without comparing the names in that certificate with the host the update was requested from. A network attacker positioned between the client and the update server, holding a valid certificate for any domain, can therefore terminate the TLS connection, return a crafted update response that points at a malicious installer URL, and have the client download and run that installer. All users with automatic update checks enabled, and users who check for updates manually, are affected.

Impact

Exploitation of this vulnerability leads to arbitrary code execution on the affected system, with the executed code running under the current user's privileges.

Reproduction

To reproduce this vulnerability, first obtain a valid TLS certificate for a domain you control from a publicly trusted Certificate Authority such as Let's Encrypt. Because only hostname verification is disabled, the certificate does not need to match the update server's name, but it does need to chain to a CA the client trusts; this is why a CA-issued certificate is required and a self-signed or proxy-generated one would not do. Next, position yourself on the client's network path and intercept the update check request with a tool such as mitmproxy, configured to present that CA-issued certificate rather than the one it would generate itself. Replace the installer URL in the update response with the URL of a Windows executable under your control. SumatraPDF downloads and runs the injected file without any further checks, resulting in arbitrary code execution.
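The root cause above, reduced to the certificate check itself, as an added example that is not code from SumatraPDF or from this advisory. The hostname `updates.example` and the domain `attacker.example` are placeholders, and the self-signed certificates play the role of certificates a public CA would issue (adding one to the trust pool stands in for that CA being in the system store). The example goes slightly beyond the text: it also shows why the attacker needs a CA-issued certificate, since a certificate from an unknown issuer, such as a proxy's own CA, still fails chain validation even in the vulnerable configuration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ExpectedHost is the host the client believes it is sending the update check
// to. Assumed placeholder, not the project's real update host.
const ExpectedHost = "updates.example"

// selfSignedCert returns a self-signed server certificate for host. Each one
// stands in for a certificate a public CA would issue for that name.
func selfSignedCert(host string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own issuer
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// VerifyServerCert is the check a TLS client applies to the certificate the
// update server presents. checkHostname=false reproduces the vulnerable
// behaviour: the chain is validated against roots, but the names in the
// certificate are never compared with the host the request was sent to.
func VerifyServerCert(leaf *x509.Certificate, roots *x509.CertPool, expectedHost string, checkHostname bool) error {
	opts := x509.VerifyOptions{Roots: roots}
	if checkHostname {
		opts.DNSName = expectedHost // compared against the SAN dNSName entries
	}
	_, err := leaf.Verify(opts)
	return err
}

// IsHostnameMismatch reports whether err is specifically a hostname mismatch,
// as opposed to an untrusted issuer or an expired certificate.
func IsHostnameMismatch(err error) bool {
	var he x509.HostnameError
	return errors.As(err, &he)
}

func main() {
	attackerCert, _ := selfSignedCert("attacker.example") // CA-issued to the attacker
	rogueCert, _ := selfSignedCert(ExpectedHost)           // right name, unknown issuer

	trusted := x509.NewCertPool()
	trusted.AddCert(attackerCert) // the issuing CA is in the system store

	fmt.Println("vulnerable client, CA-issued cert for attacker.example:",
		VerifyServerCert(attackerCert, trusted, ExpectedHost, false))
	fmt.Println("fixed client, same cert:",
		VerifyServerCert(attackerCert, trusted, ExpectedHost, true))
	fmt.Println("vulnerable client, unknown issuer (e.g. a proxy's own CA):",
		VerifyServerCert(rogueCert, trusted, ExpectedHost, false))
}
```

In a real client this is the difference between setting the expected server name on the TLS connection and leaving it empty or installing a verification callback that only walks the chain; the first case in `main` prints `<nil>`, the second a hostname error naming both hosts, the third an unknown authority error.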

Remediation

Users can mitigate this vulnerability by disabling the automatic update check in SumatraPDF and refraining from manual update checks on networks they do not control. This only reduces exposure; a permanent fix requires the developers to enable TLS hostname verification in the update client, restrict installer URLs in update responses to the project's own HTTPS hosts, and verify the downloaded installer's signature before executing it.
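The two application-level checks named above, URL restriction and installer signature verification, as an added example that is not SumatraPDF's code. The update response layout (`UpdateInfo`), the allowed hosts `updates.example` and `downloads.example`, and the use of an Ed25519 key are all assumptions made here; a shipping client would pin the public key in the binary and keep the signing key offline, and on Windows would additionally check the installer's Authenticode signature. The signature covers the installer bytes, so an attacker who can still redirect the URL cannot substitute a binary that verifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// AllowedUpdateHosts is the assumed allowlist of hosts an installer may be
// fetched from. Placeholders, not the project's real hosts.
var AllowedUpdateHosts = []string{"updates.example", "downloads.example"}

// UpdateInfo is a hypothetical parsed update response; the real format is not
// reproduced here.
type UpdateInfo struct {
	InstallerURL string
	Signature    []byte // Ed25519 signature over the installer bytes
}

// ValidateInstallerURL rejects anything that is not an https URL on one of the
// allowed hosts, including userinfo tricks such as https://allowed@evil/.
func ValidateInstallerURL(raw string, allowedHosts []string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, fmt.Errorf("installer URL unparsable: %w", err)
	}
	if !strings.EqualFold(u.Scheme, "https") {
		return nil, fmt.Errorf("installer URL must use https, got %q", u.Scheme)
	}
	if u.User != nil {
		return nil, errors.New("installer URL must not carry userinfo")
	}
	host := strings.ToLower(u.Hostname()) // strips any port
	for _, h := range allowedHosts {
		if host == h {
			return u, nil
		}
	}
	return nil, fmt.Errorf("installer host %q is not an allowed update host", host)
}

// VerifyInstaller checks the detached Ed25519 signature over the installer
// bytes against the pinned publisher key.
func VerifyInstaller(pub ed25519.PublicKey, installer, sig []byte) error {
	if len(pub) != ed25519.PublicKeySize {
		return errors.New("pinned public key has the wrong size")
	}
	if len(sig) != ed25519.SignatureSize {
		return fmt.Errorf("signature has %d bytes, want %d", len(sig), ed25519.SignatureSize)
	}
	if !ed25519.Verify(pub, installer, sig) {
		return errors.New("installer signature does not verify")
	}
	return nil
}

// AcceptUpdate is the gate before the installer is executed: both checks must
// pass, and the URL is checked first so a bad host is never even fetched.
func AcceptUpdate(info UpdateInfo, installer []byte, pub ed25519.PublicKey) error {
	if _, err := ValidateInstallerURL(info.InstallerURL, AllowedUpdateHosts); err != nil {
		return err
	}
	return VerifyInstaller(pub, installer, info.Signature)
}

func main() {
	// Constructed stand-ins: a throwaway key pair and fake installer bytes.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	installer := []byte("MZ constructed installer bytes")
	sig := ed25519.Sign(priv, installer)

	good := UpdateInfo{InstallerURL: "https://updates.example/installer.exe", Signature: sig}
	redirected := UpdateInfo{InstallerURL: "https://attacker.example/installer.exe", Signature: sig}
	tampered := append([]byte{}, installer...)
	tampered[0] ^= 1

	fmt.Println("genuine:", AcceptUpdate(good, installer, pub))
	fmt.Println("redirected URL:", AcceptUpdate(redirected, installer, pub))
	fmt.Println("modified installer:", AcceptUpdate(good, tampered, pub))
}
```

Note that the URL allowlist alone would not have stopped the attack on this page, since the attacker already terminates TLS for whatever host the client asks for; it is the hostname check plus the signature over the installer that closes the hole, and the allowlist keeps the update client from being turned into a generic downloader.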

Added: Feb 9, 2026, 10:35 PM
Updated: Feb 9, 2026, 10:35 PM

Vulnerability Rating

Custom Algorithm
spread: 6.6
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 2.8
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.