Researchers have demonstrated a new class of attacks that lets an attacker bypass existing countermeasures and break the integrity protection of digitally signed PDF documents.
Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique exploits the "enormous flexibility provided by the PDF specification so that shadow documents remain standard-compliant."
The findings were presented yesterday at the Network and Distributed System Security Symposium (NDSS). Of the 29 PDF viewers tested, 16 were found vulnerable to shadow attacks, including Adobe Acrobat, Foxit Reader, Perfect PDF, and Okular.
To carry out the attack, a malicious actor prepares a PDF document that carries two different contents: the visible content the signing party expects to see and review, and a second, hidden content that is displayed only after the PDF has been signed and the attacker has made a small post-signing change to it.
"The signers of the PDF receive the document, review it, and sign it," the researchers outlined. "The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the signers."
In the analog world, the attack is equivalent to deliberately leaving blank spaces in a paper document, getting the concerned party to sign it, and then having the counterparty fill the blanks with arbitrary content.
Shadow attacks build on a related threat the same researchers disclosed in February 2019, which showed that an existing signed document could be altered without invalidating its signature, making it possible to forge a signed PDF.
Although vendors have since shipped fixes for that issue, the new study extends the attack model to ask whether an adversary can still change the visible content of a digitally signed PDF without invalidating its signature, assuming the adversary can manipulate the PDF before it is signed.
At its core, the attacks leverage "harmless" PDF features that do not invalidate the signature, such as "incremental update", which allows changes to be appended to a PDF (e.g., filling out a form), and "interactive forms" (e.g., text fields, radio buttons, etc.). A signature only covers the byte range that existed when it was made; an incremental update is appended after that range, so the signed bytes stay intact and the signature still verifies, while a viewer that applies the update renders different content. The first two variants use this to hide the malicious content behind seemingly innocuous overlay objects ("hide") or to directly replace the original content after signing ("replace").
A third variant, called "hide and replace", combines the two techniques and can modify the contents of an entire document simply by changing the object references in the PDF.
"The attacker can build a complete shadow document influencing the presentation of each page, or even the total number of pages, as well as each object contained therein," the researchers said.
Put simply, the idea is to create a document (for instance a form) that shows the same values before and after signing, but a completely different set of values after the attacker's post-signing manipulation.
To test the attacks, the researchers have published two open-source tools, PDF-Attacker and PDF-Detector, that can be used to generate shadow documents and to check a PDF for manipulation both before it is signed and after it has been altered.
The flaws, tracked as CVE-2020-9592 and CVE-2020-9596, have since been addressed by Adobe in an update released on May 12, 2020. As of December 17, 2020, 11 of the 29 tested PDF applications remain unpatched.
This isn't the first time PDF security has come under scrutiny. The researchers have previously demonstrated techniques to extract the contents of a password-protected PDF file by taking advantage of the partial encryption natively supported by the PDF specification, remotely exfiltrating the content once a user opens the document.
Separately, the researchers last month disclosed another set of 11 vulnerabilities affecting the PDF standard (CVE-2020-28352 through CVE-2020-28359, and CVE-2020-28410 to CVE-2020-28412) that could lead to denial of service, information disclosure, data manipulation, and even arbitrary code execution.
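The mechanism described in the preceding paragraphs comes down to a single fact: a PDF signature covers only the offsets listed in its /ByteRange, and an incremental update is appended after those offsets. The script below is an added example written for this page; it is not code from the original article, nor from the researchers' PDF-Attacker or PDF-Detector tools. It builds a constructed skeleton of a signed PDF (cross-reference table omitted, since only byte offsets matter for the check), appends an incremental update that redefines the page's content stream the way a "replace" shadow attack does, and then shows the basic check a verifier can perform: whether any bytes follow the signed region and which objects that appendix redefines or introduces. All object numbers, field names and page contents are made up for the demonstration.

```python
"""Added example: detect content appended after a PDF signature's /ByteRange.

Constructed for illustration; not the researchers' tooling. The PDF skeletons
built here have no xref table, which is fine because the check only needs the
byte offsets that the signature dictionary itself declares.
"""
import re
from typing import NamedTuple, Tuple

# /ByteRange [a b c d]: the signature covers bytes [a, a+b) and [c, c+d).
# The gap between the two pieces is the /Contents hex string holding the CMS blob.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\b")


class SignatureCoverage(NamedTuple):
    signed_end: int                    # first byte offset not covered by the last signature
    file_size: int
    trailing_bytes: int                # bytes appended after the signed region
    replaced_objects: Tuple[int, ...]  # objects redefined by the appended update
    new_objects: Tuple[int, ...]       # objects first introduced by the appended update


def analyze_signature_coverage(pdf: bytes) -> SignatureCoverage:
    """Compare the region covered by the last signature with the whole file.

    Anything after the signed region is an incremental update the signer never
    saw. Updates are legal (form filling, additional signatures), so a non-zero
    result means "review the appendix", not "forged"; but a redefinition of an
    already-signed object is exactly the pattern a shadow document relies on.
    """
    ranges = list(BYTE_RANGE_RE.finditer(pdf))
    if not ranges:
        raise ValueError("no /ByteRange found: document carries no signature")
    a, b, c, d = (int(x) for x in ranges[-1].groups())
    if a != 0 or b > c:
        raise ValueError("malformed /ByteRange: signature must start at offset 0")
    signed_end = c + d
    if signed_end > len(pdf):
        raise ValueError("/ByteRange extends past end of file")
    signed_part, trailing = pdf[:signed_end], pdf[signed_end:]
    signed_objs = {int(n) for n, _ in OBJ_RE.findall(signed_part)}
    trailing_objs = {int(n) for n, _ in OBJ_RE.findall(trailing)}
    return SignatureCoverage(
        signed_end=signed_end,
        file_size=len(pdf),
        trailing_bytes=len(trailing),
        replaced_objects=tuple(sorted(trailing_objs & signed_objs)),
        new_objects=tuple(sorted(trailing_objs - signed_objs)),
    )


def _stream_object(num: int, data: bytes) -> bytes:
    return b"%d 0 obj\n<< /Length %d >>\nstream\n%s\nendstream\nendobj\n" % (num, len(data), data)


def build_signed_pdf(page_content: bytes) -> bytes:
    """Constructed skeleton of a signed PDF. The /ByteRange is filled in so the
    signature covers the whole file except the /Contents placeholder, as a real
    signer would; the signature value itself is a zeroed placeholder."""
    placeholder = b"/ByteRange [0000000000 0000000000 0000000000 0000000000]"
    doc = b"".join([
        b"%PDF-1.7\n",
        b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm << /Fields [6 0 R] /SigFlags 3 >> >>\nendobj\n",
        b"2 0 obj\n<< /Type /Pages /Kids [3 0 R] /Count 1 >>\nendobj\n",
        b"3 0 obj\n<< /Type /Page /Parent 2 0 R /Contents 5 0 R >>\nendobj\n",
        _stream_object(5, page_content),
        b"6 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached ",
        placeholder, b" /Contents <", b"00" * 32, b"> >>\nendobj\n",
        b"trailer\n<< /Root 1 0 R /Size 7 >>\n%%EOF\n",
    ])
    contents_start = doc.index(b"/Contents <") + len(b"/Contents ")
    contents_end = doc.index(b">", contents_start) + 1
    byte_range = b"/ByteRange [%010d %010d %010d %010d]" % (
        0, contents_start, contents_end, len(doc) - contents_end)
    assert len(byte_range) == len(placeholder)  # in-place fill keeps offsets valid
    return doc.replace(placeholder, byte_range)


def append_incremental_update(pdf: bytes, obj_num: int, new_content: bytes) -> bytes:
    """Constructed shadow step: append an incremental update that redefines one
    object after the signature. The signed bytes are untouched, so the signature
    still verifies, yet a viewer that applies the update renders the new content."""
    update = _stream_object(obj_num, new_content) + b"trailer\n<< /Root 1 0 R /Size 7 /Prev 0 >>\n%%EOF\n"
    return pdf + update


def demo() -> Tuple[SignatureCoverage, SignatureCoverage]:
    """Signed document versus the same document with a replaced content stream."""
    signed = build_signed_pdf(b"BT /F1 12 Tf 72 720 Td (Amount due: 100 EUR) Tj ET")
    shadow = append_incremental_update(signed, 5, b"BT /F1 12 Tf 72 720 Td (Amount due: 100000 EUR) Tj ET")
    return analyze_signature_coverage(signed), analyze_signature_coverage(shadow)


if __name__ == "__main__":
    before, after = demo()
    print("signed:", before)
    print("shadow:", after)
```

The check deliberately uses the last /ByteRange in the file, because a legitimately co-signed document carries one signature per revision and only the most recent one is expected to reach the end of the file. Whitespace or a harmless form-fill appended after that range still shows up as trailing bytes, so in a real verifier this result gates a closer look at the appendix (which objects changed, whether they affect rendering) rather than rejecting the document outright.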