Researchers have demonstrated a novel class of attacks that could enable a bad actor to potentially circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents.
Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique exploits the "enormous flexibility provided by the PDF specification so that shadow documents remain standard-compliant."
The findings were presented yesterday at the Network and Distributed System Security Symposium (NDSS), with 16 of the 29 PDF viewers tested, including Adobe Acrobat, Foxit Reader, Perfect PDF, and Okular, found vulnerable to shadow attacks.
To carry out the attack, a malicious actor creates a PDF document with two different contents: one that is the content expected by the party signing the document, and the other, a piece of hidden content that gets displayed once the PDF is signed.
"The signers of the PDF receive the document, review it, and sign it," the researchers outlined. "The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the signers."
In the analog world, the attack is equivalent to deliberately leaving empty spaces in a paper document and getting it signed by the concerned party, ultimately allowing the counterparty to insert arbitrary content in the spaces.
Shadow attacks build on a similar threat devised by the researchers in February 2019, which found that it was possible to alter an existing signed document without invalidating its signature, thereby making it possible to forge a PDF document.
Although vendors have since applied security measures to fix the issue, the new study aims to extend this attack model to ascertain the possibility that an adversary can modify the visible content of a digitally signed PDF without invalidating its signature, assuming that they can manipulate the PDF before it is signed.
At its core, the attacks leverage "harmless" PDF features which do not invalidate the signature, such as "incremental update," which allows changes to be made to a PDF (e.g., filling out a form), and "interactive forms" (e.g., text fields, radio buttons, etc.), to hide the malicious content behind seemingly innocuous overlay objects or directly replace the original content after it is signed.
A third variant called "hide and replace" can be used to combine the aforementioned methods and modify the contents of an entire document by simply changing the object references in the PDF.
"The attacker can build a complete shadow document influencing the presentation of each page, or even the total number of pages, as well as each object contained therein," the researchers said.
Put simply, the idea is to create a form which shows the same value before and after signing, but a completely different set of values after an attacker's manipulation.
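As an added example of the incremental-update point above (not code from the page, and not the researchers' PDF-Detector tool), the following Python triage check looks for bytes appended beyond the range a signature actually covers; the PDF bytes it examines are constructed toy data, and the function names are assumptions.

```python
import re

# A signature dictionary records the signed bytes as /ByteRange [a b c d]:
# bytes [a, a+b) and [c, c+d) are covered; the gap between them holds /Contents.
BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def inspect_signature_coverage(pdf: bytes) -> dict:
    """Triage check: report any bytes lying beyond the signed ByteRange.
    Such bytes are an incremental update appended after signing; the signature
    still verifies over its range, but a viewer renders the appended objects.
    Heuristic only: verify the signature itself too, and expect legitimate
    post-signing updates such as a second signature or LTV data."""
    ranges = [tuple(int(x) for x in m.groups()) for m in BYTE_RANGE_RE.finditer(pdf)]
    if not ranges:
        return {"signed": False}
    _, _, c, d = max(ranges, key=lambda r: r[2] + r[3])  # widest-covering signature
    signed_end = c + d
    trailing = pdf[signed_end:]
    return {
        "signed": True,
        "signed_end": signed_end,
        "file_length": len(pdf),
        "trailing_bytes": len(trailing),
        "updates_after_signature": trailing.count(b"%%EOF"),
        "suspicious": len(trailing) > 0,
    }

def build_signed_pdf(extra_update: bytes = b"") -> bytes:
    """Constructed toy PDF (not a real signed file) whose ByteRange covers it entirely."""
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
    sig_hex = b"<" + b"00" * 8 + b">"  # placeholder for the signature blob
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    def sig_obj(byte_range: bytes) -> bytes:
        return b"3 0 obj\n<< /Type /Sig /ByteRange " + byte_range + b" /Contents " + sig_hex + tail
    # Fixed-width numbers keep offsets stable between the two passes.
    template = head + sig_obj(b"[%010d %010d %010d %010d]" % (0, 0, 0, 0))
    c_start = template.index(sig_hex)
    c_end = c_start + len(sig_hex)
    byte_range = b"[%010d %010d %010d %010d]" % (0, c_start, c_end, len(template) - c_end)
    return head + sig_obj(byte_range) + extra_update

# Constructed incremental update of the kind a shadow document appends after signing.
SHADOW_UPDATE = (b"4 0 obj\n<< /Type /Annot /Subtype /Widget /Rect [0 0 200 50] >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R /Prev 0 >>\n%%EOF\n")

if __name__ == "__main__":
    print(inspect_signature_coverage(build_signed_pdf()))
    print(inspect_signature_coverage(build_signed_pdf(SHADOW_UPDATE)))
```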
To test the attacks, the researchers have published two new open-source tools called PDF-Attacker and PDF-Detector that can be used to generate shadow documents and test a PDF for manipulation before it is signed and after it has been altered.
The flaws, tracked as CVE-2020-9592 and CVE-2020-9596, have since been addressed by Adobe in an update released on May 12, 2020. As of December 17, 2020, 11 of the 29 tested PDF applications remain unpatched.
This is not the first time PDF security has come under the lens. The researchers have previously demonstrated methods to extract the contents of a password-protected PDF file by taking advantage of the partial encryption supported natively by the PDF specification to remotely exfiltrate content once a user opens that document.
Separately, the researchers last month uncovered another set of 11 vulnerabilities affecting the PDF standard (CVE-2020-28352 through CVE-2020-28359, and CVE-2020-28410 through CVE-2020-28412) that could lead to denial of service, information disclosure, data manipulation attacks, and even arbitrary code execution.