Researchers have demonstrated a novel class of attacks that could enable a bad actor to potentially circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents.
Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique uses the "enormous flexibility provided by the PDF specification so that shadow documents remain standard-compliant."
The findings were presented yesterday at the Network and Distributed System Security Symposium (NDSS), with 16 of the 29 PDF viewers tested — including Adobe Acrobat, Foxit Reader, Perfect PDF, and Okular — found vulnerable to shadow attacks.
To carry out the attack, a malicious actor creates a PDF document with two different contents: one which is the content that is expected by the party signing the document, and the other, a piece of hidden content that gets displayed once the PDF is signed.
"The signers of the PDF receive the document, review it, and sign it," the researchers outlined. "The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the signers."
In the analog world, the attack is equivalent to deliberately leaving empty spaces in a paper document and getting it signed by the concerned party, ultimately allowing the counterparty to insert arbitrary content in the spaces.
Shadow attacks build upon a similar threat devised by the researchers in February 2019, which found that it was possible to alter an existing signed document without invalidating its signature, thereby making it possible to forge a PDF document.
Although vendors have since applied security measures to fix the issue, the new study aims to extend this attack model to ascertain the possibility that an adversary can modify the visible content of a digitally signed PDF without invalidating its signature, assuming that they can manipulate the PDF before it's signed.
At its core, the attacks leverage "harmless" PDF features which don't invalidate the signature, such as "incremental update" that allows for making changes to a PDF (e.g., filling out a form) and "interactive forms" (e.g., text fields, radio buttons, etc.) to hide the malicious content behind seemingly innocuous overlay objects or directly replace the original content after it's signed.
A third variant called "hide and replace" can be used to combine the aforementioned methods and modify the contents of an entire document by simply changing the object references in the PDF.
"The attacker can build a complete shadow document influencing the presentation of each page, or even the total number of pages, as well as each object contained therein," the researchers said.
Put simply, the idea is to create a form, which shows the same value before and after signing, but a completely different set of values post an attacker's manipulation.
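One way to triage a signed PDF for the post-signing incremental update these variants rely on, as an added example that is not code from the article or the researchers' PDF-Detector tool: a signature's /ByteRange names the byte spans it covers, so bytes appended after the last covered span were added by an update the signer never saw. The sample bytes, the dummy signature value and the appended update are constructed here, and the regexes assume uncompressed plain-text PDF syntax.

```python
import re
from dataclasses import dataclass

# Hypothetical triage helper. /ByteRange [a b c d] means the signature covers
# bytes [a, a+b) and [c, c+d); the gap between them holds the signature value.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
EOF_RE = re.compile(rb"%%EOF")

@dataclass
class Coverage:
    byteranges: list        # every (a, b, c, d) tuple found in the file
    eof_count: int          # one %%EOF per revision; >1 means incremental updates
    trailing_bytes: int     # bytes after the furthest signed span

def analyze(pdf: bytes) -> Coverage:
    ranges = [tuple(int(g) for g in m.groups()) for m in BYTERANGE_RE.finditer(pdf)]
    covered_end = max((c + d for _, _, c, d in ranges), default=0)
    trailing = len(pdf) - covered_end if ranges else 0
    return Coverage(ranges, len(EOF_RE.findall(pdf)), max(trailing, 0))

def is_suspicious(cov: Coverage) -> bool:
    # Signed, yet bytes follow the signed region: the footprint of a post-signing
    # incremental update. Legitimate cases exist (a second signature, a saved
    # form), so treat a hit as a reason to inspect the update, not as proof.
    return bool(cov.byteranges) and cov.trailing_bytes > 0

def build_signed_sample() -> bytes:
    # Constructed stand-in for a signed PDF: the signature value is a dummy hex
    # string, but the ByteRange is computed so that it covers the whole file.
    head = b"%PDF-1.7\n1 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /Contents "
    sig = b"<" + b"00" * 16 + b">"
    tail_tmpl = (b" /ByteRange [0 %010d %010d %010d] >>\nendobj\n"
                 b"trailer\n<< /Root 1 0 R >>\n%%%%EOF\n")
    a = len(head)
    b = a + len(sig)
    c = len(tail_tmpl % (0, 0, 0))  # zero padding keeps the tail length fixed
    return head + sig + (tail_tmpl % (a, b, c))

SIGNED_SAMPLE = build_signed_sample()
# Constructed incremental update appended after signing, as in a shadow document.
SHADOW_SAMPLE = SIGNED_SAMPLE + (b"2 0 obj\n<< /Type /Page /Contents 3 0 R >>\nendobj\n"
                                 b"trailer\n<< /Root 1 0 R /Prev 9 >>\n%%EOF\n")

if __name__ == "__main__":
    for name, sample in (("signed", SIGNED_SAMPLE), ("shadow", SHADOW_SAMPLE)):
        cov = analyze(sample)
        print(name, cov.eof_count, cov.trailing_bytes, is_suspicious(cov))
```

Real signed files may carry several /ByteRange entries (one per signature) and compressed object streams, so a production check would parse the trailer chain rather than scan with regexes.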
To test the attacks, the researchers have published two new open-source tools called PDF-Attacker and PDF-Detector that can be used to generate shadow documents and test a PDF for manipulation before it's signed and after it has been altered.
The flaws — tracked as CVE-2020-9592 and CVE-2020-9596 — have since been addressed by Adobe in an update released on May 12, 2020. As of December 17, 2020, 11 of the 29 tested PDF applications remain unpatched.
This isn't the first time PDF security has come under the lens. The researchers have previously demonstrated methods to extract contents of a password-protected PDF file by taking advantage of partial encryption supported natively by the PDF specification to remotely exfiltrate content once a user opens that document.
Separately, the researchers last month uncovered another set of 11 vulnerabilities impacting the PDF standard (CVE-2020-28352 through CVE-2020-28359, and from CVE-2020-28410 to CVE-2020-28412) that could lead to denial-of-service, information disclosure, data manipulation attacks, and even arbitrary code execution.