A security issue in the certification signatures of PDF documents has been discovered by researchers at Ruhr-University Bochum. The Portable Document Format (PDF) is the de facto standard for document exchange.
PDF signatures are a well-established protection mechanism to guarantee the integrity, authenticity, and non-repudiation of a PDF document.
Types of PDF Signatures
Approval signatures testify a specific document state. The specification allows the usage of multiple signatures on the same document. Any other change on a signed document leads to an invalidation of the approval signature or warnings in most PDF viewers.
During the document’s certification, the owner defines a list of allowed modifications that do not invalidate the document’s certification signature. These allowed modifications can be a subset of the following actions: writing text to specific form fields (even without signing the document), providing annotations to the document, or adding approval signatures.
Attackers Abuse Signed PDF Files
In an attack scenario, the certifier creates a certified contract with sensitive information which cannot be exchanged. The certifier allows specific changes to the PDF contract, for example, further signatures.
Using these permitted changes, the attacker can change the amount from $100 to $100,000 and display the IBAN of his account. Therefore, the victim cannot detect the manipulation and thus accepts the modified contract.
Unlike a normal PDF signature, the certification signature permits certain changes to be made in the document after it has been signed. This is necessary to allow the second contractual party to also sign the document.
How Dangerous are Permitted Changes in Certified Documents?
The researchers describe two new vulnerabilities that abuse flaws in the PDF specification: the Evil Annotation Attack (EAA) and the Sneaky Signature Attack (SSA).
These vulnerabilities allow an attacker to change the visible content of a PDF document by displaying malicious content over the certified content. Yet, the certification remains valid and the application shows no warnings.
The IT security experts tested 26 PDF applications, in 24 of which they were able to break the certification with at least one of the attacks. In 11 of 26 applications, a permission mismatch exists.
Malicious Code can be Implanted into Adobe Documents
The researchers showed that attackers could use this mechanism to implant malicious code into a certified document. This makes it possible, for instance, for a user’s privacy to be exposed by sending his IP address and information about the PDF applications used to an attacker when the document is opened.
Even though neither EAA nor SSA can change the content itself – it always remains in the PDF – annotations and signature fields can be used as an overlay to add new content.
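Because both attacks work by appending annotations or signature fields after certification, a reviewer can list what was added beyond the certified byte range. The following is an added example, not code from the researchers or from any PDF application: it reads the DocMDP permission level (`/P`: 1 = no changes, 2 = form filling and signing, 3 = additionally annotations) and reports objects appended after the first signature. It assumes uncompressed objects and a fixed key order, and `audit_certified_pdf`, `build_sample` and the sample bytes are constructed for illustration.

```python
import re

# Raw-byte heuristics; assumes uncompressed objects and this key order (simplification).
BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
DOCMDP_P = re.compile(
    rb"/TransformMethod\s*/DocMDP\s*/TransformParams\s*<<[^>]*?/P\s+([123])")
ANNOT = re.compile(rb"/Type\s*/Annot\b[^>]*?/Subtype\s*/(\w+)")
SIGFIELD = re.compile(rb"/FT\s*/Sig\b")

def audit_certified_pdf(data: bytes) -> dict:
    """Summarise what was appended after the first (certifying) signature."""
    br = BYTERANGE.search(data)
    if br is None:
        return {"certified": False}
    _, _, start2, len2 = (int(g) for g in br.groups())
    signed_end = start2 + len2       # end of the byte range the signature covers
    tail = data[signed_end:]         # incremental updates appended afterwards
    perm = DOCMDP_P.search(data[:signed_end])
    return {
        "certified": perm is not None,
        "permission": int(perm.group(1)) if perm else None,
        "bytes_after_signature": len(tail),
        "annotations_added": [m.group(1).decode() for m in ANNOT.finditer(tail)],
        "signature_fields_added": len(SIGFIELD.findall(tail)),
    }

def build_sample(modified: bool) -> bytes:
    """Constructed PDF-like bytes (not a complete PDF), only for this demo."""
    head = (b"%PDF-1.7\n1 0 obj << /Type /Sig /Reference [ << /TransformMethod"
            b" /DocMDP /TransformParams << /P 3 >> >> ]"
            b" /ByteRange [0 AAAAA BBBBB CCCCC] /Contents <")
    sig, rest = b"00" * 16, b"> >> endobj\n%%EOF\n"
    for tag, val in ((b"AAAAA", len(head)), (b"BBBBB", len(head) + len(sig)),
                     (b"CCCCC", len(rest))):
        head = head.replace(tag, b"%05d" % val)   # same width, offsets stay valid
    update = (b"7 0 obj << /Type /Annot /Subtype /FreeText /Contents (overlay) >>"
              b" endobj\n8 0 obj << /FT /Sig /T (Sig2) >> endobj\n%%EOF\n")
    return head + sig + rest + (update if modified else b"")

if __name__ == "__main__":
    for label, doc in (("as certified", build_sample(False)),
                       ("after update", build_sample(True))):
        print(label, audit_certified_pdf(doc))
```

Permitted changes such as a legitimate approval signature also append bytes, so the report is a list of items to inspect visually, not a verdict.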
“The research community has struggled with similar problems on other data formats, such as XML or Email, without finding a satisfying solution so far. In the case of PDF, the specification must be updated to address these issues”, the researchers concluded.