Attackers Abuse Signed PDF Files

A security issue in the certification signatures of PDF documents has been discovered by researchers at Ruhr-University Bochum. The Portable Document Format (PDF) is the de facto standard for document exchange.

PDF signatures are a well-established protection mechanism to guarantee the integrity, authenticity, and non-repudiation of a PDF document.

Types of PDF Signatures

Approval Signatures

Approval signatures testify to a specific document state. The specification allows multiple signatures on the same document. Any other change to a signed document invalidates the approval signature or triggers warnings in most PDF viewers.

Certification Signatures

During the document’s certification, the owner defines a list of allowed modifications that do not invalidate the document’s certification signature. These allowed modifications can be a subset of the following actions: writing text to specific form fields (even without signing the document), providing annotations to the document, or adding approval signatures.

Attackers Abuse Signed PDF Files

In an attack scenario, the certifier creates a certified contract with sensitive information which cannot be exchanged. The certifier allows specific changes to the PDF contract, for example, further signatures.

Attack Scenario

Using these permitted changes, the attacker can change the amount from $100 to $100,000 and display the IBAN of his account. Therefore, the victim cannot detect the manipulation and thus accepts the modified contract.

Price Manipulated

Unlike a normal PDF signature, the certification signature permits certain changes to be made in the document after it has been signed. This is necessary to allow the second contractual party to also sign the document.

How Dangerous are Permitted Changes in Certified Documents?

The researchers found two new vulnerabilities that abuse flaws in the PDF specification: the Evil Annotation Attack (EAA) and the Sneaky Signature Attack (SSA).

These vulnerabilities allow an attacker to change the visible content of a PDF document by displaying malicious content over the certified content. Yet, the certification remains valid and the application shows no warnings.

The IT security experts tested 26 PDF applications, in 24 of which they were able to break the certification with at least one of the attacks. In 11 of 26 applications, a permission mismatch exists.
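Because both attacks work by adding objects after certification, a defender can inspect what was appended beyond the signed byte range. The following is an added example, not code from the researchers: `audit_certified_pdf` and `build_sample` are hypothetical names, the `/ByteRange` and `/DocMDP` `/P` keys come from the PDF specification rather than this article, and the sample input is constructed.

```python
import re

# /ByteRange, /DocMDP and /P are PDF specification keys. DocMDP levels: 1 = no changes,
# 2 = form fill-in and signing, 3 = level 2 plus annotations.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
DOCMDP_P = re.compile(rb"/TransformMethod\s*/DocMDP.*?/P\s+([123])", re.S)
OBJ = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)endobj", re.S)
SUBTYPE = re.compile(rb"/Subtype\s*/(\w+)")


def audit_certified_pdf(data: bytes) -> dict:
    """List page-placed objects appended after the first signature's signed range.

    Assumptions: the first /ByteRange is the certification signature, and appended
    objects are uncompressed (objects packed into object streams are not seen).
    """
    br = BYTE_RANGE.search(data)
    if br is None:
        return {"certified": False, "level": None, "findings": []}
    _, _, start2, len2 = map(int, br.groups())
    signed, tail = data[:start2 + len2], data[start2 + len2:]
    p = DOCMDP_P.search(signed)          # trust only the level inside signed bytes
    level = int(p.group(1)) if p else None
    findings = []
    for num, body in OBJ.findall(tail):
        sub = SUBTYPE.search(body)
        if sub is None or b"/Rect" not in body:
            continue                     # not an annotation or widget placed on a page
        name = sub.group(1).decode()
        if name == "Widget" and re.search(rb"/FT\s*/Sig", body):
            kind, needed = "signature field", 2
        else:
            kind, needed = name + " annotation", 3
        allowed = level is not None and level >= needed
        findings.append({"obj": int(num), "kind": kind, "allowed_by_level": allowed})
    return {"certified": level is not None, "level": level, "findings": findings}


def build_sample(level: int, update: str = "") -> bytes:
    """Constructed input: a skeletal certified revision plus an incremental update."""
    head = ("%PDF-1.7\n1 0 obj\n<< /Type /Sig /Reference [<< /TransformMethod /DocMDP "
            "/TransformParams << /P {} >> >>] /ByteRange [0 {:04d} {:04d} {:04d}] /Contents <")
    hole, rest = "00" * 8, "> >>\nendobj\n%%EOF\n"
    n = len(head.format(level, 0, 0, 0))
    signed = head.format(level, n, n + len(hole), len(rest)) + hole + rest
    return (signed + update).encode("ascii")


# Constructed incremental updates (skeletal objects, not complete PDF revisions).
ANNOTATION_UPDATE = "5 0 obj\n<< /Type /Annot /Subtype /FreeText /Rect [50 700 300 720] >>\nendobj\n"
SIGNATURE_UPDATE = "6 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Sig /Rect [50 700 300 720] >>\nendobj\n"
```

A finding with `allowed_by_level` set to true still deserves review, since both attacks rely on changes the certifier permitted.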

Malicious Code can be Implanted into Adobe Documents

The team also discovered a weakness specifically in Adobe products. Certified Adobe documents can execute JavaScript code, such as accessing URLs to verify the identity of a user.

The researchers showed that attackers could use this mechanism to implant malicious code into a certified document. This makes it possible, for instance, to expose a user’s privacy by sending his IP address and information about the PDF applications used to an attacker when the document is opened.

Final Word

Even though neither EAA nor SSA can change the content itself – it always remains in the PDF – annotations and signature fields can be used as an overlay to add new content.

Victims opening the PDF are unable to distinguish these additions from regular content. And even worse: annotations can embed high-privileged JavaScript code that is allowed to be added to certain certified documents.

“The research community has struggled with similar problems on other data formats, such as XML or Email, without finding a satisfying solution so far. In the case of PDF, the specification must be updated to address these issues”, the researchers concluded.
