Shadow attack lets attackers alter content in digitally signed PDFs

Researchers have demonstrated a novel class of attacks that could allow a bad actor to circumvent existing countermeasures and break the integrity protection of digitally signed PDF documents.

Called a "shadow attack" by academics from Ruhr-University Bochum, the technique "uses the enormous flexibility provided by the PDF specification so that shadow documents remain standards-compliant."

The findings, presented yesterday at the Network and Distributed System Security Symposium (NDSS), showed that 16 of the 29 PDF viewers tested, including Adobe Acrobat, Foxit Reader, Perfect PDF and Okular, were vulnerable to shadow attacks.

To carry out the attack, a malicious actor creates a PDF document with two different contents: one that is expected by the party signing the document, and the other, a piece of hidden content that is displayed after the PDF is signed.

"The signers of the PDF receive the document, review it, and sign it," the researchers outlined. "The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the signers."


In the analog world, the attack is the equivalent of deliberately leaving blank space in a paper document and having it signed by the party concerned, ultimately allowing the counterparty to insert arbitrary content into the blank space.

Shadow attacks build on a similar threat described by researchers in February 2019, who found that it was possible to alter an existing signed document without invalidating its signature, making it possible to forge a PDF document.

Although vendors have applied security measures to fix the issue, the new study aims to extend this attack model to explore the possibility that an adversary can modify the visible content of a digitally signed PDF without invalidating its signature, assuming they can manipulate the PDF before it is signed.

At their core, the attacks take advantage of "harmless" PDF features that do not invalidate the signature, such as "incremental updates" that allow changes to be made to the PDF (for example, filling out a form) and "interactive forms" (for example, text fields, radio buttons, etc.), to hide malicious content behind seemingly innocuous overlay objects or to replace the original content directly after it has been signed.

A third variant called "Hide and Replace" can be used to combine the above methods and modify the contents of the entire document by changing the object references in the PDF.

"The attacker can build a complete shadow document influencing the presentation of each page, or even the total number of pages, as well as each object contained therein," the researchers said.


Simply put, the idea is to create a form that shows the same value before and after it is signed, but a completely different set of values after an attacker manipulates it.

To test the attacks, the researchers have published two new open-source tools called PDF-Attacker and PDF-Detector that can be used to generate shadow documents and to test a PDF for manipulation before it is signed and after it has been altered.
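Because the attacks rely on content appended by incremental update after signing, a defender can check how much of a file the signature actually covers. The following is an added example, not code from the article or from the researchers' PDF-Detector tool; it assumes the signature dictionary's `/ByteRange` entry is stored uncompressed and readable with a plain byte scan, and `audit_signed_pdf` and `make_sample` are hypothetical names with constructed sample bytes.

```python
import re

# /ByteRange [off1 len1 off2 len2]: the two byte spans the signature hashes.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def audit_signed_pdf(data: bytes) -> dict:
    """Report whether the widest-reaching signature covers the file to its end."""
    ranges = [tuple(int(g) for g in m.groups()) for m in BYTE_RANGE.finditer(data)]
    if not ranges:
        return {"signatures": 0, "covers_whole_file": None,
                "unsigned_tail_bytes": 0, "revisions_after_signing": 0}
    # With several signatures, only the one reaching furthest can cover the file.
    off1, _len1, off2, len2 = max(ranges, key=lambda r: r[2] + r[3])
    signed_end = off2 + len2
    tail = data[signed_end:].strip()  # whitespace after %%EOF is harmless
    return {
        "signatures": len(ranges),
        "covers_whole_file": off1 == 0 and signed_end <= len(data) and not tail,
        "unsigned_tail_bytes": len(tail),
        # Each incremental update ends with its own %%EOF marker.
        "revisions_after_signing": tail.count(b"%%EOF"),
    }

def make_sample(appended: bytes = b"") -> bytes:
    """Constructed PDF-like bytes (not a renderable PDF) with a consistent ByteRange."""
    tpl = "%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 {:010d} {:010d} {:010d}] /Contents "
    sig = b"<" + b"00" * 16 + b">"          # placeholder for the signature blob
    end = b" >>\nendobj\n%%EOF\n"
    head_len = len(tpl.format(0, 0, 0))     # fixed-width fields keep this stable
    head = tpl.format(head_len, head_len + len(sig), len(end)).encode()
    return head + sig + end + appended

if __name__ == "__main__":
    print(audit_signed_pdf(make_sample()))
    update = b"2 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"
    print(audit_signed_pdf(make_sample(update)))
```

A non-empty unsigned tail is not proof of tampering, since form filling and additional signatures also append revisions; it identifies the bytes a reviewer must inspect before trusting what the viewer displays.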

The flaws, tracked as CVE-2020-9592 and CVE-2020-9596, have since been addressed by Adobe in an update released on May 12, 2020. As of December 17, 2020, 11 of the 29 tested PDF applications remain unpatched.

This isn't the first time PDF has come under the security lens. Researchers have previously demonstrated methods for extracting the contents of a password-protected PDF file by taking advantage of partial encryption natively supported by the PDF specification to remotely exfiltrate the contents after a user has opened that document.

Separately, researchers last month uncovered another set of 11 vulnerabilities affecting the PDF standard (CVE-2020-28352 to CVE-2020-28359, and CVE-2020-28410 to CVE-2020-28412), which could lead to denial-of-service, information disclosure, data manipulation attacks, and even arbitrary code execution.
