Researchers Show 2 New Hacks to Modify Licensed PDF Paperwork


Cybersecurity researchers have disclosed two new assault strategies on licensed PDF paperwork that would probably allow an attacker to change a doc’s seen content material by displaying malicious content material over the certified content material with out invalidating its signature.

“The assault thought exploits the flexibleness of PDF certification, which permits signing or including annotations to licensed paperwork below totally different permission ranges,” said researchers from Ruhr-College Bochum, who’ve systematically analyzed the safety of the PDF specification through the years.

The findings have been introduced on the forty second IEEE Symposium on Safety and Privateness (IEEE S&P 2021) held this week.

The 2 assaults — dubbed Evil Annotation and Sneaky Signature attacks — hinge on manipulating the PDF certification course of by exploiting flaws within the specification that governs the implementation of digital signatures (aka approval signature) and its extra versatile variant known as certification signatures.

password auditor

Certification signatures additionally permit totally different subsets of modifications on the PDF doc based mostly on the permission degree set by the certifier, together with the power to put in writing textual content to particular type fields, present annotations, and even add a number of signatures.

The Evil Annotation Assault (EAA) works by modifying a certified doc that is provisioned to insert annotations to incorporate an annotation containing malicious code, which is then despatched to the sufferer. Alternatively, the concept behind the Sneaky Signature assault (SSA) is to govern the looks by including overlaying signature components to a doc that permits filling out type fields.

“By inserting a signature subject, the signer can outline the precise place of the sphere, and moreover its look and content material, the researchers stated. “This flexibility is important since every new signature may comprise the signer’s data. The data could be a graphic, a textual content, or a mix of each. Nonetheless, the attacker can misuse the flexibleness to stealthily manipulate the doc and insert new content material.”

In a hypothetical assault situation detailed by the lecturers, a certifier creates an authorized contract with delicate data whereas enabling the choice so as to add additional signatures to the PDF contract. By benefiting from these permissions, an attacker can modify the contents of the doc, say, to show an Worldwide Financial institution Account Quantity (IBAN) below their management and fraudulently switch funds, because the sufferer, unable to detect the manipulation, accepts the tampered contract.

15 of 26 PDF functions evaluated by the researchers, counting Adobe Acrobat Reader (CVE-2021-28545 and CVE-2021-28546), Foxit Reader (CVE-2020-35931), and Nitro Professional, have been discovered weak to the EAA assault, enabling an attacker to vary the seen content material within the doc. Soda PDF Desktop, PDF Architect, and 6 different functions have been recognized as vulnerable to SSA assaults.

Extra troublingly, the examine revealed that it is potential to execute high-privileged JavaScript code — e.g., redirect the consumer to a malicious web site — in Adobe Acrobat Professional and Reader by sneaking such code through EAA and SSA as an incremental replace to the licensed doc. The weak point (CVE-2020-24432) was addressed by Adobe as a part of its Patch Tuesday replace for November 2020.

To fend off such assaults, the researchers suggest prohibiting FreeText, Stamp, and Redact annotations in addition to making certain that signature fields are arrange at outlined areas within the PDF doc previous to certification, alongside penalizing any subsequent addition of signature fields with an invalid certification standing. The researchers have additionally created a Python-based utility known as PDF-Detector, which parses licensed paperwork to focus on any suspicious components discovered within the PDF doc.

“Though neither EAA nor SSA can change the content material itself – it all the time stays within the PDF – annotations and signature fields can be utilized as an overlay so as to add new content material,” the researchers stated. “Victims opening the PDF are unable to tell apart these additions from common content material. And even worse: annotations can embed excessive privileged JavaScript code that’s allowed to be added to sure licensed paperwork.”

Discovered this text attention-grabbing? Comply with THN on Facebook, Twitter and LinkedIn to learn extra unique content material we submit.


Source link