Cybersecurity researchers have disclosed two new attack techniques on certified PDF documents that could potentially allow an attacker to alter a document's visible content by displaying malicious content over the certified content without invalidating its signature.
"The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels," said researchers from Ruhr-University Bochum, who have examined the security of the PDF specification over time.
The findings were presented at the 42nd IEEE Symposium on Security and Privacy held this week.
The two attacks, dubbed the Evil Annotation Attack and the Sneaky Signature Attack, hinge on manipulating the PDF certification process by exploiting flaws in the specification that governs the implementation of digital signatures (aka approval signatures) and their more flexible variant called certification signatures.
Certification signatures also allow different subsets of modifications to the PDF document based on the permission level set by the certifier, including the ability to write text into specific form fields, provide annotations, or even add multiple signatures.
The Evil Annotation Attack (EAA) works by modifying a certified document that is provisioned to allow annotations so that it includes an annotation containing malicious code, which is then sent to the victim. Alternatively, the idea behind the Sneaky Signature Attack (SSA) is to manipulate the appearance by adding overlaying signature elements to a document that permits filling out form fields.
"By inserting a signature field, the signer can define the exact position of the field, and additionally its appearance and content," the researchers said. "This flexibility is necessary since each new signature could contain the signer's information. The information can be a graphic, a text, or a combination of both. However, the attacker can misuse the flexibility to stealthily manipulate the document and insert new content."
In a hypothetical attack scenario detailed by the academics, a certifier creates a certified contract with sensitive information while enabling the option to add further signatures to the PDF contract. By taking advantage of these permissions, an attacker can modify the contents of the document, say, to display an International Bank Account Number (IBAN) under their control and fraudulently transfer funds, as the victim, unable to detect the manipulation, accepts the tampered contract.
15 of 26 PDF applications evaluated by the researchers, including Adobe Acrobat Reader (and ), Foxit Reader ( ), and Nitro Pro, were found vulnerable to the EAA attack, enabling an attacker to change the visible content in the document. Soda PDF Desktop, PDF Architect, and six other applications were identified as susceptible to SSA attacks.
To fend off such attacks, the researchers propose prohibiting FreeText, Stamp, and Redact annotations as well as ensuring that signature fields are set up at defined locations in the PDF document prior to certification, alongside penalizing any subsequent addition of signature fields with an invalid certification status. The researchers have also created a Python-based utility called, which parses certified documents to highlight any suspicious elements found in the PDF document.
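As an added illustration of the mitigation described above (example code written for this page, not the researchers' own utility), the following Python scanner splits a PDF into its incremental-update revisions and flags the prohibited annotation subtypes and any signature field added after the certification revision. The PDF fragments are constructed test data, and the plain-text regex parsing is a simplification that ignores object streams and compression.

```python
import re

# Annotation subtypes the researchers recommend prohibiting in certified documents.
FORBIDDEN_ANNOTS = {b"FreeText", b"Stamp", b"Redact"}

def split_revisions(pdf: bytes) -> list:
    """Split a PDF into its revisions: each incremental update is appended
    after the previous %%EOF, so revision 0 is the originally certified file."""
    return [p for p in re.split(rb"%%EOF\s*", pdf) if p.strip()]

def scan_certified_pdf(pdf: bytes) -> list:
    """Return (revision_index, finding) for suspicious objects added by any
    incremental update after the certification revision. Plain-text regex
    scan only: a simplification that ignores object streams and compression."""
    findings = []
    for idx, rev in enumerate(split_revisions(pdf)[1:], start=1):
        for subtype in re.findall(rb"/Subtype\s*/(\w+)", rev):
            if subtype in FORBIDDEN_ANNOTS:
                findings.append((idx, f"forbidden annotation /{subtype.decode()}"))
        if re.search(rb"/FT\s*/Sig\b", rev):
            findings.append((idx, "signature field added after certification"))
    return findings

# Constructed sample: a minimal certified revision (DocMDP permission level 3,
# i.e. form filling and annotations allowed), not a real document.
CERTIFIED_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj << /Type /Catalog /Pages 2 0 R /Perms << /DocMDP 4 0 R >> >> endobj\n"
    b"2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj\n"
    b"3 0 obj << /Type /Page /Parent 2 0 R /Annots [] >> endobj\n"
    b"4 0 obj << /Type /Sig /Reference [ << /TransformMethod /DocMDP"
    b" /TransformParams << /P 3 >> >> ] >> endobj\n"
    b"trailer << /Root 1 0 R >>\n%%EOF\n"
)
# Constructed incremental update of the kind EAA/SSA rely on: a FreeText overlay
# plus a new signature field (offsets are placeholders, not valid xref data).
SUSPICIOUS_UPDATE = (
    b"5 0 obj << /Type /Annot /Subtype /FreeText /Rect [50 50 300 100]"
    b" /Contents (overlay text) >> endobj\n"
    b"6 0 obj << /FT /Sig /T (sig2) /Subtype /Widget /Rect [0 0 200 50] >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)
# Constructed benign update: only fills an existing text form field.
BENIGN_UPDATE = (
    b"7 0 obj << /FT /Tx /T (name) /V (Alice) /Subtype /Widget >> endobj\n"
    b"trailer << /Root 1 0 R /Prev 0 >>\n%%EOF\n"
)

if __name__ == "__main__":
    for finding in scan_certified_pdf(CERTIFIED_PDF + SUSPICIOUS_UPDATE):
        print("revision %d: %s" % finding)
```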