It is possible to bypass security in PDF viewers to change signed documents, researchers said.
“We analyzed signature validation processing on PDF files,” , said Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe, and Jorg Schwenk, researchers at Ruhr-University Bochum in Germany in a paper. “We present three novel attack classes: Universal Signature Forgery (USF), Incremental Saving Attack (ISA), and Signature Wrapping Attack (SWA). Each attack allows an attacker to stealthily manipulate the content of a signed PDF without invalidating the signature, thereby breaking the document integrity protection.”
Govt., Private Sector Need to Unite on Cyber: Report
Safety, Security, Privacy in Interconnected World
DDoS Attacks, Fewer in Quantity, More Sophisticated
Russia, China can Disrupt Critical Infrastructure
“We successfully applied the attacks on 22 different PDF viewers and found 21 of them to be vulnerable, including prominent and widely used applications such as Adobe Reader DC and Foxit,” the researchers said.
PDF signatures, which rely on cryptographic operations, are widely used by organizations around the world to ensure their documents are protected against unauthorized modifications.
The Ruhr-University Bochum researchers proved an unauthorized user could leverage various techniques to make changes to a PDF document without invalidating its signature.
In an USF attack, the main idea is to disable the verification by providing invalid content within the signature object or removing the references to the signature object. Thus, despite the fact that the signature object is provided, the validation logic is not able to apply the correct cryptographic operations, the researchers said. Nevertheless, it could be possible that a viewer shows some signature information although the verification is being skipped.
The ISA attack relies on the incremental saving feature. The idea of the attack is to make an incremental saving on the document by redefining the document’s structure and content using the Body Updates part, the researchers said. The digital signature within the PDF file protects exactly the part of the file defined in the ByteRange. Since the incremental saving appends the Body Updates to the end of the file, it is not part of the defined ByteRange and thus not part of the signature’s integrity protection. The signature remains valid, while the Body Updates changed the displayed content.
SWA attack introduces a novel technique to bypass the signature protection without using incremental saving, the researchers said. The main idea is to move the second part of the signed ByteRange to the end of the document while reusing the xref pointer within the signed Trailer to an attacker manipulated Xref table. To avoid any processing of the relocated second part, it can be optionally wrapped by using a stream object or a dictionary.
Click here to download the paper.