Friday, November 15, 2024
HomeVulnerabilityResearchers Uncovered 2 New Hacking Method to Break the Certified PDF Docs

Researchers Uncovered 2 New Hacking Method to Break the Certified PDF Docs

Published on

The cybersecurity researchers at the Ruhr University Bochum, Faculty of Electrical Engineering and Information Technology, Horst Görtz Institute for IT-Security have recently discovered two new exploits to break the Certified PDF documents.

By exploiting these two flaws a hacker can easily and secretly modify the content of documents with Certification Signatures.

In total, the security experts have analyzed 26 PDF applications, and among them, they have detected 24 applications vulnerable to these two security flaws.

- Advertisement - SIEM as a Service

Hacking Methods to Break the Certified PDF Docs

The analysts explained that there is two types of digital signatures are assigned in the PDF specification and here they are:-

  • One is “Approval Signatures,” which are used to prove the status of a specific document. As a document can have different signatures, but any changes to the document will cause the signature to be invalid.
  • While the other one is the “Certification Signatures,” and it provides a more flexible digital signature file. Although it can only have one certification signature, as it allows the file owner to list the document items that can be changed, such as filling in specific fields, commenting on the document, or adding a new approval seal.

This made researchers interlocked in the security of the certification seal and carried out a systematic analysis of the change function of the certified file. 

And in this point, they found that the specification contained two security vulnerabilities, and here they are mentioned below:- 

  • Evil Annotation Attack (EAA).
  • Sneaky Signature Attack (SSA).

Whether it is an EAA vulnerability or SSA vulnerability, it can change the presentation of the content in the certified document, while retaining the validity of the certification stamp, without incurring any warnings. 

Among the 26 PDF applications tested, there are 24 apps that contain at least one of these security flaws. 

In addition, the researchers also analyzed whether these 26 programs comply with the PDF specifications in allowing annotations and signatures, and found that 11 programs did not comply with the requirements.

User Interface (UI) Layers

  • UI-Layer 1: Top Bar Validation Status.
  • UI-Layer 2: Detailed Validation and Information.
  • UI-Layer 3: PDF Annotations.

Evil Annotation Attack (EAA)

In a certified document by exploiting the annotations EAA shows the arbitrary content. Apart from this, the EAA eradicates the probity of the certification, because the P3 certified document allows adding annotations.

The security analysts have categorized all the annotations as per their danger level and abilities in EAA. While in the danger section of annotations, the experts have detected a total of three annotations that are:- 

  • Redact
  • FreeText
  • Stamp

Apart from these, there are some annotations that are categorized as per their low or none ability, and these annotations are limited in numbers. However, in this attack, the threat actors present all legitimate documents that easily allow them for inserting and annotations, but all these documents contain malicious links and content.

Not only this the analysts have also detected a bypass, that the PDF viewers easily detect the annotations by their specified Subtype. And this Subtype was used by different viewers as an editing tool, if the value of Subtype is missing or if it is symbolizing as a set to an unspecified value then the PDF viewer is not capable to detect this annotation.

Sneaky Signature Attack (SSA)

The main motive of SSA is to exploit the form and features of arbitrary content in the PDF. It operates by including the overlaying signature of all the details of the annotation to a PDF document, and all documents are certified at the P2 level with the features of signing the documents and filling out the forms.

However, in SSA the level of danger is quite low, and all the value of these attacks was saved or stored in the fields. Once the attackers signed a self-signed certificate for SSA, then they are ready for the SSA attacks.

According to the experts, after opening the files, if the victims find any suspicious documents they simply refuse the document, though if the certification is legitimate.

On the other hand, Adobe also contains an additional vulnerability that allows hackers to execute JavaScript code in authenticated documents, posing the risk of code injection attacks.

During their analysis, the researchers have evaluated all the 26 PDF apps, and among them, 15 apps are vulnerable to EAA and SSA attacks.

Here the Adobe Acrobat Reader with CVE-2021-28545 and CVE-2021-28546, Foxit Reader with CVE-2020-35931, and Nitro Pro are vulnerable to EAA attack. While other apps like Soda PDF Desktop, PDF Architect, and six others are vulnerable to SSA attacks.

Apart from this, currently, Adobe, Foxit, and LibreOffice have already patched all the related vulnerabilities, and researchers are also working jointly with the global standards organization to develop a new generation of PDF specifications to fix the defects of existing specifications.

We have already reported earlier about similar attacks that bypassing the signature validation in PDF. Digitally signed PDFs are used in contracts and invoices to guarantee the authenticity and integrity of their content.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.

Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Latest articles

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Chinese SilkSpecter Hackers Attacking Black Friday Shoppers

SilkSpecter, a Chinese financially motivated threat actor, launched a sophisticated phishing campaign targeting e-commerce...

Cybercriminals Launch SEO Poisoning Attack to Lure Shoppers to Fake Online Stores

The research revealed how threat actors exploit SEO poisoning to redirect unsuspecting users to...

Black Basta Ransomware Leveraging Social Engineering For Malware Deployment

Black Basta, a prominent ransomware group, has rapidly gained notoriety since its emergence in...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

Critical TP-Link DHCP Vulnerability Let Attackers Execute Arbitrary Code Remotely

A critical security flaw has been uncovered in certain TP-Link routers, potentially allowing malicious...

Critical Laravel Vulnerability CVE-2024-52301 Allows Unauthorized Access

CVE-2024-52301 is a critical vulnerability identified in Laravel, a widely used PHP framework for...

4M+ WordPress Websites to Attacks, Following Plugin Vulnerability

A critical vulnerability has been discovered in the popular "Really Simple Security" WordPress plugin,...