Tuesday, December 3, 2024

Researchers Uncovered 2 New Hacking Method to Break the Certified PDF Docs


Cybersecurity researchers at Ruhr University Bochum (Faculty of Electrical Engineering and Information Technology, Horst Görtz Institute for IT-Security) have discovered two new attacks that break certified PDF documents.

By exploiting these two flaws, an attacker can easily and secretly modify the content of documents that carry Certification Signatures.

In total, the researchers analyzed 26 PDF applications and found 24 of them vulnerable to these two flaws.


Hacking Methods to Break the Certified PDF Docs

The analysts explained that the PDF specification defines two types of digital signatures:

  • Approval Signatures, which are used to prove the status of a specific document. A document can carry several approval signatures, but any change to the document invalidates the signature.
  • Certification Signatures, which provide a more flexible form of signing. A document can have only one certification signature, and it allows the document owner to list the modifications that remain permitted, such as filling in specific form fields, commenting on the document, or adding a new approval signature.

This led the researchers to examine the security of certification signatures and to carry out a systematic analysis of the modifications a certified file permits.

At this point they found that the specification contains two security vulnerabilities, listed below:

  • Evil Annotation Attack (EAA).
  • Sneaky Signature Attack (SSA).

Both EAA and SSA can change how the content of a certified document is displayed while the certification remains valid and the viewer raises no warning.

Of the 26 PDF applications tested, 24 contain at least one of these flaws.

In addition, the researchers analyzed whether the 26 programs comply with the PDF specification's rules on permitted annotations and signatures, and found that 11 did not.

User Interface (UI) Layers

  • UI-Layer 1: Top Bar Validation Status.
  • UI-Layer 2: Detailed Validation and Information.
  • UI-Layer 3: PDF Annotations.

Evil Annotation Attack (EAA)

EAA abuses annotations to display arbitrary content in a certified document. It undermines the integrity of the certification because a document certified at level P3 permits adding annotations.

The analysts categorized all annotation types by their capabilities and danger level in an EAA. In the dangerous category they identified three annotation types:

  • Redact
  • FreeText
  • Stamp

The remaining annotation types were categorized as having low or no capability for this attack, and there are relatively few of them. In this attack the threat actor presents what appears to be a legitimate document that permits inserting annotations, but the document carries malicious links and content.

The analysts also found a bypass. PDF viewers identify annotations by their specified Subtype, and several viewers use this value to decide how the annotation is handled in their editing tools. If the Subtype value is missing, or is set to an unspecified value, the viewer fails to detect the annotation at all.
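The three dangerous annotation types and the missing-Subtype bypass above both suggest a simple defensive check: enumerate the annotation objects in a PDF and flag the ones a viewer should warn about. The following scanner is an added example, not code from the researchers or from any PDF product; it uses a constructed, uncompressed sample PDF fragment and a deliberately simplified regex parser (it does not handle object streams, compressed bodies or incremental updates).

```python
import re

# Constructed sample (not a real certified document): an uncompressed PDF fragment
# with three annotation objects: a harmless /Link, a /FreeText (one of the three
# subtypes the research classifies as dangerous) and one with no /Subtype at all,
# the case the article says some viewers failed to detect.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj
<< /Type /Annot /Subtype /Link /Rect [10 10 100 30] >>
endobj
2 0 obj
<< /Type /Annot /Subtype /FreeText /Rect [10 50 300 90] /Contents (overlay text) >>
endobj
3 0 obj
<< /Type /Annot /Rect [0 0 612 792] /AP << /N 4 0 R >> >>
endobj
"""

# The three annotation subtypes the EAA classification places in the dangerous category.
DANGEROUS_SUBTYPES = {"Redact", "FreeText", "Stamp"}

# Simplified parser: match "N G obj << ... >> endobj" bodies (the non-greedy dict
# match is anchored on the ">> endobj" that closes the outermost dictionary).
OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj\s*(<<.*?>>)\s*endobj", re.S)
TYPE_ANNOT_RE = re.compile(rb"/Type\s*/Annot\b")
SUBTYPE_RE = re.compile(rb"/Subtype\s*/([A-Za-z0-9]+)")

def scan_annotations(pdf_bytes):
    """Return [(object_number, subtype_or_None, verdict)] for every /Annot object.

    verdict is 'dangerous' for Redact/FreeText/Stamp, 'no-subtype' when the
    /Subtype key is absent (the bypass case), and 'ok' for any other subtype.
    """
    findings = []
    for m in OBJ_RE.finditer(pdf_bytes):
        obj_num, body = int(m.group(1)), m.group(3)
        if not TYPE_ANNOT_RE.search(body):
            continue
        st = SUBTYPE_RE.search(body)
        subtype = st.group(1).decode("ascii") if st else None
        if subtype is None:
            verdict = "no-subtype"
        elif subtype in DANGEROUS_SUBTYPES:
            verdict = "dangerous"
        else:
            verdict = "ok"
        findings.append((obj_num, subtype, verdict))
    return findings

if __name__ == "__main__":
    for obj_num, subtype, verdict in scan_annotations(SAMPLE_PDF):
        print(f"obj {obj_num}: /Subtype {subtype or '<missing>'} -> {verdict}")
```

A viewer or validation pipeline that treats 'dangerous' and 'no-subtype' findings as reasons to warn, rather than silently rendering the annotation, closes the gap the article describes.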

Sneaky Signature Attack (SSA)

SSA exploits the form-filling feature to place arbitrary content in the PDF. It works by adding a signature whose appearance overlays the document content; this applies to documents certified at level P2, which permits signing the document and filling out forms.

The danger level of SSA is lower, and the values used in these attacks are stored in the form fields. Once the attacker has created a self-signed certificate for the SSA, they are ready to carry out the attack.

According to the experts, if victims find a document suspicious after opening it, they simply reject it, even when its certification is legitimate.

Adobe's software also contains an additional vulnerability that allows attackers to execute JavaScript code in certified documents, posing the risk of code injection attacks.

In their analysis of all 26 PDF applications, the researchers found 15 of them vulnerable to EAA and SSA attacks.

Adobe Acrobat Reader (CVE-2021-28545 and CVE-2021-28546), Foxit Reader (CVE-2020-35931), and Nitro Pro are vulnerable to the EAA, while Soda PDF Desktop, PDF Architect, and six other applications are vulnerable to the SSA.

Adobe, Foxit, and LibreOffice have already patched the related vulnerabilities, and the researchers are working with the global standards organization on a new generation of the PDF specification that fixes the defects in the existing one.

We have previously reported on similar attacks that bypass signature validation in PDFs. Digitally signed PDFs are used in contracts and invoices to guarantee the authenticity and integrity of their content.


Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.
