Friday, December 1, 2023

Researchers Uncovered 2 New Hacking Method to Break the Certified PDF Docs

The cybersecurity researchers at the Ruhr University Bochum, Faculty of Electrical Engineering and Information Technology, Horst Görtz Institute for IT-Security have recently discovered two new exploits to break the Certified PDF documents.

By exploiting these two flaws a hacker can easily and secretly modify the content of documents with Certification Signatures.

In total, the security experts have analyzed 26 PDF applications, and among them, they have detected 24 applications vulnerable to these two security flaws.

Hacking Methods to Break the Certified PDF Docs

The analysts explained that there is two types of digital signatures are assigned in the PDF specification and here they are:-

  • One is “Approval Signatures,” which are used to prove the status of a specific document. As a document can have different signatures, but any changes to the document will cause the signature to be invalid.
  • While the other one is the “Certification Signatures,” and it provides a more flexible digital signature file. Although it can only have one certification signature, as it allows the file owner to list the document items that can be changed, such as filling in specific fields, commenting on the document, or adding a new approval seal.

This made researchers interlocked in the security of the certification seal and carried out a systematic analysis of the change function of the certified file. 

And in this point, they found that the specification contained two security vulnerabilities, and here they are mentioned below:- 

  • Evil Annotation Attack (EAA).
  • Sneaky Signature Attack (SSA).

Whether it is an EAA vulnerability or SSA vulnerability, it can change the presentation of the content in the certified document, while retaining the validity of the certification stamp, without incurring any warnings. 

Among the 26 PDF applications tested, there are 24 apps that contain at least one of these security flaws. 

In addition, the researchers also analyzed whether these 26 programs comply with the PDF specifications in allowing annotations and signatures, and found that 11 programs did not comply with the requirements.

User Interface (UI) Layers

  • UI-Layer 1: Top Bar Validation Status.
  • UI-Layer 2: Detailed Validation and Information.
  • UI-Layer 3: PDF Annotations.

Evil Annotation Attack (EAA)

In a certified document by exploiting the annotations EAA shows the arbitrary content. Apart from this, the EAA eradicates the probity of the certification, because the P3 certified document allows adding annotations.

The security analysts have categorized all the annotations as per their danger level and abilities in EAA. While in the danger section of annotations, the experts have detected a total of three annotations that are:- 

  • Redact
  • FreeText
  • Stamp

Apart from these, there are some annotations that are categorized as per their low or none ability, and these annotations are limited in numbers. However, in this attack, the threat actors present all legitimate documents that easily allow them for inserting and annotations, but all these documents contain malicious links and content.

Not only this the analysts have also detected a bypass, that the PDF viewers easily detect the annotations by their specified Subtype. And this Subtype was used by different viewers as an editing tool, if the value of Subtype is missing or if it is symbolizing as a set to an unspecified value then the PDF viewer is not capable to detect this annotation.

Sneaky Signature Attack (SSA)

The main motive of SSA is to exploit the form and features of arbitrary content in the PDF. It operates by including the overlaying signature of all the details of the annotation to a PDF document, and all documents are certified at the P2 level with the features of signing the documents and filling out the forms.

However, in SSA the level of danger is quite low, and all the value of these attacks was saved or stored in the fields. Once the attackers signed a self-signed certificate for SSA, then they are ready for the SSA attacks.

According to the experts, after opening the files, if the victims find any suspicious documents they simply refuse the document, though if the certification is legitimate.

On the other hand, Adobe also contains an additional vulnerability that allows hackers to execute JavaScript code in authenticated documents, posing the risk of code injection attacks.

During their analysis, the researchers have evaluated all the 26 PDF apps, and among them, 15 apps are vulnerable to EAA and SSA attacks.

Here the Adobe Acrobat Reader with CVE-2021-28545 and CVE-2021-28546, Foxit Reader with CVE-2020-35931, and Nitro Pro are vulnerable to EAA attack. While other apps like Soda PDF Desktop, PDF Architect, and six others are vulnerable to SSA attacks.

Apart from this, currently, Adobe, Foxit, and LibreOffice have already patched all the related vulnerabilities, and researchers are also working jointly with the global standards organization to develop a new generation of PDF specifications to fix the defects of existing specifications.

We have already reported earlier about similar attacks that bypassing the signature validation in PDF. Digitally signed PDFs are used in contracts and invoices to guarantee the authenticity and integrity of their content.

You can follow us on LinkedinTwitterFacebook for daily Cybersecurity and hacking news updates.


Latest articles

Hackers Using Weaponized Invoice to Deliver LUMMA Malware

Hackers use weaponized invoices to exploit trust in financial transactions, embedding malware or malicious...

US-Seized Crypto Currency Mixer Used by North Korean Lazarus Hackers

The U.S. Treasury Department sanctioned the famous cryptocurrency mixer Sinbad after it was claimed...

CISA Warns Hackers Exploiting Wastewater Systems Logic Controllers

In a disconcerting turn of events, cyber threat actors have set their sights on...

Zyxel Command Injection Flaws Let Attackers Run OS Commands

Three Command injection vulnerabilities have been discovered in Zyxel NAS (Network Attached Storage) products,...

North Korean Hackers Attacking macOS Using Weaponized Documents

Hackers often use weaponized documents to exploit vulnerabilities in software, which enables the execution...

Most Popular Websites Still Allow Users To Have Weak Passwords

The latest analysis shows that tens of millions of people are creating weak passwords...

Chrome Zero-Day Vulnerability That Exploited In The Wild

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles