The cybersecurity researchers at the Ruhr University Bochum, Faculty of Electrical Engineering and Information Technology, Horst Görtz Institute for IT-Security have recently discovered two new exploits to break the Certified PDF documents.
By exploiting these two flaws a hacker can easily and secretly modify the content of documents with Certiﬁcation Signatures.
In total, the security experts have analyzed 26 PDF applications, and among them, they have detected 24 applications vulnerable to these two security flaws.
Hacking Methods to Break the Certified PDF Docs
The analysts explained that there is two types of digital signatures are assigned in the PDF specification and here they are:-
- One is “Approval Signatures,” which are used to prove the status of a specific document. As a document can have different signatures, but any changes to the document will cause the signature to be invalid.
- While the other one is the “Certification Signatures,” and it provides a more flexible digital signature file. Although it can only have one certification signature, as it allows the file owner to list the document items that can be changed, such as filling in specific fields, commenting on the document, or adding a new approval seal.
This made researchers interlocked in the security of the certification seal and carried out a systematic analysis of the change function of the certified file.
And in this point, they found that the specification contained two security vulnerabilities, and here they are mentioned below:-
- Evil Annotation Attack (EAA).
- Sneaky Signature Attack (SSA).
Whether it is an EAA vulnerability or SSA vulnerability, it can change the presentation of the content in the certified document, while retaining the validity of the certification stamp, without incurring any warnings.
Among the 26 PDF applications tested, there are 24 apps that contain at least one of these security flaws.
In addition, the researchers also analyzed whether these 26 programs comply with the PDF specifications in allowing annotations and signatures, and found that 11 programs did not comply with the requirements.
User Interface (UI) Layers
- UI-Layer 1: Top Bar Validation Status.
- UI-Layer 2: Detailed Validation and Information.
- UI-Layer 3: PDF Annotations.
Evil Annotation Attack (EAA)
In a certified document by exploiting the annotations EAA shows the arbitrary content. Apart from this, the EAA eradicates the probity of the certification, because the P3 certified document allows adding annotations.
The security analysts have categorized all the annotations as per their danger level and abilities in EAA. While in the danger section of annotations, the experts have detected a total of three annotations that are:-
Apart from these, there are some annotations that are categorized as per their low or none ability, and these annotations are limited in numbers. However, in this attack, the threat actors present all legitimate documents that easily allow them for inserting and annotations, but all these documents contain malicious links and content.
Not only this the analysts have also detected a bypass, that the PDF viewers easily detect the annotations by their specified Subtype. And this Subtype was used by different viewers as an editing tool, if the value of Subtype is missing or if it is symbolizing as a set to an unspecified value then the PDF viewer is not capable to detect this annotation.
Sneaky Signature Attack (SSA)
The main motive of SSA is to exploit the form and features of arbitrary content in the PDF. It operates by including the overlaying signature of all the details of the annotation to a PDF document, and all documents are certified at the P2 level with the features of signing the documents and filling out the forms.
However, in SSA the level of danger is quite low, and all the value of these attacks was saved or stored in the fields. Once the attackers signed a self-signed certificate for SSA, then they are ready for the SSA attacks.
According to the experts, after opening the files, if the victims find any suspicious documents they simply refuse the document, though if the certification is legitimate.
During their analysis, the researchers have evaluated all the 26 PDF apps, and among them, 15 apps are vulnerable to EAA and SSA attacks.
Here the Adobe Acrobat Reader with CVE-2021-28545 and CVE-2021-28546, Foxit Reader with CVE-2020-35931, and Nitro Pro are vulnerable to EAA attack. While other apps like Soda PDF Desktop, PDF Architect, and six others are vulnerable to SSA attacks.
Apart from this, currently, Adobe, Foxit, and LibreOffice have already patched all the related vulnerabilities, and researchers are also working jointly with the global standards organization to develop a new generation of PDF specifications to fix the defects of existing specifications.
We have already reported earlier about similar attacks that bypassing the signature validation in PDF. Digitally signed PDFs are used in contracts and invoices to guarantee the authenticity and integrity of their content.