The cybersecurity researchers at the Ruhr University Bochum, Faculty of Electrical Engineering and Information Technology, Horst Görtz Institute for IT-Security have recently discovered two new exploits to break the Certified PDF documents.
By exploiting these two flaws a hacker can easily and secretly modify the content of documents with Certification Signatures.
In total, the security experts have analyzed 26 PDF applications, and among them, they have detected 24 applications vulnerable to these two security flaws.
The analysts explained that there is two types of digital signatures are assigned in the PDF specification and here they are:-
This made researchers interlocked in the security of the certification seal and carried out a systematic analysis of the change function of the certified file.
And in this point, they found that the specification contained two security vulnerabilities, and here they are mentioned below:-
Whether it is an EAA vulnerability or SSA vulnerability, it can change the presentation of the content in the certified document, while retaining the validity of the certification stamp, without incurring any warnings.
Among the 26 PDF applications tested, there are 24 apps that contain at least one of these security flaws.
In addition, the researchers also analyzed whether these 26 programs comply with the PDF specifications in allowing annotations and signatures, and found that 11 programs did not comply with the requirements.
In a certified document by exploiting the annotations EAA shows the arbitrary content. Apart from this, the EAA eradicates the probity of the certification, because the P3 certified document allows adding annotations.
The security analysts have categorized all the annotations as per their danger level and abilities in EAA. While in the danger section of annotations, the experts have detected a total of three annotations that are:-
Apart from these, there are some annotations that are categorized as per their low or none ability, and these annotations are limited in numbers. However, in this attack, the threat actors present all legitimate documents that easily allow them for inserting and annotations, but all these documents contain malicious links and content.
Not only this the analysts have also detected a bypass, that the PDF viewers easily detect the annotations by their specified Subtype. And this Subtype was used by different viewers as an editing tool, if the value of Subtype is missing or if it is symbolizing as a set to an unspecified value then the PDF viewer is not capable to detect this annotation.
The main motive of SSA is to exploit the form and features of arbitrary content in the PDF. It operates by including the overlaying signature of all the details of the annotation to a PDF document, and all documents are certified at the P2 level with the features of signing the documents and filling out the forms.
However, in SSA the level of danger is quite low, and all the value of these attacks was saved or stored in the fields. Once the attackers signed a self-signed certificate for SSA, then they are ready for the SSA attacks.
According to the experts, after opening the files, if the victims find any suspicious documents they simply refuse the document, though if the certification is legitimate.
On the other hand, Adobe also contains an additional vulnerability that allows hackers to execute JavaScript code in authenticated documents, posing the risk of code injection attacks.
During their analysis, the researchers have evaluated all the 26 PDF apps, and among them, 15 apps are vulnerable to EAA and SSA attacks.
Here the Adobe Acrobat Reader with CVE-2021-28545 and CVE-2021-28546, Foxit Reader with CVE-2020-35931, and Nitro Pro are vulnerable to EAA attack. While other apps like Soda PDF Desktop, PDF Architect, and six others are vulnerable to SSA attacks.
Apart from this, currently, Adobe, Foxit, and LibreOffice have already patched all the related vulnerabilities, and researchers are also working jointly with the global standards organization to develop a new generation of PDF specifications to fix the defects of existing specifications.
We have already reported earlier about similar attacks that bypassing the signature validation in PDF. Digitally signed PDFs are used in contracts and invoices to guarantee the authenticity and integrity of their content.
You can follow us on Linkedin, Twitter, Facebook for daily Cybersecurity and hacking news updates.
A major dark web operation dedicated to circumventing KYC (Know Your Customer) procedures, which involves…
Adobe has issued a critical security update for ColdFusion versions 2023 and 2021 to address…
Two malicious Python packages, Zebo-0.1.0 and Cometlogger-0.1, were recently detected by Fortinet's AI-driven OSS malware…
A Brazilian man, Junior Barros De Oliveira, has been charged with multiple counts of cybercrime…
McDonald's India (West & South) / Hardcastle Restaurants Pvt. Ltd. operates a custom McDelivery web…
Cryptocurrency hacking incidents in 2024 surged 21.07% YoY to $2.2 billion, with 303 breaches reported,…