[Security Information] Researchers have discovered a new type of "shadow attack": it can hide, replace and tamper with PDF content

  • Author | yannichen
  • Source | FreeBuf
  • Release time | 2021-02-24


According to a report from The Hacker News on February 23, researchers have recently demonstrated a new type of attack on PDF documents. An attacker can hide, tamper with or replace the content of a document while its digital signature remains valid. Typical uses include replacing the payee of a payment order or changing the terms of a contract.

Scholars at Ruhr University Bochum in Germany call this technique a "shadow attack". Its core principle is the concept of "view layers": different sets of overlapping content within a single PDF document. The attack uses "PDF's flexible technical specifications to make shadow files run within the scope of standard compliance."

The results of the research were published at the Network and Distributed System Security Symposium (NDSS) on February 22. Of the 29 PDF readers tested, 16 are vulnerable to shadow attacks, including Adobe Acrobat, Foxit Reader, Perfect PDF and Okular.

The research team stated that there are three variants of the shadow attack:

  • Hide: The attacker uses the incremental update feature of the PDF specification to hide a layer of content.
  • Replace: The attacker uses the "interactive form" feature of the PDF specification to replace the original content with modified content.
  • Hide and replace: The attacker replaces the entire document with a second PDF document embedded in the original.


In the attack, the attacker creates a PDF document with two different sets of content: one that the signer expects to see, and a hidden one that is revealed only after the document has been signed.

"After receiving the document, the signer of the PDF performs a regular review and signs it," the researchers explained. "The attacker obtains the signed document, slightly tampers with it and sends it to the victim. After receiving the document, the victim checks the digital signature. It verifies successfully, but what the victim sees is the tampered content."

In the analog world, this attack is equivalent to deliberately leaving a blank space in a paper document for the relevant parties to sign, into which the attacker can later insert any content.

The research team added that hide and replace is the most harmful variant because it can replace the content of the entire document: "An attacker can create a complete shadow document, affecting the presentation of each page, and even the total number of pages and the display of each content contained in it."

The key to the attack is to use native PDF features that do not invalidate the signature: the "incremental update" feature, which allows a PDF to be modified (for example, by filling in a form), and the "interactive form" feature (text fields, radio buttons and so on). With these, malicious content can be hidden behind a seemingly harmless covering object, or the original content can be replaced outright after signing.

Simply put, the idea is to create a form that displays the same content before and after signing, but that, once tampered with by the attacker, displays a completely different set of content.

To test the attack, the researchers released two new open-source tools, PDF-Attacker and PDF-Detector, which can be used to generate shadow documents and to detect tampering both before signing and after modification.
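As an added example (not the researchers' PDF-Detector and not code from the original article), here is a simplified check for the incremental-update mechanism described above: a signature's /ByteRange states exactly which bytes were signed, so any incremental update appended after that range is content the signer never saw. The sample "PDF" is a constructed stand-in that only reproduces the structures the check inspects; `build_signed_sample` and `INCREMENTAL_UPDATE` are assumptions of this example.

```python
import re
from typing import Optional

# Matches the four integers of a signature's /ByteRange array.
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def signed_length(pdf: bytes) -> Optional[int]:
    """Return how many leading bytes the last signature covers, or None if unsigned.

    A signature covers [off1, off1+len1) and [off2, off2+len2); the gap holds the
    /Contents hex string. Anything past off2+len2 was appended after signing.
    """
    found = BYTERANGE_RE.findall(pdf)
    if not found:
        return None
    off1, len1, off2, len2 = (int(x) for x in found[-1])
    if off1 != 0 or off2 < off1 + len1:
        raise ValueError("unexpected ByteRange layout")
    return off2 + len2

def check_pdf(pdf: bytes) -> str:
    """Classify: 'unsigned', 'clean', 'trailing-bytes' or 'modified-after-signing'."""
    end = signed_length(pdf)
    if end is None:
        return "unsigned"
    tail = pdf[end:].strip()
    if not tail:
        return "clean"
    # An incremental update appends objects, an xref section (or xref stream) and a
    # new trailer ending in %%EOF without touching the signed bytes: the construct
    # the hide and hide-and-replace variants rely on.
    if (b"xref" in tail or b"/XRef" in tail) and b"%%EOF" in tail:
        return "modified-after-signing"
    return "trailing-bytes"

def build_signed_sample(extra: bytes = b"") -> bytes:
    """Constructed stand-in for a signed PDF (not a valid document): the ByteRange is
    computed to cover everything except the /Contents placeholder, as a signer does."""
    contents = b"<" + b"00" * 8 + b">"
    head = b"%PDF-1.7\n1 0 obj << /Type /Sig /Contents "
    tail_tpl = b" /ByteRange [%010d %010d %010d %010d] >> endobj\ntrailer << /Size 2 >>\n%%%%EOF\n"
    len2 = len(tail_tpl % (0, 0, 0, 0))  # fixed-width fields keep this constant
    off2 = len(head) + len(contents)
    tail = tail_tpl % (0, len(head), off2, len2)
    return head + contents + tail + extra

# Constructed incremental update of the kind appended after signing.
INCREMENTAL_UPDATE = b"2 0 obj << /Type /Annot >> endobj\nxref\n0 3\ntrailer << /Size 3 /Prev 9 >>\n%%EOF\n"
```

A real detector must also parse the update itself, since a benign incremental update (such as a second signature) looks the same to this byte-level check; the check is a fast triage step, not a verdict.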

The vulnerabilities exploited by this shadow attack are tracked as CVE-2020-9592 and CVE-2020-9596. Adobe addressed the threat in an update released on May 12, 2020, but as of December 17, 2020, 11 of the 29 PDF readers tested remained unpatched.


According to reports, the shadow attack builds on a similar threat devised by researchers in February 2019. At that time, researchers found that a document could be modified while its signature remained valid, making it possible to forge PDF documents.

Although vendors have since taken security measures to fix that problem, the new research extends the attack model to test whether an attacker can modify the visible content of a document while its signature remains valid.

This is not the first time PDF security issues have drawn attention. Researchers have previously demonstrated a method of extracting the contents of password-protected PDF documents by abusing parts of the encryption features supported by the PDF specification: once the user opens the document, its content can be remotely exfiltrated.

In addition, last month researchers discovered another set of 11 vulnerabilities (CVE-2020-28352 to CVE-2020-28359 and CVE-2020-28410 to CVE-2020-28412) affecting the PDF standard. These vulnerabilities may lead to denial of service, information leakage, data manipulation and even arbitrary code execution.

Origin blog.csdn.net/YiAnSociety/article/details/114132494