One of the key ways academics and researchers prevent cyberattacks is by finding flaws and vulnerabilities in software packages before hackers can. The Spectre and Meltdown vulnerabilities were found in this way and prompted major tech giants to find solutions before irreparable damage could be done. A team of academics from the Ruhr-University Bochum in Germany published a paper detailing how fifteen out of 27 desktop PDF viewers are susceptible to a new kind of attack, dubbed “Shadow Attack” by the team. The academics involved in the research and subsequent publishing of the research paper have already made quite a name for themselves uncovering other flaws that impact the widely used PDF file format.
Sifting through academic papers can be tedious work, overly formal language and jargon make it a trying endeavor even for professionals. That being said the report succinctly summed up the need and findings of the academic’s research in the opening paragraph, stating,
“Digitally signed PDFs are used in contracts, bills, and agreements to guarantee the authenticity and integrity of their content. A typical user would assume that digitally signed PDF files are final and cannot be further modified. However, various changes like adding annotations to a signed PDF or filling out form fields are allowed and do not invalidate PDF signatures.
In this report, we show that this flexibility allows attackers to completely change a document’s content while keeping the original signature validation status untouched. Our attacks work in a novel attacker model, which allows attackers hiding content in a PDF. After signing this PDF by a benign entity, the attackers reveal the hidden content by using permitted manipulations.”
At the risk of oversimplifying the academics’ work, a “Shadow Attack” involves the attacker maliciously abusing the PDF functionality to add layers, referred to as “view layers”, to a document for the purposes of committing cybercrime.
The academics showed that an attacker using the method uncovered by the team could prepare a document with a number of layers that could present a malicious layer over a benign one. The receiver of the document could sign what they believe to be an authentic document and sign the benign layer. Once the attacker receives the document back they can remove the signed layer and attach it to other layers that serve the attacker's intent. This works because changing the layer's visibility doesn't break the cryptographic signature and allows the attacker to use the legally-binding document for nefarious actions. For example, the attacker could perceivably replace the payment recipient or sum in a PDF payment order or alter contract clauses.
The research team discovered that this attack method can be used in three separate ways which include:
- Hide: when attackers use the PDF standard's Incremental Update feature to hide a layer, without replacing it with anything else.
- Replace: when attackers use the PDF standard's Interactive Forms feature to replace the original content with a modified value.
- Hide-and-Replace: when attackers use a second PDF document contained in the original document to replace it altogether.
Hide and Replace
According to the academics, the hide and replace attack method is potentially the most powerful of the three as it can enable the attacker to change any and all the content that makes up a document. This allows the attacker to build a complete shadow document to be used as they wish. The researchers go into greater detail describing how this is done, stating,
“In this attack variant, the attackers create a shadow PDF document, which is sent to the signers. The PDF document contains a hidden description of another document with different content. Since the signers cannot detect the hidden (malicious) content, they sign the document. After signing, the attackers receive the document and append-only a new Xref table table and Trailer. Within the Xref table table, only one change takes place - the reference to the document /Catalog (or any other hidden object) which now points to the shadow document.”
The attack method is not foolproof and does come with a major disadvantage. Many PDF viewers will remove unused objects within the document as a matter of course meaning that the shadow elements crafted by the attacker could be removed. This would effectively render the attack fairly useless. The academics also suggested that a security scanner could detect these unused objects and issue a warning. The bad news is that currently none of the disadvantages could occur in the wild.
The academics did share their findings with the CERT-Bund (Computer Emergency Response Team of Germany) and have been in contact with the companies whose PDF viewers are susceptible to a Shadow Attack. The research led to the logging of two separate vulnerabilities, CVE-2020-9592 and CVE-2020-9596. Patches to these vulnerabilities have been made available to the public and network administrators are advised to ensure the latest patches have been applied. For the purposes of identity theft and other types of fraud by being able to abuse digital signatures on a file format widely used and perceived to be secure the attack method discovered by the academics can be a major ally in an attacker's toolset.
Other PDF Signature Attacks
As mentioned above the academic team has developed quite a reputation for discovering security loopholes in PDF digital signatures. In February 2019, the team published a paper detailing how they developed a method which broke the digital signing mechanism on 21 of 22 desktop PDF viewer apps and five of seven online PDF digital signing services to create documents with fake signatures. This attack method relies on breaking or tampering with the digital signature, while a Shadow Attack does not. In the paper, several methods to tamper with signatures were presented. The attack methods include:
- Universal Signature Forgery (USF) - vulnerability lets attackers trick the signature verification process into showing users a fake panel/message that the signature is valid.
- Incremental Saving Attack (ISA) - vulnerability lets attackers add extra content to an already signed PDF document via the "incremental saving (incremental update)" mechanism, but without breaking the already-existing signature.
- Signature Wrapping (SWA) - vulnerability is similar to ISA, but the malicious code also contains extra logic to fool the signature validation process into "wrapping" around the attacker's extra content, effectively digitally signing the incremental update.
What the methods have in common is in what would constitute a successful attack. The academics defined a successful attack as,
“An attack is considered successful if the manipulated content is displayed by the viewer application and no warnings or errors regarding a detected modification of the
document after the signature was applied are displayed. The success of an attack can be classified depending on two UI-Layers we defined:
UI-Layer 1 represents the first UI information regarding the signature validation displayed to the user after opening the PDF.
UI-Layer 2 represents the information accessible through different GUI options available in the viewer. This includes both clicking on visible signature appearances and opening signature panels or explicitly executing certain program functionalities like “validating all signatures”. If the information presented on the UI-Layer 2 states that the signature is invalid or the document has been modified after the application of the signature the attack can still be classified as successful for UI-Layer 1.”
Uncovering the various methods a PDF signature can be manipulated is important, in that many businesses rely on the protections the file format offers so that business can be conducted in many cases. The integrity of digital signatures then is vitally important to the levels of trust needed to conduct business between parties. While the methods mentioned above require the attacker to have an in-depth knowledge of the file format as well as be able to manipulate code associated with it, it is indeed possible as shown by the academics, that a trusted application can be manipulated. In the past hackers have relied upon other methods to steal information and distribute malware via the file format. Such research plays a pivotal role in defending the public at large but this does require action to be taken. Action in this case is as simple as always insuring your PDF viewer is kept up to date.