In recent years, we have presented "How to Spoof PDF Signatures" and "Shadow Attacks: Hiding and Replacing Content in Signed PDFs", which describe attacks on PDF signatures under various attack scenarios. The attacks focused on so-called approval signatures. However, in addition to signing PDFs, the PDF specification also defines the certification of documents, also known as certification signatures.
To close this research gap, we performed an extensive analysis of the security of PDF certification. In doing so, we developed the Evil Annotation Attack (EAA), as well as the Sneaky Signature Attack (SSA). The attack idea exploits the flexibility of PDF certification, which allows signing or adding annotations to certified documents under different permission levels. Our practical evaluation shows that an attacker could change the visible content in 15 of 26 viewer applications by using EAA and in 8 applications by using SSA, in both cases with exploits that comply with the PDF specification. We improved the stealthiness of both attacks by using implementation issues in the applications and found only two applications secure against all attacks.
PDF Structure and Basics
The PDF specification additionally defines interactive elements that allow user input into the document. Such elements are separated into two categories: forms and annotations.
Forms. PDF forms allow user input in a predefined mask, such as a text field, a radio button, or a selection box. Facilities, such as the administration, usually use forms to create PDF documents with predefined areas which are intended to be filled out by users. The user input is, however, limited to the defined form fields and cannot change other content within the PDF.
Annotations. Annotations introduce a different method of user input by allowing a user to put remarks in a PDF document, such as text highlighting, strikeouts, or sticky notes. Annotations are not limited to predefined places within the PDF and can be applied anywhere within the document.
An Incremental Update makes it possible to extend a PDF by appending new information at the end of the file, see Inc. Update 1 in the figure above. In this way, the original document stays unmodified and a revision history of all document changes is kept. Each Incremental Update defines new objects, a new xref table, and a new trailer. Examples of an Incremental Update are the inclusion of a certification, signature, or annotation, or the filling out of forms within a PDF.
UI-Layer 1: Top Bar Validation Status. UI-Layer 1 is usually displayed immediately after opening. Typical applications use a clearly visible bar on top of the PDF content. The status of the certification and signature validation is provided as text (e.g., valid/invalid), often combined with green, blue or red background colors, cf. figures in EAA and SSA sections.
Difference between Signed and Certified Documents
By signing a PDF document, a Signature object is created. This object contains the trusted public keys to verify the document, the signature value, the range of bytes that are protected by the signature, and user-friendly information regarding the signer of the document. The Signature object is usually added to the PDF document by using an Incremental Update.
Certified Documents
P3: In addition to P2, annotations are also allowed.
Evil Annotation Attack (EAA)
Evaluating Permission P3. According to the specification, the following changes in a certified document with P3 are allowed: 1) adding/removing/modifying annotations, 2) filling out forms, and 3) signing the document. We started with an in-depth analysis of all annotations and their features. We evaluated 28 different annotations and classified these with respect to their capabilities and danger level. The results are depicted in the Table on the right side and will be further explained.
Danger Level of Annotations. We identified three annotations with danger level high, which are capable of hiding and adding text and images: FreeText, Redact, and Stamp. All three can be used to stealthily modify a certified document and inject malicious content. In addition, 11 out of 28 annotations are classified as medium since an attacker can hide content within the certified document. The danger level of the remaining annotations is classified as low or none since such annotations are either quite limited or not allowed in certified documents.
Attacking with Annotations. According to our attacker model, the attacker possesses a validly certified document allowing the insertion of annotations. To execute the attack, the attacker modifies a certified document by including the annotation with the malicious content at a position of the attacker's choice. Then, the attacker sends the modified file to the victim, who verifies the digital signature. The victim could detect the attack by manually opening UI-Layer 3 or clicking on the annotation. However, none of the tested PDF applications opened UI-Layer 3 automatically. Additionally, the attacker can lock an annotation to disable clicking on it.
Improving the stealthiness of EAA
Special Modifications
Sneaky Signature Attack (SSA)
The idea of the Sneaky Signature Attack (SSA) is to manipulate the appearance of arbitrary content within the PDF by adding overlaying signature elements to a PDF document that is certified at level P2.
Evaluating Permission P2. According to the specification, the following changes in a certified document with P2 are allowed: filling out forms and signing the document. We started with the analysis of forms, as depicted in the table on the right side, and evaluated their capabilities.
Danger Level of Forms. According to our analysis, the danger level was none because the insertion of new form elements, customizing the font size and appearance, and removing form elements is prohibited. The only permitted change is to the value stored in the field. Thus, an attacker is not able to create forms which hide arbitrary content within the PDF document. Surprisingly, these restrictions do not apply to the signature field. By inserting a signature field, the signer can define the exact position of the field, and additionally its appearance and content. This flexibility is necessary since each new signature could contain the signer's information. The information can be a graphic, a text, or a combination of both. Nevertheless, the attacker can misuse the flexibility to stealthily manipulate the document and insert new content.
Attacking with Forms: SSA. The attacker modifies a certified document by including a signature field with the malicious content at a position of the attacker's choice. The attacker then needs to sign the document, but he does not need to possess a trusted key. A self-signed certificate for SSA is sufficient. The only restriction is that the attacker needs to sign the document to insert the malicious signature field. This signing information can be seen by opening the PDF document and showing detailed information of the signature validation. In this case, the victim opening the file can get suspicious and refuse to accept the document, even though the certification is valid.
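Added example (not from the original post or the authors' tooling): a triage check covering both EAA and SSA that splits a file into revisions at each `%%EOF` and lists high-danger annotations and signature fields appended after the certifying revision. It assumes uncompressed objects and that the certifying revision is the first one referencing `/DocMDP`, the PDF specification's name for the certification transform; `SAMPLE` is a constructed skeleton, not a valid PDF.

```python
import re

# Annotation subtypes the post rates as high danger (can hide and add content).
HIGH_DANGER = {b"FreeText", b"Redact", b"Stamp"}

# Constructed skeleton (not a valid PDF): certification, then two Incremental Updates.
SAMPLE = (
    b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Perms << /DocMDP 5 0 R >> >>\nendobj\n"
    b"5 0 obj\n<< /Type /Sig /Reference [ << /TransformMethod /DocMDP >> ] >>\n"
    b"endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"9 0 obj\n<< /Type /Annot /Subtype /FreeText /Rect [50 700 300 720] >>\n"
    b"endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    b"12 0 obj\n<< /Type /Annot /Subtype /Widget /FT /Sig /Rect [50 600 300 650] >>\n"
    b"endobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
)

def split_revisions(pdf: bytes):
    """Split at %%EOF: the original body and each Incremental Update end with it."""
    revs, start = [], 0
    for m in re.finditer(rb"%%EOF\r?\n?", pdf):
        revs.append(pdf[start:m.end()])
        start = m.end()
    return revs

def audit_certified_pdf(pdf: bytes):
    """Return (revision, object number, attack class, type) for post-certification objects."""
    revs = split_revisions(pdf)
    # Assumption: the first revision that references /DocMDP is the certification.
    cert = next((i for i, r in enumerate(revs) if b"/DocMDP" in r), None)
    if cert is None:
        return []  # not certified, nothing to compare against
    findings = []
    for n, rev in enumerate(revs[cert + 1:], start=cert + 1):
        for obj in re.finditer(rb"(\d+) (\d+) obj(.*?)endobj", rev, re.S):
            num, body = int(obj.group(1)), obj.group(3)
            sub = re.search(rb"/Subtype\s*/(\w+)", body)
            if sub and sub.group(1) in HIGH_DANGER:
                findings.append((n, num, "EAA", sub.group(1).decode()))
            if re.search(rb"/FT\s*/Sig\b", body):
                # Signature fields carry their own position and appearance (SSA).
                findings.append((n, num, "SSA", "Sig"))
    return findings

if __name__ == "__main__":
    for finding in audit_certified_pdf(SAMPLE):
        print(finding)
```

A hit is a prompt to inspect that revision, not proof of tampering: both changes are permitted by the specification at the respective permission level, which is why viewers still report the certification as valid.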
Improving the stealthiness of SSA
Evaluation
Authors of this Post
Vladislav Mladenov
Christian Mainka
Jörg Schwenk
Acknowledgments