![]() A PDF document can be updated or annotated without losing previous revisions and defines specific actions, for example, to display a specific page once the viewer opens the document. The PDF standard supports numerous advanced features, ranging from cryptography to calculation logic, 3D animations, JavaScript, up to form fields. (4) Code execution on the victim’s machine. (3) Data manipulation on the victim’s system. (2) Information disclosure attacks leaking personal data out of the victim’s computer. These dangerous paths lead to attacks that we categorize into four generic classes: (1) Denial-of-Service attacks affecting the host that processes the document. Instead of focusing on implementation bugs, we abuse legitimate features of the PDF standard itself by systematically identifying dangerous paths in the PDF file structure. This time, we perform an in-depth analysis of the capabilities of malicious PDF documents. It is common to open PDF files from potentially untrusted sources such as email attachments or downloaded from the Internet. Technical Details Insecure Features in PDFs (January 2021) Alternatively, you can use the provided Exploits to test your application. If you use another Reader, you should contact the support team for your application. We are the first to reveal that this behavior allows attackers to directly embed malicious code into a certified document. Our research reveals that such code is also executed if it is added as an allowed incremental update. For example, a high-level JavaScript can call an arbitrary URL without user confirmation to deanonymize a user. The detailed results of our study can be found in the Evaluation and in our Paper (S&P'21).Ĭode Injection Attack on Adobe: Only certified documents may execute high privileged JavaScript code in Adobe products. We show that for 11 of 26 applications, a permission mismatch exists. Additionally, we analyzed 26 applications to determine whether the permissions for adding annotations and signatures, as defined in the PDF specification, were implemented correctly. ![]() We evaluated 26 PDF applications and were able to break the security of certified documents in 24 of them. Nevertheless, the certification remains valid and the application shows no warnings. These vulnerabilities allow an attacker to change the visible content of a PDF document by displaying malicious content over the certified content. To answer this question we systematically analyze the allowed modifications in certified documents and reveal two new vulnerabilities abusing flaws in the PDF specification: Evil Annotation Attack (EAA) and Sneaky Signature Attack (SSA). We investigate the following question: How dangerous are permitted changes in certified documents?. Hereafter, we use the terms certification and certified document for certification signatures. This certification signature must also be the first signature in the PDF. Since a certification signature sets permissions on the entire document, only one certification signature is allowed within a PDF document. ![]() These allowed modifications can be a subset of the following actions: writing text to specific form fields (even without signing the document), providing annotations to the document, or adding approval signatures. During the document’s certification, the owner defines a list of allowed modifications that do not invalidate the document’s certification signature. Hereafter, we use the terms signature and signed document for approval signatures.Ĭertification signatures provide a more powerful and flexible mechanism to handle digitally signed documents. Any other change on a signed document leads to an invalidation of the approval signature or warnings in most PDF viewers. The specification allows the usage of multiple signatures on the same document. The PDF specification defines two types of digital signatures:Īpproval signatures testify a specific document state.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |