Researchers Show How Digitally Signed PDFs Can Be Manipulated
Attackers Could Use Tactic to Insert Malicious Content
Hackers could manipulate certain digitally signed PDF documents to add malicious content, according to a study by researchers at Germany's Ruhr University of Bochum. The researchers found 16 PDF apps vulnerable to such attacks.
"The central concept of shadow attacks is that the attackers prepare a PDF document by injecting invisible content – shadow content," the report notes. "Despite the integrity protection provided by the digital signature, the attackers can modify the signed shadow document and change the shadow content’s visibility. Nevertheless, the manipulation is not detected, and the digital signature remains valid."
As a result, attackers could use the shadow document to add, remove or replace the content in digitally signed PDFs before validation of the signature. This can apply to contracts, invoices and other documents using secure signatures. Recipients of the altered documents see different content than the person who signed it.
The researchers who tested the technique found that 16 of 29 PDF apps were vulnerable to shadow attacks. These included Adobe Acrobat, Foxit Reader, Perfect PDF and Okular.
The researchers provided a detailed vulnerability report to Germany's CERT-Bund. "Some of the vendors contacted us regarding a re-test of their countermeasures, which we also provided," the researchers say.
Tests by the university researchers determined that after an attacker injected shadow document details before a PDF was signed, they could:
- Hide content: The attackers could overlay images or form fields to hide the content.
- Replace content: Attackers could change the document's visible content by adding malicious content before the PDF is signed instead of modifying the PDF after the signature has been applied.
- Hide and replace content: Because the PDF signers cannot detect the hidden content, the attackers could send a shadow PDF with a hidden description of another document within the invisible document. After signing, the attacker could append the document with the hidden content.
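A defender-side check for the post-signing change described above, as an added example that is not code from the researchers' report: it flags a PDF in which bytes follow the range covered by its signature. It assumes the standard /ByteRange entry of a PDF signature dictionary; the function names and the sample bytes are constructed for illustration.

```python
import re

# /ByteRange [o1 l1 o2 l2]: the signature covers bytes [o1, o1+l1) and
# [o2, o2+l2); the gap between them holds the signature value itself.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def unsigned_trailing_bytes(pdf: bytes) -> list[int]:
    """For each signature found, count the bytes that follow its signed range."""
    counts = []
    for match in BYTE_RANGE.finditer(pdf):
        o1, l1, o2, l2 = (int(g) for g in match.groups())
        signed_end = o2 + l2
        if o1 != 0 or l1 > o2 or signed_end > len(pdf):
            raise ValueError(f"malformed ByteRange at offset {match.start()}")
        counts.append(len(pdf) - signed_end)
    return counts


def has_post_signature_update(pdf: bytes) -> bool:
    """True when even the widest signature stops short of the end of the file."""
    counts = unsigned_trailing_bytes(pdf)
    if not counts:
        raise ValueError("no signature ByteRange found")
    return min(counts) > 0


def make_signed_sample() -> bytes:
    """Constructed stand-in for a signed revision (not a renderable PDF)."""
    template = "%PDF-1.7\n1 0 obj << /Type /Sig /ByteRange [0 {:06d} {:06d} {:06d}] /Contents "
    sig = b"<" + b"00" * 16 + b">"  # placeholder where the signature blob sits
    tail = b" >> endobj\n%%EOF\n"
    l1 = len(template.format(0, 0, 0))  # fixed-width fields keep offsets stable
    head = template.format(l1, l1 + len(sig), len(tail)).encode("ascii")
    return head + sig + tail


if __name__ == "__main__":
    signed = make_signed_sample()
    # Constructed bytes appended after signing, as an incremental update would be.
    updated = signed + b"2 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
    for name, data in (("signed", signed), ("updated", updated)):
        print(name, unsigned_trailing_bytes(data), has_post_signature_update(data))
```

Bytes after the signed range are a signal for review rather than proof of tampering, since later signatures and form fills are also written as appended updates.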
The report notes the shadow attack in Adobe Reader resulted in researchers achieving privilege escalation on Adobe products that allowed them to perform highly privileged actions on victims’ computers.
This month, Adobe released patches for several other critical vulnerabilities in Adobe Reader and other critical bugs in Adobe Acrobat, Magento, Photoshop, Animate, Illustrator and Dreamweaver.
In November, the company released patches for 14 vulnerabilities in Adobe Acrobat and Reader for Windows and macOS which, when exploited, could lead to remote code execution.