
Shadow attacks allow replacing content in signed PDF files

Boffins from the Ruhr University Bochum (Germany) have disclosed a series of new attack methods, dubbed Shadow attacks, against signed PDF files.

Security researchers from the Ruhr University Bochum (Germany) have devised a series of new attack techniques, dubbed Shadow attacks, against signed PDF files.

In February 2019, the same team of experts found several flaws in popular PDF viewers and online validation services that allowed the digital signature validation process to be deceived.

Shadow attacks can allow an attacker to manipulate the content of a signed PDF document keeping its signature valid. The attacker can create a document with two different contents:

  • the content expected by the authority reviewing and signing the PDF;
  • the hidden content that will be displayed once the PDF document has been signed.

“The Signers of the PDF receive the document, review it, and sign it. The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the Signers,” wrote the researchers.

The researchers devised three different variants of the Shadow Attacks, which allow them to Hide, Replace, and Hide-and-Replace content in digitally signed PDFs.

The experts tested their attacks against 28 PDF viewer applications and discovered that 15 of them were vulnerable to at least one of the attacks. The list of vulnerable viewers includes Adobe, Foxit, and LibreOffice.

The software firms behind these three applications have already released security fixes to prevent Shadow attacks; unfortunately, many other companies behind impacted apps did not respond to the researchers.

The vulnerabilities exploited by the researchers in the Shadow attacks are tracked as CVE-2020-9592 and CVE-2020-9596.

The “Hide” variant of the Shadow Attacks consists of hiding a portion of the content in a PDF behind another layer, such as a full-page image. The attacker sends the signer a document that contains an image placed on top of the content to hide. Once the document has been signed and sent back to the attacker, they can manipulate it so that the PDF viewer no longer displays the image.

In the “Replace” attack, the attacker appends an object to a signed document; the object is considered harmless, yet it changes the way the signed content is presented.

“The main idea of the *Replace* variant is to append new objects to the signed document which are considered harmless but directly influence the presentation of the signed content,” the experts continue.

“For instance, the (re)definition of fonts does not change the content directly. However, it influences the view of the displayed content and makes number or character swapping possible.”

The last attack, the “Hide-and-Replace” variant, allows an attacker to change the entire content of a signed document. The attacker inserts both hidden and visible content into the document using two objects that have the same object ID, and sends it to the signer. Once the attacker receives the signed document, they will append a new Xref table and a new Trailer so that the hidden content is displayed.

“In the Hide-and-Replace attack variant, the PDF document contains a second, hidden document with different content. Since the signers cannot detect the hidden (malicious) content, they sign the document. After signing, the attackers receive the document and append only a new Xref table and Trailer. Within the Xref table, only one change takes place: the reference to the Description,” the experts explained.
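Both the “Replace” and the “Hide-and-Replace” variants described above rely on the same PDF mechanism: an incremental update appended after the bytes the signature actually covers (the signature's /ByteRange), redefining an object or adding a new Xref table and Trailer. The check below is an added example written for this article; it is not code from the researchers or from any PDF viewer. It builds a constructed toy document with a placeholder signature dictionary (no real cryptographic signature, only a fixed-width hex /Contents string) and then reports, from a verifier's point of view, what lies outside the signed range: trailing bytes, signed objects defined a second time, and an appended xref/trailer. The object layout, the /Adobe.PPKLite filter name and the text strings are assumptions chosen for the example.

```python
"""Constructed toy PDF plus a checker for content appended after a signature's /ByteRange.
Added example for this article; not the researchers' or any vendor's code."""
import re

HEADER = b"%PDF-1.7\n"
SIG_CONTENTS = b"<" + b"00" * 32 + b">"       # placeholder, not a real CMS signature
BYTERANGE_FMT = b"[0 %010d %010d %010d]"      # fixed width so offsets can be filled in later


def _obj(num: int, body: bytes) -> bytes:
    return b"%d 0 obj\n" % num + body + b"\nendobj\n"


def _xref_entry(offset: int) -> bytes:
    return b"%010d 00000 n \n" % offset       # exactly 20 bytes, as the PDF spec requires


def build_sample_pdf(with_update: bool) -> bytes:
    """Constructed one-page document whose signature /ByteRange covers the whole first
    revision. with_update=True appends an incremental update that redefines the page
    content (object 4) and adds a new xref table and trailer, the structure the
    researchers describe; nothing here is signed for real."""
    content = b"BT /F1 12 Tf 72 700 Td (Pay 100 EUR) Tj ET"
    objs = [
        _obj(1, b"<< /Type /Catalog /Pages 2 0 R >>"),
        _obj(2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
        _obj(3, b"<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>"),
        _obj(4, b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream"),
    ]
    pdf, offsets = HEADER, []
    for o in objs:
        offsets.append(len(pdf))
        pdf += o
    offsets.append(len(pdf))                  # object 5 is the signature dictionary
    sig_head = b"5 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /ByteRange "
    sig_tail = b" /Contents " + SIG_CONTENTS + b" >>\nendobj\n"
    br_len = len(BYTERANGE_FMT % (0, 0, 0))
    contents_start = len(pdf) + len(sig_head) + br_len + len(b" /Contents ")
    contents_end = contents_start + len(SIG_CONTENTS)
    xref_off = len(pdf) + len(sig_head) + br_len + len(sig_tail)
    xref = b"xref\n0 6\n0000000000 65535 f \n" + b"".join(_xref_entry(o) for o in offsets)
    trailer = (b"trailer\n<< /Size 6 /Root 1 0 R >>\nstartxref\n"
               + str(xref_off).encode() + b"\n%%EOF\n")
    total = xref_off + len(xref) + len(trailer)
    # A correct signature covers everything except its own /Contents hex string.
    byterange = BYTERANGE_FMT % (contents_start, contents_end, total - contents_end)
    pdf += sig_head + byterange + sig_tail + xref + trailer
    assert len(pdf) == total
    if with_update:
        new_content = b"BT /F1 12 Tf 72 700 Td (Pay 100000 EUR) Tj ET"
        upd_obj_off = len(pdf)
        upd = _obj(4, b"<< /Length %d >>\nstream\n" % len(new_content) + new_content + b"\nendstream")
        upd_xref_off = upd_obj_off + len(upd)
        upd += (b"xref\n4 1\n" + _xref_entry(upd_obj_off)
                + b"trailer\n<< /Size 6 /Root 1 0 R /Prev " + str(xref_off).encode()
                + b" >>\nstartxref\n" + str(upd_xref_off).encode() + b"\n%%EOF\n")
        pdf += upd
    return pdf


SIG_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
OBJ_RE = re.compile(rb"(?m)^(\d+)\s+(\d+)\s+obj\b")


def analyze(pdf: bytes) -> dict:
    """Report what lies outside the signed byte range. A verifier must treat anything
    there as unsigned, regardless of whether the signature itself checks out."""
    findings = []
    m = SIG_RE.search(pdf)
    if not m:
        return {"signed": False, "redefined": [], "findings": ["no /ByteRange found"]}
    a, b, c, d = map(int, m.groups())
    signed_end = c + d
    # The only hole in the covered range should be the /Contents hex string itself.
    gap = pdf[a + b:c]
    if a != 0 or not (gap.startswith(b"<") and gap.endswith(b">")):
        findings.append("ByteRange hole is not just the /Contents string")
    trailing = pdf[signed_end:]
    redefined = []
    if trailing.strip():
        findings.append("%d bytes follow the signed range" % len(trailing))
        signed_nums = {int(n) for n, _ in OBJ_RE.findall(pdf[:signed_end])}
        redefined = sorted({int(n) for n, _ in OBJ_RE.findall(trailing)} & signed_nums)
        if redefined:
            findings.append("signed objects redefined after signing: %s" % redefined)
        if re.search(rb"\bxref\b|/Type\s*/XRef|\btrailer\b", trailing):
            findings.append("new xref table/trailer appended after signing")
    return {"signed": True, "signed_end": signed_end, "file_len": len(pdf),
            "redefined": redefined, "findings": findings}


if __name__ == "__main__":
    for flag in (False, True):
        print("with_update=%s -> %s" % (flag, analyze(build_sample_pdf(flag))["findings"]))
```

Incremental updates after signing are legitimate in some workflows (form filling, a second signature), so the right response is not to reject the file outright but to never show a plain “signature valid” verdict for it: the viewer should say that the document was modified after signing and, ideally, let the user view the signed revision (the bytes up to `signed_end`) on its own. The gap check matters too, since a /ByteRange that excludes more than the /Contents string leaves unsigned bytes inside what looks like a covered document.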

Experts shared all the exploits here.


Pierluigi Paganini

(SecurityAffairs – hacking, Shadow attacks)


Pierluigi Paganini

Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of the "The Hacker News" team and a writer for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. Author of the books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
