Most enterprises can’t do without PDF in daily office. However, a vulnerability in PDF certification can change the content of the document, which means that sensitive information in the document can be changed or stolen, resulting in financial losses.

Cybersecurity researchers have revealed two new attack techniques for vulnerabilities in certified PDF documents that allow attackers to alter the document’s visible content by adding malicious content without invalidating the signature.

The researchers say the new attack takes advantage of the flexibility of the PDF authentication system, which allows authentication documents to be signed or annotated at different levels of authority.

Two new ways to modify certified PDF documents

Both types of attacks that modify certified PDF documents — known as Evil Annotation and Sneaky Signature attacks — rely on manipulating the PDF certification process by exploiting system vulnerabilities in the specification, This specification governs the implementation of digital signatures (aka approval signatures) and their more flexible variants (called authentication signatures).

Authentication signatures also allow for different subsets of modifications to PDF documents based on the level of permission set by the authenticator, including the ability to write text to specific form fields, provide comments, and even add multiple signatures.

Evil Annotation Attack (EAA) works by exploiting a system vulnerability to modify an authenticated document that is set to insert comments to contain malicious code and then send it to the victim. The logic behind the Sneaky Signature Attack (SSA), on the other hand, manipulates the look and feel by adding overlapping Signature elements to documents that allow filling in form fields through a system vulnerability.

In a hypothetical attack scenario, the verifier creates an authentication contract that contains sensitive information while allowing additional signatures to be added to the PDF contract. By exploiting these permissions an attacker can modify the contents of a document, for example, by manipulating the contract to display an international bank account number (IBAN) and fraudulently transfer funds without the victim’s knowledge.

Attack effect

After evaluating 26 PDF applications, Including Adobe Acrobat Reader (Vulnerability CVE-2021-28545 and CVE-2021-28546), Foxit Reader (vulnerability CVE-2020-35931) and Nitro Pro, 15 of which are vulnerable to EAA attacks. And enable the attacker to improve the visible content of the document. Oda PDF Desktop, PDF Architect, and six other applications are vulnerable to SSA attacks.

The study also found a more serious problem with the EAA and SSA using such code as incremental updates to authentication documents, which can execute highly privileged JavaScript code in Adobe Acrobat Pro and Reader, such as redirecting users to malicious websites, Adobe addressed this system vulnerability in a November 2020 patch update (CVE-2020-24432).

Prevention advice

To defend against attacks against this type of system vulnerability, it is recommended to prohibit the use of FreeText, Stamp, and Redact annotations, and to ensure that signature fields are set in a specified location in the PDF document prior to authentication, and to prohibit any subsequent addition of signature fields with invalid certificates.

Although neither the EAA nor the SSA can change the content itself, comments and signature fields can be used to add new content for overwriting, and victims who open a PDF can’t distinguish these additions from normal content. Worse, comments can be embedded with highly privileged JavaScript code, allowing them to be added to specific authenticated documents. Zhongke tianqi reminds everyone that when using Adobe series of applications and PDF documents, we should repair the known vulnerabilities in time and strengthen the awareness of network security, vigilance against criminal attacks.

And read the links: www.woocoom.com/b021.html?i…