SoylentNews is people

posted by martyb on Thursday February 25 2021, @09:52PM
from the WYSINWYG dept.

Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs:

Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique uses the "enormous flexibility provided by the PDF specification so that shadow documents remain standard-compliant."

The findings were presented yesterday at the Network and Distributed System Security Symposium (NDSS), with 16 of the 29 PDF viewers tested — including Adobe Acrobat, Foxit Reader, Perfect PDF, and Okular — found vulnerable to shadow attacks.

To carry out the attack, a malicious actor creates a PDF document with two different contents: one which is the content that's expected by the party signing the document, and the other, a piece of hidden content that gets displayed once the PDF is signed.

"The signers of the PDF receive the document, review it, and sign it," the researchers outlined. "The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the signers."

In the analog world, the attack is equivalent to deliberately leaving empty spaces in a paper document and getting it signed by the concerned party, ultimately allowing the counterparty to insert arbitrary content in the spaces.

Shadow attacks build upon a similar threat devised by the researchers in February 2019, which found that it was possible to alter an existing signed document without invalidating its signature, thereby making it possible to forge a PDF document.

[...] At its core, the attacks leverage "harmless" PDF features which do not invalidate the signature, such as "incremental update" that allows for making changes to a PDF (e.g., filling out a form) and "interactive forms" (e.g., text fields, radio buttons, etc.) to hide the malicious content behind seemingly innocuous overlay objects or directly replace the original content after it's signed.

A third variant called "hide and replace" can be used to combine the aforementioned methods and modify the contents of an entire document by simply changing the object references in the PDF.

See the original story for pictures which help explain the attack as well as the list of vulnerable applications and versions thereof on Windows, macOS, and Linux. Several other PDF vulnerabilities and corresponding CVEs are also listed.
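
The "incremental update" feature described above leaves a checkable trace: a signature dictionary records the byte spans it covers in `/ByteRange`, so any bytes past the end of the last span were appended after signing. The following is an added example, not code from the article or the researchers; the function names and the PDF-like sample bytes are constructed for illustration.

```python
import re

# Signature dictionaries record the signed byte spans as /ByteRange [a b c d]:
# bytes a..a+b and c..c+d are hashed; the gap between them holds /Contents.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def signature_coverage(pdf: bytes) -> list:
    """Return one report per /ByteRange found in the raw file bytes."""
    reports = []
    for m in BYTE_RANGE.finditer(pdf):
        a, b, c, d = map(int, m.groups())
        end = c + d
        reports.append({
            "byte_range": (a, b, c, d),
            # A sane range starts at 0, is ordered, and stays inside the file.
            "well_formed": a == 0 and a + b <= c and end <= len(pdf),
            "signed_end": end,
            # Non-whitespace bytes past the signed region are not covered by it.
            "unsigned_tail": pdf[end:].strip(),
        })
    return reports


def last_signature_covers_file(pdf: bytes) -> bool:
    """True only if the outermost well-formed range reaches the end of the file."""
    reports = [r for r in signature_coverage(pdf) if r["well_formed"]]
    if not reports:
        return False
    outer = max(reports, key=lambda r: r["signed_end"])
    return outer["unsigned_tail"] == b""


def build_signed_sample() -> bytes:
    """Constructed PDF-like bytes; the /Contents value is a zero placeholder."""
    pre = b"%PDF-1.7\n5 0 obj\n<< /Type /Sig /ByteRange ["
    post = b"] /Contents "
    gap = b"<" + b"00" * 32 + b">"  # excluded from the signed range
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    first_len = len(pre) + 43 + len(post)  # four 10-digit numbers + 3 spaces
    second_start = first_len + len(gap)
    nums = b"%010d %010d %010d %010d" % (0, first_len, second_start, len(tail))
    return pre + nums + post + gap + tail


# Constructed stand-in for an incremental update appended after signing.
APPENDED_UPDATE = b"9 0 obj\n<< /Note (added later) >>\nendobj\ntrailer\n<< /Prev 0 >>\n%%EOF\n"

if __name__ == "__main__":
    signed = build_signed_sample()
    for name, data in (("as signed", signed), ("with update", signed + APPENDED_UPDATE)):
        tail = signature_coverage(data)[-1]["unsigned_tail"]
        print(f"{name}: covers file={last_signature_covers_file(data)}, "
              f"unsigned bytes={len(tail)}")
```

This is a triage signal, not signature verification: legitimate form fills and later signatures also append updates, and full coverage says nothing about hidden content that was already in the document when it was signed.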


This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 0) by Anonymous Coward on Thursday February 25 2021, @10:15PM (17 children)

    by Anonymous Coward on Thursday February 25 2021, @10:15PM (#1117371)

    So many problems in our computing lives stem from two sources:
    * Flash - now finally almost in its grave
    * PDF - never mind the super-spyware "Adobe PDF Reader"
    Note please, for the record, that both these technologies come from Adobe.

    • (Score: 2) by maxwell demon on Thursday February 25 2021, @10:23PM (1 child)

      by maxwell demon (1608) on Thursday February 25 2021, @10:23PM (#1117377) Journal

      Actually Flash originally didn't come from Adobe; they just bought it.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 0) by Anonymous Coward on Friday February 26 2021, @01:50AM

        by Anonymous Coward on Friday February 26 2021, @01:50AM (#1117425)

        Macromedia, if I remember correctly.

    • (Score: 2) by sjames on Thursday February 25 2021, @10:26PM (4 children)

      by sjames (2882) on Thursday February 25 2021, @10:26PM (#1117380) Journal

      We need an anti-marketing slogan: "Adobe! You'll shit a brick!"

      • (Score: 0) by Anonymous Coward on Friday February 26 2021, @03:34AM (2 children)

        by Anonymous Coward on Friday February 26 2021, @03:34AM (#1117443)

        "Adobe! We'll brick your shit!" Sounds better ;)

        • (Score: 2) by hendrikboom on Saturday February 27 2021, @07:42PM (1 child)

          by hendrikboom (1125) Subscriber Badge on Saturday February 27 2021, @07:42PM (#1118012) Homepage Journal

          Isn't dried shit a building material in some parts of the world?
          Or is that just for fuel?

          -- hendrik

          • (Score: 0) by Anonymous Coward on Saturday February 27 2021, @10:38PM

            by Anonymous Coward on Saturday February 27 2021, @10:38PM (#1118061)

            Both.

      • (Score: 0) by Anonymous Coward on Friday February 26 2021, @09:31PM

        by Anonymous Coward on Friday February 26 2021, @09:31PM (#1117724)
        Well Adobe is Spanish for 'mudbrick'. That's not very far from shit brick ;).
    • (Score: 2) by looorg on Thursday February 25 2021, @10:36PM (4 children)

      by looorg (578) on Thursday February 25 2021, @10:36PM (#1117385)

      PDF started out pretty good as I recall it, as some sort of postscript+ document. Then as they started to add more and more "features" (filling out forms, links, javascript (?!) ...) it just opened up as a gigantic portal attack vector.

      • (Score: 2) by bzipitidoo on Friday February 26 2021, @05:47PM (2 children)

        by bzipitidoo (4388) on Friday February 26 2021, @05:47PM (#1117622) Journal

        Any Turing complete language is going to have vulnerabilities.

        As to the features, we do need something that can handle forms. Forms are the lifeblood of much business. PDF isn't great at it, but there aren't alternatives. Epub doesn't do forms. There's this DjVu format that is, shamefully, even more bloated than PDF. They claim otherwise, of course. At least PDF can maintain the text. Far as I can tell, DjVu turns everything into pictures. No text selection and copying from a DjVu document! Doesn't do forms either.

        As for signing, I recently learned of a distinction. Digital signatures are the provably valid ones. There is also the e-signature, which is a totally lame fake handwritten sig. Basically, all you do is pick a font that sort of looks like your handwriting, and type in your name. They freaking use that for big purchases, such as buying a home. Can also scan or photograph your signature and use that as a digital rubber stamp, but the font looks like the more common approach.

        We could really use a better standard than PDF. Some of the things that you might want to do to a PDF can only be done by Adobe's commercialized to the max software that they won't simply sell to users, no, you have to pay every month, and create an account, and all that. And PDF has long been notorious for bloat.

        Also, PDF was never intended to be editable, but all the time, people want to edit them. Some things can be done, minor edits aren't too hard to do, but in general, it's not much good. You'd really, really rather have the original document from which the PDF was generated, but there, trying to get businesses to give those out is like pulling teeth. They don't want to do that. They don't. The office flunkies who prepared the documents fear that giving out the original will imperil their jobs, and will do everything they can to stymie and refuse requests for that. They'll play stupid. They'll give you the PDF version again, and say they gave you what you wanted. And their employers also don't want to give the originals out, for fear it will help their competitors. It's not like a form is all that hard to recreate from scratch, but it is enough of an obstacle to discourage most such efforts.

        There is software that extracts text and tries to intelligently convert PDF to a more editable format, but those are all pretty feeble, relying on heuristics that are wrong more often than not. Really need AI to do a decent job on a task like that.

        So instead, at some point in the chain of edits and changes and filling in of blanks, the PDF is all too apt to be turned into a series of scanned raster images. Which defeats what little point there is to having the PDF format.

        • (Score: 2) by FatPhil on Friday February 26 2021, @10:07PM (1 child)

          by FatPhil (863) <reversethis-{if.fdsa} {ta} {tnelyos-cp}> on Friday February 26 2021, @10:07PM (#1117735) Homepage
          > Any Turing complete language is going to have vulnerabilities.

          What?

          WHAT??

          WAAAAAAT??!??!?!?!?!

          Pretty much the opposite.

          Any language that is just Turing complete, and nothing more, will have no vulnerabilities, as there's no way of getting it to do anything outside its design parameters. It's when you start sticking in things that are nothing to do with Turing completeness, such as an alternate input or output mechanism, that you get the vulnerabilities. And those can be exploited even in non-Turing-complete languages. It was not the Turing completeness that was the problem, it was the other features.

          Prove me wrong by exploiting the Turing machine that halts instantly on any read symbol, which is undeniably a program written in a Turing complete language.
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
          • (Score: 2) by bzipitidoo on Saturday February 27 2021, @01:51AM

            by bzipitidoo (4388) on Saturday February 27 2021, @01:51AM (#1117793) Journal

            Of course a Turing complete language is less secure! But it's not that the mere fact of having Turing completeness is inherently less secure and somehow adds vulnerability. No. It is simply because it is more powerful. Has more potential, more capability.

            People have tried to make languages and machines more secure by purposely ensuring they were not Turing complete. For instance, SQL. However, this has largely been futile. Turing completeness is such an incredibly low bar that it takes much careful checking to keep that capability out of a language.

      • (Score: 0) by Anonymous Coward on Friday February 26 2021, @08:36PM

        by Anonymous Coward on Friday February 26 2021, @08:36PM (#1117696)

        Is there a program that strips all features, leaving the document? Or, is there a PDF reader with a flag that disables all extraneous "features"?

        I've noticed Internet connections from Okular while using it to view PDF files. I haven't found a way for SELinux to cage specific applications, keeping Okular off the 'net.

    • (Score: -1, Troll) by Ethanol-fueled on Thursday February 25 2021, @11:50PM (4 children)

      by Ethanol-fueled (2792) on Thursday February 25 2021, @11:50PM (#1117398) Homepage

      Flash and PDF are old attack vectors. What I'd worry about more are Jews working for Raytheon and other places in Israel, both of which regularly launch bot-farms and outright infrastructure attacks on domestic America, with their other more domestic Jew buddies of course launching complementary domestic PR campaigns to blame those attacks on Russia and White Supremacy.

      Vulnerabilities in computing will always exist as long as Jews are entrenched in computing and government.

      • (Score: 0, Flamebait) by Runaway1956 on Friday February 26 2021, @12:00AM (1 child)

        by Runaway1956 (2926) Subscriber Badge on Friday February 26 2021, @12:00AM (#1117401) Journal

        COME ON MAN!!! Jews working for Raytheon is an older attack vector than Flash or PDF! Y U No Like Jews? Y U No Like Raytheon?

        • (Score: -1, Flamebait) by Ethanol-fueled on Friday February 26 2021, @12:24AM

          by Ethanol-fueled (2792) on Friday February 26 2021, @12:24AM (#1117409) Homepage

          There are two most evil industries in America: the Military Industrial Complex, and Big Pharma.

          Both are Jew-run. The third and fourth most evil industries in America are finance and media. Both are Jew-run.

          There are some good Jews, like Daniel Ellsberg, Bobby Fischer, Glenn Greenwald, Max Blumenthal, ̶B̶i̶l̶l̶y̶ ̶J̶o̶e̶l̶, * ̶N̶o̶a̶m̶ ̶C̶h̶o̶m̶s̶k̶y̶. **

          * Reversed his apolitical stance to shill for Hillary, possibly at gunpoint

          ** Went full-retard into Globohomo as a result of being senile

      • (Score: 0) by Anonymous Coward on Friday February 26 2021, @06:26PM

        by Anonymous Coward on Friday February 26 2021, @06:26PM (#1117642)

        Jew this, jew that. You're so boring. And your penis is tiny.

      • (Score: 0) by Anonymous Coward on Saturday February 27 2021, @02:53PM

        by Anonymous Coward on Saturday February 27 2021, @02:53PM (#1117934)

        Hey, haven't seen you in a while around here. Looks like you switched back to your old meds.

  • (Score: 2, Insightful) by Anonymous Coward on Thursday February 25 2021, @10:18PM (3 children)

    by Anonymous Coward on Thursday February 25 2021, @10:18PM (#1117372)

    Maybe you should just send "sign" it with PGP rather than the PDF internal signature that doesn't checksum the entire document.

    • (Score: 2) by Rosco P. Coltrane on Thursday February 25 2021, @10:26PM

      by Rosco P. Coltrane (4757) on Thursday February 25 2021, @10:26PM (#1117379)

      Exactly what I was thinking. Digitally signing a file is best done with a dedicated, external utility that ensures the bitwise integrity of the entire file. Once you start doing the signing at a higher level and let certain operations be carried out in the signed file, shit will inevitably happen.

    • (Score: 2) by sjames on Thursday February 25 2021, @10:28PM

      by sjames (2882) on Thursday February 25 2021, @10:28PM (#1117382) Journal

      This! The problem with "signed" PDF documents is that they chose simplicity and expediency over security for something where security REALLY matters a lot (at least in some cases).

    • (Score: 5, Insightful) by rigrig on Friday February 26 2021, @08:44AM

      by rigrig (5129) <soylentnews@tubul.net> on Friday February 26 2021, @08:44AM (#1117499) Homepage

      Yes, but the problem is people want to stick with PDF files because of convenience:
      If you want to "just sign it with PGP" you either have to handle two files (document+signature), or come up with some sort of container format which contains both files and extract them every time you want to read it.

      --
      No one remembers the singer.
  • (Score: 0) by Anonymous Coward on Thursday February 25 2021, @10:19PM (2 children)

    by Anonymous Coward on Thursday February 25 2021, @10:19PM (#1117375)

    Those who overcomplexify things without a reason, are suffering the consequences since hardware first allowed such a folly, now 30 years at the least.

    It conclusively demonstrates that people never learn from mistakes, theirs or anybody else's, unless held personally responsible for the consequences of their actions and decisions.

    In case they are, however, then unlikeliest persons exhibit unimaginable feats of understanding and learning.

    • (Score: 0) by Anonymous Coward on Thursday February 25 2021, @10:45PM (1 child)

      by Anonymous Coward on Thursday February 25 2021, @10:45PM (#1117386)
      I’m not too sure of that. There are people for whom the only solution is retiring them. And that can be at any age, but it certainly increases with age. It’s sad when you see people younger than you who are way past their peak and keep fucking up because they’re in a position of authority and almost nobody wants to call them out.
      • (Score: -1, Flamebait) by Ethanol-fueled on Friday February 26 2021, @12:37AM

        by Ethanol-fueled (2792) on Friday February 26 2021, @12:37AM (#1117412) Homepage

        I know exactly who you're talking about. There are 90 year old Jewish account managers managing millions in New York City, but they are drooling all over themselves and shitting their britches. I was lucky to have dinner with one of them, and we were deep into conversation when suddenly his eyes rolled back into his head with his tongue sticking out and drooling, with a "Wgoooooooookpfhyfblflphpflbfpfplhplfghl" noise coming from under the table. Shortly afterward as we all sat in horrified silence, a waft of sterile diaper scent ruined dinner for all at the table.

        The 90 year-old Jewish banker, clearly used to this, whispered to his assistant, "Dinnertime is over, please take me up to my penthouse with my tarp and favorite shittin' escort. I still have a little pants-chili left for that goddamn Shiksa."

        The only problem with old people is that their hearing goes and they speak loudly when they think they're not. So when that guy was whispering, he was really speaking loudly to the rest of the dinner table. His little monologue excited the other Jews at the table, who wanted to be in a hurry with shitting on their own escorts. I thought I had it made during a dinner business deal, but after that disgusting spectacle I flew out of La Guardia and never set foot anywhere near that city ever again.

  • (Score: 2) by Lester on Saturday February 27 2021, @03:28PM

    by Lester (6231) on Saturday February 27 2021, @03:28PM (#1117944) Journal

    Readers should add a show/hide visible signature, that is overlay shown when signed.
