| Title | Shadow Attacks let Attackers Replace Content in Digitally Signed PDFs | |
| Date | Thursday February 25 2021, @09:52PM | |
| Author | martyb | |
| Topic | ||
| from the WYSINWYG dept. | ||
Shadow Attacks Let Attackers Replace Content in Digitally Signed PDFs:
Called "Shadow attacks" by academics from Ruhr-University Bochum, the technique uses the "enormous flexibility provided by the PDF specification so that shadow documents remain standard-compliant."
The findings were presented yesterday at the Network and Distributed System Security Symposium (NDSS), with 16 of the 29 PDF viewers tested — including Adobe Acrobat, Foxit Reader, Perfect PDF, and Okular — found vulnerable to shadow attacks.
To carry out the attack, a malicious actor creates a PDF document with two different contents: one which is the content that's expected by the party signing the document, and the other, a piece of hidden content that gets displayed once the PDF is signed.
"The signers of the PDF receive the document, review it, and sign it," the researchers outlined. "The attackers use the signed document, modify it slightly, and send it to the victims. After opening the signed PDF, the victims check whether the digital signature was successfully verified. However, the victims see different content than the signers."
In the analog world, the attack is equivalent to deliberately leaving empty spaces in a paper document and getting it signed by the concerned party, ultimately allowing the counterparty to insert arbitrary content in the spaces.
Shadow attacks build upon a similar threat devised by the researchers in February 2019, which found that it was possible to alter an existing signed document without invalidating its signature, thereby making it possible to forge a PDF document.
[...] At its core, the attacks leverage "harmless" PDF features which do not invalidate the signature, such as "incremental update" that allows for making changes to a PDF (e.g., filling out a form) and "interactive forms" (e.g., text fields, radio buttons, etc.) to hide the malicious content behind seemingly innocuous overlay objects or directly replace the original content after it's signed.
A third variant called "hide and replace" can be used to combine the aforementioned methods and modify the contents of an entire document by simply changing the object references in the PDF.
See the original story for pictures which help explain the attack as well as the list of vulnerable applications and versions thereof on Windows, macOS, and Linux. Several other PDF vulnerabilities and corresponding CVEs are also listed.
| Links |
printed from SoylentNews, Shadow Attacks let Attackers Replace Content in Digitally Signed PDFs on 2024-04-20 04:28:28