New ‘Shadow Attack’ can replace content in digitally signed PDF files


Fifteen out of 28 desktop PDF viewer purposes are susceptible to a brand new assault that lets malicious risk actors modify the content material of digitally signed PDF paperwork.

The checklist of susceptible purposes contains Adobe Acrobat Professional, Adobe Acrobat Reader, Good PDF, Foxit Reader, PDFelement, and others, in accordance with new analysis [PDF] printed this week by teachers from the Ruhr-College Bochum in Germany.


Picture: Mainka et al.

Lecturers have named this method of forging paperwork a Shadow Assault.

The primary thought behind a Shadow Assault is the idea of “view layers” — totally different units of content material which can be overlaid on prime of one another inside a PDF doc.

A Shadow Assault is when a risk actor prepares a doc with totally different layers and sends it to a sufferer. The sufferer digitally indicators the doc with a benign layer on prime, however when the attacker receives it, they alter the seen layer to a different one.

As a result of the layer was included within the authentic doc that the sufferer signed, altering the layer’s visibility does not break the cryptographic signature and permits the attacker to make use of the legally-binding doc for nefarious actions — akin to changing the fee recipient or sum in a PDF fee order or altering contract clauses.


Exchange variant of a Shadow Assault

Picture: Mainka et al.

In accordance with the analysis staff three variants of a Shadow Assault exist:

  • Conceal — when attackers use the PDF normal’s Incremental Replace function to cover a layer, with out changing it with anything.
  • Exchange — when attackers use the PDF normal’s Interactive Varieties function to switch the unique content material with a modified worth.
  • Conceal-and-Exchange — when attackers use a second PDF doc contained within the authentic doc to switch it altogether.

Conceal-and-Exchange variant of a Shadow Assault

Picture: Mainka et al.

“The Conceal-and-Exchange assault variant is essentially the most highly effective one because the content material of your entire doc could be exchanged,” the analysis staff says.

“The attacker can construct an entire shadow doc influencing the presentation of every web page, and even the entire variety of pages, in addition to every object contained therein.”

Researchers say that Shadow Assaults are doable as a result of PDF paperwork, even when digitally signed, permit unused PDF objects to be current inside their content material.

PDF viewer apps that take away unused PDF objects when signing a doc are resistant to Shadow Assaults.

Patches can be found

The analysis staff mentioned they labored with the CERT-Bund (Pc Emergency Response Crew of Germany) to contact PDF app makers to report this new assault vector and have it patched earlier than going public with their findings earlier this week.

The Shadow Assault is presently tracked with the CVE-2020-9592 and CVE-2020-9596 identifiers.

Corporations ought to replace their PDF viewer apps to ensure the PDF paperwork they signal cannot be tampered with by way of a Shadow Assault.

That is the second time that this exact same analysis staff has damaged digital signatures for PDF viewer purposes. In February 2019, the identical staff broke the digital signing mechanism on 21 of 22 desktop PDF viewer apps and 5 of seven on-line PDF digital signing companies to create paperwork with faux signatures.

Their new Shadow Assault is totally different from their first as a result of it does not tamper with the digital signature, as the primary assault, however with the content material of the PDF with out breaking the signature.

As well as, the identical analysis staff additionally found PDFex, a method to interrupt the encryption on 27 PDF viewer purposes and extract information from inside encrypted paperwork.


Please enter your comment!
Please enter your name here