The Portable Document Format (PDF) file type is one of the most common file formats in use today. It’s value comes from the fact that PDFs always print the same way, and that PDFs are supposed to be read-only (unlike a Word document, say, which is designed to be easy to edit). This immutability can be assured by password protection and digital signing.

PDFs are used extensively in the legal, medical and real-estate industries, but are also seen in education, small businesses and other sectors. The format’s popularity really took off when Adobe released it as an open standard in around 2008, which untethered it from the company’s Acrobat software.

PDF security

PDF files can be password protected so that only people with the password can read the content of the file. However, for anyone that knows the password it’s trivial to remove the password or create an identical file that is not password protected.

Certified PDFs

PDFs can be digital signed, which indicates that the signer approves of its contents. The PDF specification defines two different types of digital signatures to guarantee the authenticity and integrity of documents:

  • Approval signatures testify one specific state of the PDF document. If the document is changed the signature becomes invalid.
  • Certification signatures allow for specific changes to a signed document without invalidating the signature. You can specify the types of changes that are permitted for the document to remain certified. For example, a sender can specify that a signature from a receiver in the designated field does not invalidate the certification. This way the sender can be sure that when they receive the signed copy that the signature was the only change in the document. Certifying signatures can be visible or invisible.

Digital signatures

You cannot remove a digital signature from a PDF unless you are the one who placed it and you have the digital ID for signing it installed. Each time a document is signed using a certificate, a signed version of the PDF at that time is saved with the PDF. Each version is saved as append-only and the original cannot be modified. After a document is signed, you can display a list of the changes made to the document after the last version.

Secretly changing signed documents

Researchers working at the Ruhr University Bochum (Germany) however, have presented two possible attacks where the content of the PDF document can be altered by the receiver in such a way that the changes are undetectable, either in all PDF applications or in a subset of them. The names that they gave to these two attacks are:

  • Evil Annotation Attack (EAA)
  • Sneaky Signature Attack (SSA)

Both vulnerabilities allow an attacker to change the visible content of a PDF document by displaying unauthorized content over the certified content. However, the certification remains valid and the application shows no warnings that unauthorized changes were made.

The success of these attacks depends on the specific PDF viewer. These applications are supposed to alert the reader to any unauthorized changes. The researchers evaluated 26 popular PDF viewers. They were able to break the security of certified documents in 15 of them with EAA. Eight applications were vulnerable to SSA. Only two were not fooled by either attack. The researchers responsibly disclosed these issues and supported the vendors to fix the vulnerabilities.

An additional code injection attack

An incremental update introduces a possibility to extend a PDF by appending new information at the end of the file. The original document stays unmodified and a revision history of all document changes is kept. An example of an Incremental Update is the inclusion of an certification, signature, annotation, or the filling out forms within a PDF.

Only certified documents are allowed to execute high privileged JavaScript code in Adobe products, but the research shows that such code is also executed if it is added as an allowed incremental update. This  allows attackers to directly embed malicious code into a certified document. If you’re wondering why that’s bad, consider that we are now into our fourth decade of malicious Microsoft Office macros.

Permission levels for certified documents

The certifier has a choice of three different permission levels to allow different modifications:

  • P1: No modifications on the document are allowed.
  • P2: Filling out forms, and digitally signing the document are allowed.
  • P3: In addition to P2, annotations are also allowed.

Annotations introduce a different method for a user input by allowing a user to put remarks in a PDF document like text highlighting, strikeouts, or sticky notes. Annotations are not limited to predefined places within the PDF and can be applied everywhere within the document.

Evil Annotation Attack (EAA) breaks P3

The researchers found three types of annotations capable of hiding and adding text and images. All three can be used to stealthily modify a certified document and inject malicious content. To execute the attack, the attacker modifies a certified document by including the annotation with the malicious content at a position of the attacker’s choice. According to the researchers, a victim would have to manually inspect UI-Layer 3 or click on the annotation to detect the modification. And the attacker could even lock an annotation to disable clicking on it.

Sneaky Signature Attack (SSA) breaks P2

The idea of the Sneaky Signature Attack is to manipulate the appearance of arbitrary content within the PDF by adding overlaying signature elements to a PDF document that is certified at level P2. The attacker modifies a certified document by including a signature field with the malicious content at a position of an attacker’s choice. The attacker then needs to sign the document, but does not need to possess a trusted key. A self-signed certificate for SSA is sufficient.

Vulnerabilities

The researchers used additional techniques to make their attacks even less easy to detect. What the attacks reveal is that signatures and annotations can:

  • Be customized to appear as a normal text/images above the signed content.
  • Be made indistinguishable from the original content.
  • And their indications can be hidden from UI layers.

Using EAA and SSA to inject JavaScript

For annotations and signature fields, it is possible to pass a reference to an object containing JavaScript. It is possible to trigger the code execution when opening the page. The victim is unable to prevent this. The attack is not limited to calling up a website but can execute any high privileged JavaScript code. The only requirement is that the victim fully trusts the certificate used to certify the PDF document.

PDF specification

By design, certified documents enable complex and highly desired use-cases and the devil here seems to be in the specification details, which runs to 994 pages! The specification will need to be updated to address the issues found by these researchers. It perhaps also needs simplifying, to avoid further unintended consequences.

For more technical details and the research methodology we advise interested readers to go over the original paper (pdf). You will also be able to find out how your favorite application handles these issues.