Vulnerability Report: Attacks bypassing the signature validation in PDF (Shadow Attacks)

Christian Mainka, Vladislav Mladenov, Simon Rohlmann, Jörg Schwenk


Abstract

Digitally signed PDFs are used in contracts, bills, and agreements to guarantee the authenticity and integrity of their content. A typical user would assume that digitally signed PDF files are final and cannot be further modified. However, various changes, like adding annotations to a signed PDF or filling out form fields, are allowed and do not invalidate PDF signatures.

In this report, we show that this flexibility allows attackers to completely change a document's content while keeping the original signature validation status untouched. Our attacks work in a novel attacker model, which allows attackers to hide content in a PDF. After a benign entity signs this PDF, the attackers reveal the hidden content by using permitted manipulations. Our results reveal that out of 27 tested PDF viewers, 15 of them.
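The following triage check is an added example, not code from the report. Changes made after signing are appended behind the bytes named in the signature's `/ByteRange`, so it lists what sits beyond that range for a reviewer to inspect. The function names and the sample bytes are constructed for illustration.

```python
import re

# /ByteRange [start1 len1 start2 len2]: the two byte spans the signature covers
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# "N G obj" at the start of a line opens an indirect object definition
OBJ_HEADER = re.compile(rb"(?m)^(\d+)\s+\d+\s+obj\b")


def post_signature_changes(pdf: bytes) -> list:
    """For each signature, report what lies beyond the bytes it covers.

    Triage heuristic only: a regex scan is not a PDF parser and does not see
    objects stored inside compressed object streams.
    """
    findings = []
    for m in BYTE_RANGE.finditer(pdf):
        _start1, _len1, start2, len2 = map(int, m.groups())
        signed_end = start2 + len2   # first byte the signature does not cover
        tail = pdf[signed_end:]      # everything appended after signing
        findings.append({
            "signed_end": signed_end,
            "trailing_bytes": len(tail),
            "objects_after": [int(n) for n in OBJ_HEADER.findall(tail)],
        })
    return findings


def sample_signed() -> bytes:
    """Constructed stand-in for a signed revision (dummy /Contents, no real signature)."""
    head = ("%PDF-1.7\n5 0 obj\n<< /Type /Sig /ByteRange "
            "[{:010d} {:010d} {:010d} {:010d}] /Contents ")
    contents = b"<" + b"00" * 16 + b">"
    tail = b" >>\nendobj\n%%EOF\n"
    len1 = len(head.format(0, 0, 0, 0))  # fixed-width fields keep offsets stable
    start2 = len1 + len(contents)
    return head.format(0, len1, start2, len(tail)).encode() + contents + tail


# Constructed incremental update: one extra object appended after the signed bytes
SAMPLE_UPDATE = b"7 0 obj\n<< /Type /Annot >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for name, data in (("as signed", sample_signed()),
                       ("after update", sample_signed() + SAMPLE_UPDATE)):
        print(name, post_signature_changes(data))
```

Trailing bytes alone are not a verdict, since permitted changes such as annotations and form filling are appended the same way; the output tells a reviewer which objects to compare against the signed revision.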
