New Attacks Show Signed PDF Documents Cannot Be Trusted
Many popular PDF viewers and online validation services contain vulnerabilities that can be exploited to make unauthorized changes to signed PDF documents without invalidating their signature, researchers have warned.
PDF signatures, which rely on cryptographic operations, are widely used by organizations around the world to ensure that their documents are protected against unauthorized modifications. Many governments sign their official documents, researchers often sign scientific papers, and major companies such as Amazon are known to sign documents such as invoices. If a signed document has been changed, its signature should become invalid.
However, the researchers from Ruhr-University Bochum have demonstrated that a vast majority of PDF viewers and online validation services are vulnerable to at least one of the three PDF signature spoofing attack methods they have identified.
The experts showed that an unauthorized user could leverage various techniques to make changes to a PDF document without invalidating its signature.
The list of vulnerable applications includes Adobe Reader, Foxit Reader, LibreOffice, Nitro Reader, PDF-XChange and Soda PDF, which are some of the most popular PDF readers. The list of affected validation services includes DocuSign, eTR Validation Service, DSS Demonstration WebApp, Evotrust, and VEP.si.
The only application that was not vulnerable to at least one type of attack was Adobe Reader 9 running on Linux, while the only non-vulnerable online service was the 5.4 version of the DSS Demonstration WebApp. The researchers have been working with CERT-Bund, Germany’s governmental CERT, to notify impacted vendors and provide them the information needed to address the issues. While some online services have yet to roll out patches, all of the companies providing PDF viewing apps have released fixes.
The three attack methods identified by researchers have been named Universal Signature Forgery (USF), Incremental Saving Attack (ISA), and Signature Wrapping Attack (SWA).
In the case of USF, an attacker can manipulate meta information in the signature so that the application used to open the altered PDF finds the signature, but not the data needed for validation. Despite the missing information, the signature is still showed as valid by some applications, such as Acrobat Reader DC and Reader XI.
The ISA attack, which affects many of the tested apps and services, leverages a legitimate feature in the PDF specification. This feature allows files to be updated by appending changes, such as storing annotations or adding new pages to the document. An attacker can modify a document by making changes to an element that is not part of the signature integrity protection.
Finally, the SWA attack, which impacts many PDF apps and some online validation services, forces the signature verification logic to process different data by “relocating the originally signed content to a different position within the document and inserting new content at the allocated position.”