HOW TO BREAK PDF SECURITY
How to Break PDF Signature / How to Break PDF Encryption
Karsten Meyer zu Selhausen, Jens Müller, Christian Mainka, Fabian Ising, Sebastian Schinzel, Vladislav Mladenov, Martin Grothe, Jörg Schwenk
27.12.2019 How To Break PDF Security

This Talk
• Digital Signature
• Encryption
[Figure labels: Signature Validation Panel, Signature Form Field]

PDF Basics
“Everything you need to spoof PDF Signatures”

Portable Document Format (PDF)
• First version released in 1993 by Adobe
• 1.6 billion PDF documents on the web in 2015
• Used by ~99% companies and governmental institutions worldwide
• PDF-2.0 released in 2017, last version from Adobe

PDF File Structure
Header
%PDF-1.4

Body
1 0 obj
<< /Type /Catalog /Pages 2 0 R >>
endobj
2 0 obj
<< /Count 1 /Type /Pages /Kids [3 0 R] >>
endobj
3 0 obj
<< /Type /Page /Parent 2 0 R /Contents 4 0 R >>
endobj
4 0 obj
(Hello World)
endobj

XRef Section
xref
0 5                  <- first object with ID 0, 5 entries
000000000 00000 f
000000009 00000 n
000000058 00000 n
000000121 00000 n
000000184 00000 n    <- object 4 0 is located at byte offset 184 and is in use ("n")

Trailer
trailer
<< /Root 1 0 R /Size 5 >>
startxref
275
%%EOF

Incremental Update
• Prominent example: PDF Annotations
[Diagram: Header, Body, XRef Section, Trailer, followed by the appended Body Updates, Updated Xref Section, Updated Trailer]

Incremental Update

Header
%PDF-1.4

Body
1 0 obj (/Catalog) endobj
2 0 obj (/Pages) endobj
3 0 obj (/Page) endobj
4 0 obj
(Hello World)
endobj

XRef Section
xref
0 5
…

Trailer
trailer
…
%%EOF

Body Updates
4 1 obj
(Hello 36C3!)
endobj

Updated Xref Section
xref
4 1
00000300 00001 n

Updated Trailer
trailer
<< /Root 1 0 R /Size 5 /Prev 275 >>
startxref
375
%%EOF

PDF Signatures

This talk is about PDF Digital Signatures
• Electronic Signature
• Digital Signature (this talk)
[Figure labels: Electronic Signature, Signature Validation Panel, Signature Form Field]

How to create a PDF Signature
[Diagram: a PDF (Header, Body, XRef Section, Trailer) is extended by an incremental update (Body Updates, Updated Xref Section, Updated Trailer) that holds a New Catalog and the PDF Signature Objects, giving the Signed PDF. A label along the file reads "Protected by the signature".]

%PDF-1.4
1 0 obj (/Catalog) endobj
2 0 obj (/Pages) endobj
3 0 obj (/Page) endobj
4 0 obj
(Hello World)
endobj
xref
0 5
…
trailer
…
%%EOF
New Catalog
PDF Signature Objects
xref
6 5
.....
trailer
…
%%EOF
27.12.2019 How To Break PDF Security 14 PDF Signature Spoofing Goals and Prerequisites
27.12.2019 How To Break PDF Security 15 PDF Signature Spoofing
Attacker Victim
ManipulatedSigned SignedPDF PDF Manipulated Signed PDF Indistinguishable Sig. Details
INVOICE Your refund is:
Seller: Amazon EU S.à r.l $ 1,000,000,000 Date: 12.11.2019 Amount: 123,99 € (One Trillion USD)
Different Content
27.12.2019 How To Break PDF Security 16 PDF Signature Spoofing Three novel attack classes • Attack Class #1: Incremental Saving Attacks • Attack Class #2: Signature Wrapping Attacks • Attack Class #3: Universal Signature Forgery
27.12.2019 How To Break PDF Security 17 Attack Class #1/3: Incremental Saving Attack Abuse „Incremental Saving“ • Add/remove content • Keep signature valid

Incremental Saving Attack
[Diagram: a signed PDF (Header, Body, Xref Table, Trailer, followed by Body Updates, Xref Table, Trailer; marked "Protected by the signature") with a further incremental update (Body Updates, Xref Table, Trailer) appended after it. Caption: Apply “trivial” Update.]

Incremental Saving Attack
[Diagram: four variants side by side. In each, the part marked "Protected by the signature" (Header, Body, Xref Table, Trailer, Body Updates, Xref Table, Trailer) is unchanged and Body Updates are appended after it. Labels on the appended parts: Body Updates (in all four), Xref Table, Trailer (twice), + Signature Object.]

Inc. Saving Attack: 11/22 Apps are Vulnerable

Evaluation results: ● Full Signature Bypass, ◐ Limited Signature Bypass, ○ Not vulnerable

Product                      ISA
Adobe Reader DC              ○
Adobe Reader 9               ○
Adobe Reader XI              ○
eXpert PDF 12 Ultimate       ○
Expert PDF Reader            ○
Foxit Reader                 ●
LibreOffice (Draw)           ◐
Master PDF Editor            ●
Nitro Pro                    ◐
Nitro Reader                 ◐
Nuance Power PDF Standard    ○
PDF Architect 6              ○
PDF Editor 6 Pro             ◐
PDFelement 6 Pro             ◐
PDF Studio Viewer 2018       ●
PDF Studio Pro               ●
PDF-Xchange Editor           ○
PDF-Xchange Viewer           ○
Perfect PDF 10 Premium       ●
Perfect PDF Reader           ●
Soda PDF Desktop             ○
Soda PDF                     ○
Total                        11/22

Attack Class #2/3: Signature Wrapping Attack
• Manipulate the signed ByteRange values
• Allocate space to inject malicious content

Signature Wrapping Attack

%PDF-1.7
Original Document
1 0 obj Catalog
Further Objects
5 0 obj Signature
/Contents <324d3….770000000000000000000000000000000000000000000000000000000>
/ByteRange [a b c d]
xref
trailer
%%EOF

In /ByteRange [a b c d], a and c are the start offsets and b and d the lengths of the two signed byte ranges; the /Contents value between them is the only part of the file that is not signed. The slide marks a, b, c and d on the file accordingly.

[Diagram, built up over four slides: the original document next to a manipulated copy. In the manipulated copy /Contents is shortened to <324d3….77>, /ByteRange reads [a b c* d], and Malicious Objects, Padding and a Malicious xref sit between the signature object and the relocated second signed range (/ByteRange [a b c d], xref, trailer, %%EOF), which now starts at c* instead of c.]

Signature Wrapping: 17/22 Apps are Vulnerable

Evaluation results: ● Full Signature Bypass, ◐ Limited Signature Bypass, ○ Not vulnerable

Product                      ISA    SWA
Adobe Reader DC              ○      ○
Adobe Reader 9               ○      ○
Adobe Reader XI              ○      ●
eXpert PDF 12 Ultimate       ○      ●
Expert PDF Reader            ○      ●
Foxit Reader                 ●      ●
LibreOffice (Draw)           ◐      ○
Master PDF Editor            ●      ○
Nitro Pro                    ◐      ●
Nitro Reader                 ◐      ●
Nuance Power PDF Standard    ○      ●
PDF Architect 6              ○      ●
PDF Editor 6 Pro             ◐      ●
PDFelement 6 Pro             ◐      ●
PDF Studio Viewer 2018       ●      ●
PDF Studio Pro               ●      ●
PDF-Xchange Editor           ○      ●
PDF-Xchange Viewer           ○      ●
Perfect PDF 10 Premium       ●      ●
Perfect PDF Reader           ●      ●
Soda PDF Desktop             ○      ●
Soda PDF                     ○      ●
Total                        11/22  17/22

Attack Class #3/3: Universal Signature Forgery
• Disable signature validation
• But show “PDF is validly signed”

Universal Signature Forgery

Four variants of the signature object 10 0 obj (Signature) with a manipulated /Contents entry and an unchanged /ByteRange [a b c d]:
• ____
• /Contents ____
• /Contents null
• /Contents 0x00

Four variants of 10 0 obj (Signature) with an unchanged /Contents sig.value and a manipulated /ByteRange entry:
• ____
• /ByteRange ____
• /ByteRange null
• /ByteRange [a –b c d]
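
A structural check a validator can run against all three attack classes above, as an added example (not code from the talk or from any tested product). It assumes a file with a single signature and inspects only the layout, not the cryptographic signature; `build_sample` and its bytes are constructed for illustration.

```python
import re

BYTERANGE = re.compile(rb"/ByteRange\s*\[\s*(-?\d+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s*\]")
CONTENTS = re.compile(rb"/Contents\s*<([0-9A-Fa-f\s]*)>")

def check_signature_coverage(pdf: bytes) -> list:
    """Layout checks only; an empty list means the signed ranges are consistent."""
    br, ct = BYTERANGE.search(pdf), CONTENTS.search(pdf)
    # USF: never report "valid" when either entry is unusable.
    if br is None:
        return ["USF: /ByteRange missing, null or malformed"]
    if ct is None or not ct.group(1).strip(b"0 \r\n\t"):
        return ["USF: /Contents missing, null or all zero"]
    a, b, c, d = map(int, br.groups())
    if a != 0 or b <= 0 or c <= b or d < 0:
        return ["USF: /ByteRange values out of range"]
    findings = []
    # SWA: the only unsigned gap [a+b, c) must be exactly the <hex> value of /Contents.
    if (a + b, c) != (ct.start(1) - 1, ct.end(1) + 1):
        findings.append("SWA: unsigned gap is not exactly the /Contents value")
    # ISA: the second signed range must end at the last byte of the file.
    if c + d != len(pdf):
        findings.append("ISA: signed range ends at byte %d of %d" % (c + d, len(pdf)))
    return findings

def build_sample(shift: int = 0) -> bytes:
    """Constructed, signature-shaped bytes (no real signature); shift != 0 misplaces c."""
    tmpl = b"%%PDF-1.7\n5 0 obj\n<< /Type /Sig /ByteRange [0 %04d %04d %04d] /Contents "
    sig = b"<" + b"324d3a77" * 4 + b"0" * 16 + b">"
    tail = b" >>\nendobj\nxref\ntrailer\n%%EOF\n"
    b = len(tmpl % (0, 0, 0))
    return tmpl % (b, b + len(sig) + shift, len(tail) - shift) + sig + tail
```

A clean result here only means the signed byte ranges cover the whole file except the signature value; the signature itself still has to be verified over those ranges.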

Universal Sig. Forgery: 4/22 Apps are Vulnerable

Evaluation results: ● Full Signature Bypass, ◐ Limited Signature Bypass, ○ Not vulnerable

Product                      ISA    SWA    USF
Adobe Reader DC              ○      ○      ●
Adobe Reader 9               ○      ○      ○
Adobe Reader XI              ○      ○      ●
eXpert PDF 12 Ultimate       ○      ●      ○
Expert PDF Reader            ○      ●      ○
Foxit Reader                 ●      ●      ○
LibreOffice (Draw)           ◐      ○      ○
Master PDF Editor            ●      ○      ○
Nitro Pro                    ◐      ●      ○
Nitro Reader                 ◐      ●      ○
Nuance Power PDF Standard    ○      ●      ○
PDF Architect 6              ○      ●      ○
PDF Editor 6 Pro             ◐      ●      ◐
PDFelement 6 Pro             ◐      ●      ◐
PDF Studio Viewer 2018       ●      ●      ○
PDF Studio Pro               ●      ●      ○
PDF-Xchange Editor           ○      ●      ○
PDF-Xchange Viewer           ○      ●      ○
Perfect PDF 10 Premium       ●      ●      ○
Perfect PDF Reader           ●      ●      ○
Soda PDF Desktop             ○      ●      ○
Soda PDF                     ○      ●      ○
Total                        11/22  17/22  4/22

Evaluation Summary: 21/22 Apps are Vulnerable

Evaluation results: ● Full Signature Bypass, ◐ Limited Signature Bypass, ○ Not vulnerable

Product                      ISA    SWA    USF    Summary
Adobe Reader DC              ○      ○      ●      ●
Adobe Reader 9               ○      ○      ○      ○
Adobe Reader XI              ○      ●      ●      ●
eXpert PDF 12 Ultimate       ○      ●      ○      ●
Expert PDF Reader            ○      ●      ○      ●
Foxit Reader                 ●      ●      ○      ●
LibreOffice (Draw)           ◐      ○      ○      ●
Master PDF Editor            ●      ○      ○      ●
Nitro Pro                    ◐      ●      ○      ●
Nitro Reader                 ◐      ●      ○      ●
Nuance Power PDF Standard    ○      ●      ○      ●
PDF Architect 6              ○      ●      ○      ●
PDF Editor 6 Pro             ◐      ●      ◐      ●
PDFelement 6 Pro             ◐      ●      ◐      ●
PDF Studio Viewer 2018       ●      ●      ○      ●
PDF Studio Pro               ●      ●      ○      ●
PDF-Xchange Editor           ○      ●      ○      ●
PDF-Xchange Viewer           ○      ●      ○      ●
Perfect PDF 10 Premium       ●      ●      ○      ●
Perfect PDF Reader           ●      ●      ○      ●
Soda PDF Desktop             ○      ●      ○      ●
Soda PDF                     ○      ●      ○      ●
Total                        11/22  17/22  4/22   21/22

PDF Encryption

PDFex
• Attack with a logo
• Novel attack techniques targeting PDF encryption
  • Direct exfiltration
  • Malleability gadgets

PDF: the de-facto standard for office documents
• Supports AES encryption
• Uses AES with CBC mode of operation
• No MAC (or any integrity protection)
AES is good. Nothing can go wrong.

Who uses PDF Encryption?
[Examples shown on four slides. Sources: Kreissparkasse Stade; Encryptomatic LCC; Sharp Corporation; US Department of Justice]

Attacker Model
[Diagram labels: Alice, Bob; Storage; Password: ******]

Attacking PDF Encryption
Direct Exfiltration

PDF Encryption in a Nutshell

Gaps in PDF Encryption
• Document structure is unencrypted!
  • Only strings and streams are encrypted
• Reveals a lot of information
  • Number/size of pages/objects/links/…

Gaps in PDF Encryption
• Support for partial encryption!
  • Attacker's content can be mixed with actually encrypted content
We found 18 different techniques!

Direct Exfiltration
Can we somehow exfiltrate the plaintext?

Direct Exfiltration through PDF Forms

Direct Exfiltration via Hyperlinks

Direct Exfiltration with JavaScript

Attacking PDF Encryption
Malleability Gadgets

Malleability Gadgets
• Ciphertext Malleability
• Known Plaintext
• Exfiltration Channel

CBC Malleability
Ciphertext blocks IV, C0, C1 decrypt to P0 = BT\n/F1 22 Tf\n and P1 = 70 750 Td

CBC Malleability
Ciphertext blocks IV', C0, C1 decrypt to P0' = ZT\n/F1 22 Tf\n and P1 = 70 750 Td

CBC Malleability Gadget
Ciphertext blocks IV ⊕ P0, C0, C1 decrypt to P0 ⊕ P0 = 00 00 00 00 00 00 00 00 and P1 = 70 750 Td

CBC Malleability
Ciphertext blocks IV ⊕ P0 ⊕ Pc, C0, C1 decrypt to Pc = (http://p.df/ and P1 = 70 750 Td

CBC Malleability
Ciphertext blocks C(n−1), IV ⊕ P0 ⊕ Pc, C0 decrypt to P(n−1) = 70 750 Td, a Random block, and Pc = (http://p.df/

Malleability Gadgets
• Ciphertext Malleability
• Known Plaintext
• Exfiltration Channel

Known Plaintext
known plaintext by design

Known Plaintext
Document wide Key

• Add permissions to the PDF Format
• Encrypt them to prevent tampering
• Known plaintext is available to attackers!

Malleability Gadgets
• Ciphertext Malleability
• Known Plaintext
• Exfiltration Channel

Evaluation

Evaluation results: ● Exfiltration (no user interaction), ◐ Exfiltration (with user interaction), ○ No exfiltration / not vulnerable

Platform  Application            Direct Exfiltration  Malleability Gadgets
Windows   Acrobat Reader DC      ●                    ◐
Windows   Foxit Reader           ◐                    ◐
Windows   PDF-XChange Viewer     ●                    ◐
Windows   Perfect PDF Reader     ●                    ●
Windows   PDF Studio Viewer      ●                    ●
Windows   Nitro Reader           ●                    ●
Windows   Acrobat Pro DC         ●                    ◐
Windows   Foxit PhantomPDF       ◐                    ◐
Windows   PDF-XChange Editor     ●                    ◐
Windows   Perfect PDF Premium    ●                    ●
Windows   PDF Studio Pro         ●                    ●
Windows   Nitro Pro              ●                    ●
Windows   Nuance Power PDF       ●                    ◐
Windows   iSkysoft PDF Editor    ◐                    ◐
Windows   Master PDF Editor      ●                    ●
Windows   Soda PDF Desktop       ◐                    ◐
Windows   PDF Architect          ◐                    ◐
Windows   PDFelement             ◐                    ◐
macOS     Preview                ○                    ◐
macOS     Skim                   ○                    ◐
Linux     Evince                 ◐                    ◐
Linux     Okular                 ◐                    ◐
Linux     MuPDF                  ◐                    ◐
Web       Chrome                 ●                    ●
Web       Firefox                ○                    ◐
Web       Safari                 ○                    ◐
Web       Opera                  ●                    ●

Countermeasures

Signatures
• Signed PDFs should prevent the attack, right?
WRONG:
1. Do not prevent opening
2. Can be stripped
3. Can be forged

Closing Backchannels
• Close all exfiltration channels!
  • Hard to do!
  • How do you even find all of them in a ca. 800 pages standard?
• Should we really remove …
  • Forms
  • Hyperlinks
  • JavaScript (okay, maybe that one)
• Ask the user before connecting to a server

Short Term Mitigation
Apple:
Google:

Mitigation
• Against wrapping attacks:
  • Deprecate partial encryption
  • Short term: No access from unencrypted to encrypted objects
• Against CBC Gadget attacks:
  • Use authenticated encryption
  • Be careful of downgrade attacks

Mitigation
“This has been escalated to the ISO working group on Crypto and Signatures and will be taken up in the next revision of the PDF Spec.”
- Adobe

Conclusion

Lessons Learned
Developers
• Error tolerance breaks signatures
PDF Specification
• Partial encryption
• No integrity protection
Security Community
• Little research for “Crypto in PDFs”

More Info
https://www.pdf-insecurity.org/