Official letters, Amazon invoices, legal texts: researchers have managed to slip manipulated documents past popular PDF readers, using simple means. Warnings were almost never shown.
Monday, 25.02.2019 – Spiegel Online
Their success surprised the researchers themselves. Hardly any common program noticed when electronically signed PDF files were manipulated in a simple way in their tests. Invoices, official letters and payment reminders could be forged, and in such a way that most PDF readers concluded that everything was fine with the documents' electronic signature.
The scientists work at Ruhr-University Bochum; they published their research report on Monday. In the meantime, at least some vendors have issued fixes. But one thing seems clear: PDF signatures should not be relied on one hundred percent.
The idea behind digital signatures is reminiscent of the classic wax seal: as long as the envelope is closed and the right seal is pressed onto it, the contents are considered untouched. Subsequent changes are thus hardly possible. Digital signatures are meant to work the same way: the author writes a text and seals the document digitally. As soon as someone changes anything in the document, PDF readers should indicate that the signature is invalid.
Only once was the scheme detected
So much for the theory. As part of their investigation, the researchers forged, among other things, a signed original PDF invoice from Amazon and raised the refund amount to one trillion dollars. 21 of 22 PDF readers did not notice that the document had been altered.
Even PDF pioneer Adobe failed with its Acrobat Reader, according to the researchers. The program did not detect the changes, nor did Foxit Reader, Nitro PDF and PDF Studio Pro. Only an old version of Acrobat Reader on a Linux system noticed the fraud. A similar picture reportedly emerged with online providers: five of six PDF validation services on the web failed.
For criminal hackers the manipulation is easy to carry out, Vladislav Mladenov from the research team told SPIEGEL. "We used very simple tools such as text editors." The content could be manipulated without any problems. "Short sentences or numbers can be changed in barely a minute." Only changing the document's design takes longer.
Mladenov sees the problem primarily in the guidelines for developers. Adobe's PDF specification does not describe precisely what to adhere to when implementing digital signatures, he says. "The guidance is only very vague and does not describe how the signatures should actually be verified."
Companies and government agencies are affected
In principle, no PDF document is safe from changes like those made by the researchers: "With this method, all digitally signed PDF documents such as legal texts and invoices can be manipulated," says Christian Mainka, who also worked on the project.
PDF signatures are used by numerous companies that send invoices with electronic signatures to their customers. These include Amazon, the car rental company Sixt and the sporting goods retailer Decathlon, which are explicitly mentioned in the research report.
But government agencies also send signed PDF files. Since July 2016, the EU's eIDAS regulation has applied to European countries such as Germany. According to it, digital correspondence between countries, and also between citizens and authorities, must be handled with digital signatures. This includes PDF documents whose Adobe security certificates officially meet the eIDAS criteria.
Many developers have already issued fixes
Because so many PDF readers could be fooled, the researchers alerted the Federal Office for Information Security (BSI) to the vulnerabilities in October. The agency has since written to all developers of the tested software: many programs are said to be secure again after an update. The latest Adobe version is also now said to be immune. "In Adobe Reader we discovered very annoying bugs, which were however fixed very quickly," says Christian Mainka.
Although the BSI says it is not aware of any concrete cases, one should assume that fraudsters could abuse the weaknesses. Since the vulnerabilities concern local systems, "practical exploitation is entirely possible," a BSI spokesperson told SPIEGEL. "The BSI is in contact with affected authorities and supports them as needed in dealing with this challenge."
The BSI's recommendation: anyone who is unsure should re-check suspicious PDF documents with a patched reader. Which versions of the PDF readers are affected is given in this list. Many vendors have already provided an update that eliminates the vulnerabilities.
see also: https://www.pdf-insecurity.org/
New Attacks Show Signed PDF Documents Cannot Be Trusted
By Eduard Kovacs on February 26, 2019
Many popular PDF viewers and online validation services contain vulnerabilities that can be exploited to make unauthorized changes to signed PDF documents without invalidating their signature, researchers have warned.
A team of researchers from the Ruhr-University Bochum in Germany has analyzed 22 desktop applications (including their Windows, Linux and macOS versions) and 7 online validation services.
PDF signatures, which rely on cryptographic operations, are widely used by organizations around the world to ensure that their documents are protected against unauthorized modifications. Many governments sign their official documents, researchers often sign scientific papers, and major companies such as Amazon are known to sign documents such as invoices. If a signed document has been changed, its signature should become invalid.
However, the researchers from Ruhr-University Bochum have demonstrated that a vast majority of PDF viewers and online validation services are vulnerable to at least one of the three PDF signature spoofing attack methods they have identified.
The experts showed that an unauthorized user could leverage various techniques to make changes to a PDF document without invalidating its signature.
The list of vulnerable applications includes Adobe Reader, Foxit Reader, LibreOffice, Nitro Reader, PDF-XChange and Soda PDF, which are some of the most popular PDF readers. The list of affected validation services includes DocuSign, eTR Validation Service, DSS Demonstration WebApp, Evotrust, and VEP.si.
The only application that was not vulnerable to at least one type of attack was Adobe Reader 9 running on Linux, while the only non-vulnerable online service was the 5.4 version of the DSS Demonstration WebApp. The researchers have been working with CERT-Bund, Germany’s governmental CERT, to notify impacted vendors and provide them the information needed to address the issues. While some online services have yet to roll out patches, all of the companies providing PDF viewing apps have released fixes.
The three attack methods identified by researchers have been named Universal Signature Forgery (USF), Incremental Saving Attack (ISA), and Signature Wrapping Attack (SWA).
In the case of USF, an attacker can manipulate meta information in the signature so that the application used to open the altered PDF finds the signature, but not the data needed for validation. Despite the missing information, the signature is still shown as valid by some applications, such as Acrobat Reader DC and Reader XI.
The ISA attack, which affects many of the tested apps and services, leverages a legitimate feature in the PDF specification. This feature allows files to be updated by appending changes, such as storing annotations or adding new pages to the document. An attacker can modify a document by making changes to an element that is not part of the signature integrity protection.
Finally, the SWA attack, which impacts many PDF apps and some online validation services, forces the signature verification logic to process different data by “relocating the originally signed content to a different position within the document and inserting new content at the allocated position.”
The researchers have published a paper and created a dedicated website, both of which contain the technical details of the attacks.
from: https://www.securityweek.com/new-attacks-show-signed-pdf-documents-cannot-be-trusted
see also: https://www.pdf-insecurity.org/
How to break PDF Signatures
If you open a PDF document and your viewer displays a panel (like the one you see below) indicating that
- the document is signed by invoicing@amazon.de and
- the document has not been modified since the signature was applied,
then you assume that the displayed content is precisely what invoicing@amazon.de has created.
During recent research, we found out that this is not the case for almost all PDF Desktop Viewers and most Online Validation Services.
So what is the problem?
With our attacks, we can use an existing signed document (e.g., amazon.de invoice) and change the content of the document arbitrarily without invalidating the signatures. Thus, we can forge a document signed by invoicing@amazon.de to refund us one trillion dollars.
To detect the attack, you would need to be able to read and understand the PDF format in depth. Most people are probably not capable of such a thing (PDF file example).
To recap this, you can use any signed PDF document and create a document which contains arbitrary content in the name of the signing user, company, ministry or state.
Who uses PDF Signatures?
Since 2014, organizations delivering public digital services in an EU member state are required to support digitally signed documents such as PDF files by law (eIDAS).
In Austria, every governmental authority digitally signs any document §19. Also, any new law is legally valid after its announcement within a digitally signed PDF. Several countries like Brazil, Canada, the Russian Federation, and Japan also use and accept digitally signed documents.
The US government protects PDF files with PDF signatures, and individuals can report tax withholdings by signing and submitting a PDF.
Outside Europe, Forbes ranks the electronic signature and digital transactions company DocuSign as No. 4 in its Cloud 100 list. Many companies sign every document they deliver (e.g., Amazon, Decathlon, Sixt). Standardization documents, such as ISO and DIN, are also protected by PDF signatures. Even in the academic world, PDF signatures are sometimes used to sign scientific papers (e.g., ESORICS proceedings).
According to Adobe Sign, the company processed 8 billion electronic and digital signatures in 2017 alone.
Currently, we are not aware of any exploits using our attacks.
How bad is it?
We evaluated our attacks against two types of applications: the commonly known desktop applications everyone uses on a daily basis, and online validation services. The latter are often used in the business world to validate the signature of a PDF document, returning a validation report as a result.
During our research, we identified 21 out of 22 desktop viewer applications and 5 out of 7 online validation services vulnerable against at least one of our attacks.
You can find the detailed results of our evaluation on the following web pages:
How can I protect myself?
As part of our research, we started a responsible disclosure procedure on 9th October 2018, after we identified 21 out of 22 desktop viewer applications and 5 out of 7 online validation services as vulnerable against at least one of our attacks.
In cooperation with the BSI-CERT, we contacted all vendors, provided proof-of-concept exploits, and helped them to fix the issues.
You can take a look at which PDF reader you are using and compare the versions. If you use one of our analyzed desktop viewer applications, you should already have received an update for your reader.
My PDF Reader is not listed
If you use another Reader, you should contact the support team for your application.
Technical details of the attacks
We developed three classes of attacks on PDF Signatures. Each attack class abuses a missing signature verification step.
Attack 1: Universal Signature Forgery (USF)
The main idea of USF is to disable the verification by providing invalid content within the signature object or removing the references to the signature object. Thus, despite the fact that the signature object is provided, the validation logic is not able to apply the correct cryptographic operations. Nevertheless, it could be possible that a viewer shows some signature information although the verification is being skipped.
Technically, each PDF signature is defined in a PDF signature object, e.g., 5 0 obj. Without going into too many details, this object contains all information necessary to validate the signature. Most importantly for our attacks, the signature object contains a /ByteRange entry, which defines the offsets of the bytes used to compute the hash of the signature. The signature itself is then stored in a /Contents entry as a PKCS7 blob (in most cases).
The USF attack manipulates those entries in the signature object to confuse the signature validation logic, as shown in the picture below.
Attack 2: Incremental Saving Attack (ISA)
This class of attack relies on the PDF feature incremental saving (incremental update). The idea of the attack is to make an incremental saving on the document by redefining the document’s structure.
In a legitimate use-case, incremental saving is used, for example, to add annotations to a PDF. The annotations themselves are incrementally saved after the original content of the PDF as a new PDF body. Incremental saving is also used for signing a PDF: the signature object is simply appended to the original file content.
The idea of ISA is the following:
The attacker takes a signed PDF, adds new content (pages, annotations, etc.) and stores it at the end of the file using incremental saving. This is basically not an attack, but a feature of PDF. A vulnerability appears once the signature validation logic does not notice that the file content has been updated, i.e., that new, unsigned content has been added to the file. To achieve this behavior, we identified multiple variants of the attack as shown below:
Please note that Variant 1 itself is not a real attack vector. It is the intended file structure of a signed PDF that has been updated using incremental saving. Variants 2-4 are not compliant with the PDF specification, e.g., they do not define a new xref or trailer, but PDF applications are error tolerant and display the content anyway.
In total, the ISA attack is successful if:
- the new Content (Body Updates) is shown and
- the application does not notice that the document has been modified or updated.
Attack 3: Signature Wrapping (SWA)
The SWA introduces a novel technique to bypass signature protection without using incremental saving.
The main idea is to move the second part of the signed /ByteRange to the end of the document while reusing the xref pointer within the signed trailer, which now points to an attacker-manipulated xref. To avoid any processing of the relocated second part, it can optionally be wrapped in a stream object or a dictionary. In the picture below, two documents are depicted. On the left side, a validly signed PDF file is depicted. On the right side, a manipulated PDF file generated by using SWA is depicted.
The attack works as follows:
- (optional): The attacker deletes the padding zero bytes within the /Contents entry to increase the available space for injecting manipulated objects.
- The attacker defines a new /ByteRange [a,b,c,d]* by manipulating the c value, which now points to the second signed part placed on a different position within the document.
- The attacker creates a new xref pointing to the new objects. It is essential that the newly inserted xref has the same byte offset as the previous xref. The position is not changeable since it is referenced by the signed trailer. For this purpose, the attacker can add a padding block (e.g., using whitespace) before the new xref to fill the unused space.
- The attacker injects malicious objects which are not protected by the signature. There are different injection points for these objects. If Step 1 is executed, they can be placed before or after the malicious xref. If Step 1 is not executed, it is only possible to place them after the malicious xref.
- Some PDF viewers need a trailer after the manipulated xref; otherwise they cannot open the PDF file or detect the manipulation and display a warning message. Copying the last trailer is sufficient to bypass this limitation.
- The attacker moves the signed content defined by c and d at byte offset c*. Optionally, the moved content can be encapsulated within a stream object.
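As an added example (not code from the researchers or from pdf-insecurity.org), the structural pre-check a verifier should apply to the /ByteRange and /Contents entries described under Attack 1, before any cryptography: the two signed ranges must cover the whole file and the only gap between them must be the /Contents hex string, which is exactly what the ISA (unsigned bytes after the signed range) and SWA (unsigned bytes between the signed parts) layouts violate. `make_signed_pdf` and `insert_between_signed_parts` are assumed test fixtures that build minimal PDFs with these layouts; a real verifier must still hash the signed ranges and check the PKCS7 signature.

```python
import re

# ---- constructed fixtures (not real Amazon/Adobe files) ----------------------

def make_signed_pdf(contents_hex: bytes, tail: bytes = b"") -> bytes:
    """Minimal PDF whose /ByteRange excludes exactly the /Contents hex string.
    `tail` is appended after %%EOF and is NOT covered by the signature, which is
    what an incremental update (ISA layout) looks like on disk."""
    head_tmpl = b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
    rest = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"
    a = len(head_tmpl % (0, 0, 0))      # fixed-width fields keep offsets stable
    c = a + len(contents_hex) + 2       # skip "<" + hex + ">"
    head = head_tmpl % (a, c, len(rest))
    return head + b"<" + contents_hex + b">" + rest + tail

BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

def check_byterange(pdf: bytes) -> list:
    """Structural pre-check a verifier should run before any cryptography.
    Returns a list of findings; an empty list means the two signed ranges cover
    the whole file and the only gap between them is the /Contents hex string."""
    m = BYTERANGE_RE.search(pdf)
    if not m:
        # No usable /ByteRange: the hash cannot be computed, so nothing must be
        # reported as "valid" (the USF class manipulates exactly these entries).
        return ["no parseable /ByteRange; signature must be reported as invalid"]
    a, b, c, d = (int(x) for x in m.groups())
    findings = []
    if a != 0:
        findings.append(f"signed range starts at byte {a}, not 0")
    if a + b > c:
        findings.append("signed ranges overlap")
    elif not re.fullmatch(rb"<[0-9A-Fa-f\s]*>", pdf[a + b:c]):
        # SWA relocates the second signed part, so unsigned objects end up here.
        findings.append("unsigned bytes between the signed ranges (SWA-style gap)")
    if c + d != len(pdf):
        # ISA appends a new body after the signed bytes; "valid" would be wrong.
        findings.append(f"{len(pdf) - c - d} unsigned byte(s) after the signed range (ISA-style update)")
    return findings

def insert_between_signed_parts(pdf: bytes, injected: bytes) -> bytes:
    """Fixture: put `injected` after /Contents and bump c so the second signed
    part is found further down, mimicking the SWA file layout (a == 0 assumed)."""
    m = BYTERANGE_RE.search(pdf)
    _, b, c, d = (int(x) for x in m.groups())
    new_range = b"/ByteRange [0 %010d %010d %010d]" % (b, c + len(injected), d)
    return pdf[:m.start()] + new_range + pdf[m.end():c] + injected + pdf[c:]
```

A reader that passes this check can still be fooled by a bad PKCS7 implementation, so it complements rather than replaces cryptographic verification.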
Evaluation
We evaluated our attacks against two types of applications: the typically known desktop applications everyone uses on a daily basis, and online validation services. The latter are often used in the business world to validate the signature of a PDF document, returning a validation report as a result.
During our research, we identified 21 out of 22 desktop viewer applications and 5 out of 7 online validation services as vulnerable against at least one of our attacks.
You can find the detailed results of our evaluation on the following web pages:
What is the root cause of the problem?
Because most of the analyzed software is closed source we can only guess, but in our opinion there are two main reasons for the successful attacks:
- The specification is very vague about signatures and especially about how to validate them.
- The analyzed readers are very tolerant about opening, validating and showing malformed PDF files.
Acknowledgements
We would like to thank the CERT-Bund team for their great support during the responsible disclosure process. We also want to acknowledge the vendor teams which reacted to our report and fixed the vulnerable implementations.
Florian Zumbiehl
We would like to acknowledge Florian Zumbiehl, who found an interesting attack related to PDF signatures in PDF viewers back in 2010.
DocuSign researcher
We want to acknowledge the research of John Heasman and his team @ DocuSign for finding one variant of the Signature Wrapping attack independently of our research. They tested and reported their attack against the following products:
from: https://www.pdf-insecurity.org/