Two New Attack Techniques Discovered to Alter Certified PDFs

Security researchers from the Ruhr University Bochum uncovered two new attack techniques to alter and modify PDF documents, allowing an attacker to replace certified content with malicious content.

It is better to be proactive in finding security loopholes. Discovering and fixing unpatched vulnerabilities or other security flaws before cybercriminals exploit them helps protect critical data. Threat actors often come up with new attack techniques to compromise targeted individuals or networks. Detecting such potential attacks in advance helps mitigate the damage.

Recently, cybersecurity researchers from the Ruhr University Bochum have unveiled two new attack techniques on certified PDF documents that could allow an attacker to change the certified content and replace it with malicious content without altering its digital signature.

The two new attacks, dubbed the Evil Annotation Attack (EAA) and the Sneaky Signature Attack (SSA), exploit the flexibility of PDF certification by adding annotations to certified documents. The EAA alters a certified document by adding malicious code, while the SSA manipulates the appearance of the certified content by overlaying signature elements on the document. The researchers claimed that, using exploits compliant with the PDF specification, an attacker could change the legitimate content in 15 of 26 viewer applications with EAA and in eight applications with SSA.

“By inserting a signature field, the signer can define the exact position of the field, and additionally, its appearance and content. This flexibility is necessary since each new signature could contain the signer’s information. The information can be a graphic, a text, or a combination of both. Nevertheless, the attacker can misuse the flexibility to stealthily manipulate the document and insert new content,” the researchers said.

According to the research, 15 of 26 PDF applications were found vulnerable to EAA attacks, allowing an attacker to alter the content in the PDF document. Multiple issues were found in Adobe Acrobat Reader (CVE-2021-28545 and CVE-2021-28546), Foxit Reader (CVE-2020-35931), and Nitro Pro, which could lead to EAA attacks. In addition, Soda PDF Desktop, PDF Architect, and six other PDF applications were found vulnerable to SSA attacks.

“Although neither EAA nor SSA can change the content itself – it always remains in the PDF – annotations and signature fields can be used as an overlay to add new content. Victims opening the PDF are unable to distinguish these additions from regular content. And even worse: annotations can embed high privileged JavaScript code that is allowed to be added to certain certified documents,” the researchers added. 
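A defender can check for the overlay pattern the researchers describe by looking at what was appended to a file after its signed revision. The following is an added example, not code from the researchers or from any PDF product: a heuristic that treats the first `/ByteRange` as the certified revision and scans only uncompressed bytes after it; the function names and the sample input are constructed for illustration.

```python
import re

# /ByteRange [a b c d]: the signature covers bytes a..a+b and c..c+d,
# so the signed revision ends at offset c+d.
BYTE_RANGE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")

# Object types the article names as usable for overlays after certification.
MARKERS = {
    "annotation": re.compile(rb"/Type\s*/Annot\b|/Annots\b"),
    "signature_field": re.compile(rb"/FT\s*/Sig\b"),
    "javascript": re.compile(rb"/S\s*/JavaScript\b|/JS\b"),
}


def signed_end(pdf: bytes):
    """Return the end offset of the first signed revision, or None."""
    m = BYTE_RANGE.search(pdf)
    if m is None:
        return None
    a, b, c, d = (int(g) for g in m.groups())
    # Reject ranges that do not describe this file (malformed or forged).
    if a != 0 or a + b > c or c + d > len(pdf):
        raise ValueError("inconsistent /ByteRange")
    return c + d


def post_signature_additions(pdf: bytes):
    """List marker names found in bytes appended after the signed revision."""
    end = signed_end(pdf)
    if end is None:
        return None  # no signature at all
    tail = pdf[end:]
    return sorted(name for name, rx in MARKERS.items() if rx.search(tail))


def make_sample(update: bytes = b"") -> bytes:
    """Constructed input (not a real PDF): one signed revision plus `update`."""
    prefix = b"%PDF-1.7\n5 0 obj\n<< /Type /Sig /Contents "
    hole = b"<" + b"00" * 16 + b">"
    tmpl = b" /ByteRange [0 %04d %04d %04d] >>\nendobj\n%%%%EOF\n"
    d = len(tmpl % (0, 0, 0))
    suffix = tmpl % (len(prefix), len(prefix) + len(hole), d)
    return prefix + hole + suffix + update


if __name__ == "__main__":
    overlay = b"9 0 obj\n<< /Type /Annot /Subtype /FreeText /Rect [0 0 600 800] >>\nendobj\n%%EOF\n"
    print(post_signature_additions(make_sample(overlay)))  # ['annotation']
```

A non-empty result means content was layered on after signing and the document deserves manual review; it does not by itself prove tampering, and additions stored in compressed object streams are not seen by this scan.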

Sanitize PDFs to Avoid Risks

Cybercriminals often focus on harvesting sensitive data from poorly sanitized PDFs. PDF sanitization is the process of removing classified and sensitive data from a protected document before its publication. An analysis found that security agencies do not sanitize PDF docs before sending them to others. The analysis collected a corpus of 39,664 PDF files published by 75 security agencies, from 47 countries, to find out the quality and quantity of data leaked from these PDF files.