Can You Trust Digital Signatures in PDF Files?

upnorth

upnorth

Level 68
Thread author
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Hardly a company or government agency exists that does not use PDF files. And they often use digital signatures to ensure the authenticity of such documents. When you open a signed file in any PDF viewer, the program displays a flag indicating that the document is signed, and by whom, and gives you access to the signature validation menu.

So, a team of researchers from several German universities set out to test the robustness of PDF signatures. Vladislav Mladenov from Ruhr-Universität Bochum shared the team’s findings at the Chaos Communication Congress (36С3).The researchers’ task was simple: Modify the contents of a signed PDF document without invalidating the signature in the process. In theory, cybercriminals could do the same to impart false information or add malicious content to a signed file. After all, clients who receive a signed document from a bank are likely to trust it and click on any links in it. The team selected 22 popular PDF viewers for various platforms, and systematically fed them the results of their experiments.
Click to expand...
First, the team tried to add extra sections to the file with another incremental update using a text editor. Strictly speaking, that’s not an attack — the team simply used a function implemented by the creators of the format. When a user opens a file that’s been modified in this way, the PDF reader usually displays a message saying that the digital signature is valid but the document has been modified. Not the most enlightening message, especially not for an inexperienced user. Worse, one of the PDF viewers (LibreOffice) did not even show the message.

The next experiment involved removing the two final sections (that is, adding an update to the body, but not the new Xref and trailer). Some applications refused to work with such a file. Two PDF viewers saw that the sections were missing and automatically added them without notifying the reader about a change in content. Three others swallowed the file without any objection.

Next, the researchers wondered what would happen if they simply copied the digital signature into their own “manual” update. Two more viewers fell for it — Foxit and MasterPDF. In total, 11 of the 22 PDF viewers proved vulnerable to these simple manipulations. What’s more, six of them showed absolutely no signs that the document opened for viewing had been modified. In the other five cases, to reveal any sign of manipulation, the user had to enter the menu and check the validity of the digital signature manually; simply opening the file was insufficient.
Click to expand...
The summary results table shows that no fewer than 21 of the 22 PDF viewers could be hoodwinked. That is, for all but one of them, it is possible to create a PDF file with malicious content or false information that looks valid to the user.
Click to expand...
36C3-PDF-digital-signature-4.png

www.kaspersky.com

Can you trust digital signatures in PDF files?

Researchers try to modify the contents of a signed PDF file without invalidating the signature.
www.kaspersky.com www.kaspersky.com
 
  • Like
  • +Reputation
Reactions: CyberTech, roger_m, SeriousHoax and 10 others
valvaris

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
@SeriousHoax and @bribon77 - I think they did not test every PDF Reader / Editor out there. ;) It does not mean that they are not vulnerable to those attacks.

Not to sound like a "spoil brat" but in general if it can be attacked in such a way PDF signatures as such are suxxx. Now that is just one layer that is effected. The way company's communicate is via E-Mail (Signed) or Enterprise Chat (Teams, Slack and Co.) - If so then there is another layer to consider. This is just an example of direct PDF attack. ^^

Sincerely
Val.
 
Last edited:
  • Like
Reactions: CyberTech, Outpost, Handsome Recluse and 4 others
SeriousHoax

SeriousHoax

Level 51
Verified
Top Poster
Well-known
Mar 16, 2019
4,063
valvaris said:
@SeriousHoax and @bribon77 - I think they did not test every PDF Reader / Editor out there. ;) It does not mean that they are not vulnerable to those attacks.

Not to sound like a "spoil brat" but in general if it can be attacked in such a way PDF signatures as such are suxxx in general. Now that is just one layer that is effected. The way company's communicate is via E-Mail (Signed) or Enterprise Chat (Teams, Slack and Co.) - If so then there is another layer to consider. This is just an example of direct PDF attack. ^^

Sincerely
Val.
Click to expand...
You could be right but they said they tested 22 popular PDF readers and Sumatra is definitely more popular than some of the PDF readers mentioned there which I never heard of before. Unlike some others it's not very feature rich either, just basic PDF and EPUB reading capability. So it's possible that it's not vulnerable to these.
 
  • Like
Reactions: CyberTech, TairikuOkami, harlan4096 and 4 others
valvaris

valvaris

Level 6
Verified
Well-known
Jul 26, 2015
263
Like before maybe I did not come out clear. :D

50/50 on that part - To be honest not tested not listed - So danger is always involved. But what is not in the IT... cat and mouse...

Sincerely
Val.
 
  • Like
Reactions: Handsome Recluse and upnorth
shmu26

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Umm, I use Sumatra too, but can it even tell you whether a doc is digitally signed or not?
If it can't even do that, then what are we discussing?
Sumatra is secure for a different reason: even if the doc is weaponized, Sumatra doesn't support the scripting and other advanced functions that the attack is based on.
 
  • Like
Reactions: SeriousHoax, bribon77, Outpost and 3 others
upnorth

upnorth

Level 68
Thread author
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
shmu26 said:
Umm, I use Sumatra too, but can it even tell you whether a doc is digitally signed or not?
If it can't even do that, then what are we discussing?
Click to expand...
Good question and good point. Personal I have no idea if Sumatra can inform about that. I never used it, but it should be dead easy to find out in Sumatras own manuals/guides or in it's main UI. If it for some reason don't have that feature, I wouldn't recommend it as a first choice for reading digitally signed files.
 
  • Like
Reactions: shmu26 and harlan4096
TairikuOkami

TairikuOkami

Level 38
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,773
shmu26 said:
Umm, I use Sumatra too, but can it even tell you whether a doc is digitally signed or not?
If it can't even do that, then what are we discussing?
Click to expand...
If I read it correctly, the last comment from 2018 states, that they do not support it, because it can be exploited as per article. :D
The code to sign and read signed files is waiting for exploitation, files can be very easily decrypted and forged signatures can be added as if from a trusted party, agreed they will show evidence of tampering when inspected but many users simply just trust the fact they are "signed" no matter by who.
Personally I prefer a PDF Reader without Javascript, Now I wonder which one that might be?
Click to expand...
github.com

digital signature support · Issue #59 · sumatrapdfreader/sumatrapdf

It would be great to have abilite to check digital signature in pdf -> Like in Adobe it should show that pdf is signed and with what signature, and who signed that digital signature. In version 3.0...
github.com github.com
 
  • Like
  • +Reputation
Reactions: CyberTech, SeriousHoax, Gandalf_The_Grey and 4 others
upnorth

upnorth

Level 68
Thread author
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
This case is one of those I would call, a whitepaper attack.
media.ccc.de

How to Break PDFs

PDF is the most widely used standard for office documents. Supported by many desktop applications, email gateways and web services soluti...
media.ccc.de media.ccc.de
If one watch their video presentation, I barely managed because it was very boring just as they warned and they even mention the 3 attacks that they found working is very hard to achieve, even if one was for themselves " trivial ", it's no major issue for the time being for common/home users. Especially with latest updated PDF readers. With targeted attacks it sounds like another deal, but they already communicate with several of the effected companies/vendors and even got this acknowledge by Adobe.

This also effects browsers. For example in Windows 10, Edge is the default reader for pdf files until one install and actively choose something else, but Edge was exclude because :
did not support AES256 PDF encryption (e.g., Microsoft Edge) or if the cost to obtain them would be prohibitive.
Click to expand...
Opera, failed miserably in their tests. :cry:

4oj4aX9A_o.png


But, there's a light in the end of this tunnel. The vulnerabilities has so called CVE ( Common Vulnerabilities and Exposures ) numbers and if one follow those it's easy to see that latest versions of for example Acrobat Reader ( 2019.021.20061 ) is not exposed or effected and as Operas latest stable version is on 66.0.3515.36 compered to 57.0.3098.106 in the test, I wouldn't be surprised if that is also covered/fixed by now.

NVD - CVE-2018-16042

nvd.nist.gov nvd.nist.gov
I also searched for CVE-2018-18688 and CVE-2018-18689, and most vendors already seems to have released patched versions.
SeriousHoax said:
The one I use, Sumatra PDF is not included in the list so I guess it's not vulnerable.
Click to expand...
bribon77 said:
The same here I use Sumatra PDF, it is small but sufficient and seems not to have the problems that others have.:)
Click to expand...
If you use another Reader, you should contact the support team for your application.
Click to expand...
 
  • Like
Reactions: Protomartyr, valvaris, bribon77 and 4 others
L

Local Host

SeriousHoax said:
You could be right but they said they tested 22 popular PDF readers and Sumatra is definitely more popular than some of the PDF readers mentioned there which I never heard of before. Unlike some others it's not very feature rich either, just basic PDF and EPUB reading capability. So it's possible that it's not vulnerable to these.
Click to expand...
Had they tested Sumatra and seen it was not vulnerable, it would have been mentioned.
 
  • Like
Reactions: Gandalf_The_Grey and upnorth

Similar threads

Brownie2019
Unlimited Giveaway Coolmuster PDF Splitter 1yr for free
Replies
3
Views
697
Giveaways, Promotions and Contests
Brownie2019
Brownie2019
Brownie2019
Unlimited Giveaway Coolmuster PDF Image Extractor 1yr for free
Replies
0
Views
422
Giveaways, Promotions and Contests
Brownie2019
Brownie2019
Brownie2019
Unlimited Giveaway Coolmuster JPG to PDF Converter 1yr for free
Replies
1
Views
562
Giveaways, Promotions and Contests
Brownie2019
Brownie2019

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top