A joint group of researchers from the Ruhr University and Münster University introduced the PDFex attack, which can be used to extract and steal data from encrypted PDF files, sometimes even without user interaction. The attack works against 27 PDF viewers, including popular products such as Adobe Acrobat, Foxit Reader, Evince and Nitro, as well as the built-in PDF viewers in Chrome and Firefox.
“The researchers' method is not aimed at encryption applied to PDF files by external software, but at the encryption schemes themselves, which are supported by the Portable Document Format (PDF) standard,” say the researchers.
For example, the PDF standard supports native encryption, so a file encrypted by one PDF application can then be opened by any other. This means users are not tied to one specific solution for working with PDF.
“Firstly, many data formats only allow encryption of parts of the content (for example, XML, S/MIME, PDF). Such encryption flexibility is difficult to deal with, and as a result, the attacker can add his own content [to the file], which can lead to data extraction. Secondly, when it comes to encryption, AES-CBC (and encryption without integrity protection) is still very widely supported. Even the latest PDF 2.0 specification, released in 2017, still relies on it. This should be fixed in future PDF specifications,” the experts write.
In their report, the experts describe two variants of PDFex.
The second variant of the PDFex attack, in contrast, targets the encrypted parts of the PDF file and uses CBC gadgets. As in the first case, an attacker can use CBC gadgets to modify encrypted content and create a malicious PDF file that, once decrypted, sends its contents to remote servers, for example, using PDF forms or URLs.
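Why CBC without integrity protection cannot notice modified input, and how a MAC over the IV and ciphertext does, can be shown in a short script. This is an added example, not code from the researchers' report: it assumes a toy Feistel cipher in place of AES (CBC chaining behaves the same over any block cipher), and all function names and sample bytes are constructed for illustration.

```python
import hashlib, hmac, os

BLOCK = 16  # bytes, the AES block size

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def toy_block(key, blk, rounds):
    # 4-round Feistel permutation: a toy stand-in for AES, NOT secure.
    l, r = blk[:8], blk[8:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:8]
        l, r = r, _xor(l, f)
    return r + l

def cbc_encrypt(key, iv, pt):  # len(pt) must be a multiple of BLOCK
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_block(key, _xor(pt[i:i + BLOCK], prev), range(4))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += _xor(toy_block(key, ct[i:i + BLOCK], range(3, -1, -1)), prev)
        prev = ct[i:i + BLOCK]
    return out

def tag_for(mac_key, iv, ct):  # encrypt-then-MAC tag over IV + ciphertext
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def open_checked(enc_key, mac_key, iv, ct, tag):
    if not hmac.compare_digest(tag, tag_for(mac_key, iv, ct)):
        raise ValueError("integrity check failed")
    return cbc_decrypt(enc_key, iv, ct)

def demo():
    enc_key, mac_key, iv = (os.urandom(16) for _ in range(3))
    pt = b"KNOWN-HEADER-16B" + b"secret body 16by"  # constructed sample
    ct = cbc_encrypt(enc_key, iv, pt)
    tag = tag_for(mac_key, iv, ct)
    # No key needed: XORing a delta into the IV XORs it into plaintext block 1.
    bad_iv = _xor(iv, _xor(pt[:BLOCK], b"CHANGED-HEADER!!"))
    silent = cbc_decrypt(enc_key, bad_iv, ct)  # plain CBC accepts it
    try:
        open_checked(enc_key, mac_key, bad_iv, ct, tag)
        return silent, False
    except ValueError:
        return silent, True  # the MAC check rejects the modified input
```

`demo()` returns the plaintext that unauthenticated CBC silently produced and whether the MAC-checked path rejected the same input.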