“The researchers' method is not aimed at encryption applied to PDF files by external software, but at the encryption schemes themselves, which are supported by the Portable Document Format (PDF) standard,” say the researchers.
For example, the PDF standard supports native encryption, so that PDF applications can encrypt files that can then be opened by any other application. This means users are not tied to one specific solution for working with PDF.
“Firstly, many data formats only allow encryption of parts of the content (for example, XML, S/MIME, PDF). Such encryption flexibility is difficult to deal with, and as a result, the attacker can add his own content [to the file], which can lead to data extraction. Secondly, when it comes to encryption, AES-CBC (and encryption without integrity protection) is still very widely supported. Even the latest PDF 2.0 specification, released in 2017, still relies on it. This should be fixed in future PDF specifications,” the experts write.
In their report, the experts describe two variants of PDFex.
The first variant is related to direct data extraction and assumes that PDF applications do not encrypt the entire file, but leave some parts unencrypted. Thanks to this, an attacker can modify these unencrypted fields and create a malicious PDF file, which after decryption and opening will try to send the contents of the file back to the attacker. This can be achieved in three ways, including by adding JavaScript or a special link to the file, which will be triggered after the file is opened and decrypted.
The second variant of the PDFex attack, in contrast, is associated with the encrypted parts of the PDF file and uses CBC gadgets. As in the first case, an attacker can use CBC gadgets to modify encrypted content to create a malicious PDF file that will send its contents after decryption to remote servers, for example, using PDF forms or URLs.
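Why CBC encryption without integrity protection can be modified without the key, as an added example that is not taken from the researchers' report or from any PDF software. A toy Feistel cipher stands in for AES (the property belongs to the CBC mode, not the block cipher), the plaintext is block-aligned so padding is omitted, and all names and sample data are constructed; the `seal`/`open_sealed` pair shows an encrypt-then-MAC wrapper rejecting the same modification.

```python
import hashlib, hmac, os

BLOCK, ENC, DEC = 16, range(4), range(3, -1, -1)

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def feistel(key, blk, rounds):
    # Toy 16-byte Feistel cipher standing in for AES; rounds=DEC inverts rounds=ENC.
    l, r = blk[:8], blk[8:]
    for i in rounds:
        l, r = r, _xor(l, hmac.new(key, bytes([i]) + r, hashlib.sha256).digest()[:8])
    return r + l

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = feistel(key, _xor(pt[i:i + BLOCK], prev), ENC)
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    return b"".join(_xor(feistel(key, c, DEC), p) for p, c in zip(blocks, blocks[1:]))

def rewrite_block(ct, idx, known, wanted):
    # P[idx] = D(C[idx]) ^ C[idx-1], so XORing known^wanted into C[idx-1]
    # (no key needed) turns P[idx] into `wanted` and garbles P[idx-1].
    s = (idx - 1) * BLOCK
    return ct[:s] + _xor(ct[s:s + BLOCK], _xor(known, wanted)) + ct[s + BLOCK:]

def seal(enc_key, mac_key, pt):
    iv = os.urandom(BLOCK)
    body = iv + cbc_encrypt(enc_key, iv, pt)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()  # encrypt-then-MAC

def open_sealed(enc_key, mac_key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return cbc_decrypt(enc_key, body[:BLOCK], body[BLOCK:])

# Constructed sample: three 16-byte blocks; the middle block is assumed known.
SAMPLE, WANT = b"HEADER-BLOCK-000pay 0000100 EUR TRAILER-BLOCK-00", b"pay 9999999 EUR "
def forge_plain_cbc(key, iv):
    return cbc_decrypt(key, iv, rewrite_block(cbc_encrypt(key, iv, SAMPLE), 1, SAMPLE[16:32], WANT))

if __name__ == "__main__":
    print(forge_plain_cbc(os.urandom(16), os.urandom(16))[16:32])
```

With bare CBC the decrypted middle block reads as the rewritten value and only the preceding block is garbled; with the tag checked first, the modified message is never decrypted.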