research-article

1 Trillion Dollar Refund: How To Spoof PDF Signatures

Authors:

Vladislav Mladenov,

Christian Mainka,

Karsten Meyer zu Selhausen,

Jörg SchwenkAuthors Info & Claims

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

Pages 1 - 14

https://doi.org/10.1145/3319535.3339812

Published: 06 November 2019 Publication History

Abstract

The Portable Document Format (PDF) is the de-facto standard for document exchange worldwide. To guarantee the authenticity and integrity of documents, digital signatures are used. Several public and private services ranging from governments, public enterprises, banks, and payment services rely on the security of PDF signatures.

In this paper, we present the first comprehensive security evaluation on digital signatures in PDFs. We introduce three novel attack classes which bypass the cryptographic protection of digitally signed PDF files allowing an attacker to spoof the content of a signed PDF. We analyzed 22 different PDF viewers and found 21 of them to be vulnerable, including prominent and widely used applications such as Adobe Reader DC and Foxit. We additionally evaluated eight online validation services and found six to be vulnerable. A possible explanation for these results could be the absence of a standard algorithm to verify PDF signatures -- each client verifies signatures differently, and attacks can be tailored to these differences. We, therefore, propose the standardization of a secure verification algorithm, which we describe in this paper.

All findings have been responsibly disclosed, and the affected vendors were supported during fixing the issues. As a result, three generic CVEs for each attack class were issued [50-52]. Our research on PDF signatures and more information is also online available at https://www.pdf-insecurity.org/.

References

[1]

Adobe. 2018. Adobe Fast Facts. https://www.adobe.com/about-adobe/fast-facts.html

[2]

Ange Albertini. 2014. This PDF is a JPEG; or, This Proof of Concept is a Picture of Cats. PoC 11 GTFO 0x03 (2014). https://www.alchemistowl.org/pocorgtfo/pocorgtfo03.pdf

[3]

PDF association. 2018. PDF in 2016: Broader, deeper, richer. https://www.pdfa.org/pdf-in-2016-broader-deeper-richer/

[4]

USENIX Association. 2018. Board of Directors Out of Band Motion. https://www.usenix.org/sites/default/files/2017-01_out-of-band_motion_signed.pdf

[5]

Francesco Buccafurri. 2005. Digital Signature Trust vulnerability: A new attack on digital signatures. Information Management & Computer Security, Vol. 4 (2005), 28--6. http://www.unirc.it/firma/en/Buccafurri_ISSA_1008.pdf

[6]

Curtis Carmony, Xunchao Hu, Heng Yin, Abhishek Vasisht Bhaskar, and Mu Zhang. 2016. Extract Me If You Can: Abusing PDF Parsers in Malware Detectors. In NDSS .

[7]

European Commission. 2018. DSS Demonstration WebApp v5.3.1. https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/DSS

[8]

Igino Corona, Davide Maiorca, Davide Ariu, and Giorgio Giacinto. 2014. Lux0r: Detection of malicious pdf-embedded javascript code through discriminant analysis of api references. In Proceedings of the 2014 Workshop on Artificial Intelligent and Security Workshop. ACM, 47--57.

Digital Library

[9]

Inc. DocuSign. 2018. DocuSign Validation Service. https://validator.docusign.com/

[10]

EIUS doo. 2018. VEP E-obrazci. https://www.vep.si/validator/forms/document-verify

[11]

eesti. 2018. SiVa Demo application. https://siva-arendus.eesti.ee/

[12]

Evrotrust. 2018. Validate a signature. https://www.evrotrust.com/landing/en/a/validation

[13]

FeaturedCustomers. 2018. DocuSign Customer. https://www.featuredcustomers.com/vendor/docusign/customers

[14]

Agency for Digital Italy. 2018. DSS Demonstration WebApp v5.2. https://dss.agid.gov.it/validation

[15]

Forbes. 2018. Forbes Releases 2017 Cloud 100 List of the Best Private Cloud Companies in the World. http://bit.ly/dokusign-forbesrank

[16]

Gertjan Franken, Tom Van Goethem, and Wouter Joosen. 2018. Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 151--168. https://www.usenix.org/conference/usenixsecurity18/presentation/franken

[17]

Bundesministerium für Digitalisierung und Wirtschaftsstandort. 2019. E-Government-Gesetz (E-GovG). https://www.ris.bka.gv.at/GeltendeFassung/Bundesnormen/20003230/E-GovG%2c%20Fassung%20vom%2004.02.2019.pdf

[18]

Ian Grigg. 2008. Technologists on signatures: looking in the wrong place. http://financialcryptography.com/mt/archives/001056.html

[19]

Ian Grigg. 2012. Signatures on fax & email - if you did not intend to be bound, why did you bother to write it? http://financialcryptography.com/mt/archives/001364.html

[20]

Arhs Group. 2018. Ellis Digital Signature. https://ellis.arhs-spikeseed.com/

[21]

Adobe Systems Incorporated. 2006. PDF Reference, version 1.7 sixth edition ed.).

[22]

Alexander1 Inführ. 2014. Multiple PDF Vulnerabilities -- Text and Pictures on Steroids. https://insert-script.blogspot.de/2014/12/multiple-pdf-vulnerabilites-text-and.html

[23]

Alexander Inführ. 2015. PDF -- Mess with the Web. https://2015.appsec.eu/wp-content/uploads/2015/09/owasp-appseceu2015-infuhr.pdf

[24]

Alexander2 Inführ. 2018. Adobe Reader PDF - Client Side Request Injection. https://insert-script.blogspot.de/2018/05/adobe-reader-pdf-client-side-request.html

[25]

K Kain, Sean W Smith, and R Asokan. 2002. Digital signatures and electronic documents: A cautionary tale. In Advanced communications and multimedia security. Springer, 293--307. http://www.ists.dartmouth.edu/library/74.pdf

[26]

Pavel Laskov and Nedim vS rndić. 2011. Static detection of malicious JavaScript-bearing PDF documents. In Proceedings of the 27th annual computer security applications conference. ACM, 373--382.

Digital Library

[27]

Gianluca Lax, Francesco Buccafurri, and Gianluca Caminiti. 2015. Digital document signing: Vulnerabilities and solutions. Information Security Journal: A Global Perspective, Vol. 24, 1--3 (2015), 1--14.

Digital Library

[28]

Davide Maiorca, Davide Ariu, Igino Corona, and Giorgio Giacinto. 2015. A structural and content-based approach for a precise and robust detection of malicious pdf files. In 2015 International Conference on Information Systems Security and Privacy (ICISSP). IEEE, 27--36.

[29]

Davide Maiorca and Battista Biggio. In Press. Digital Investigation of PDF Files: Unveiling Traces of Embedded Malware. IEEE Security and Privacy: Special Issue on Digital Forensics ( In Press). https://pralab.diee.unica.it/sites/default/files/maiorca17-sp.pdf

[30]

Davide Maiorca, Giorgio Giacinto, and Igino Corona. 2012. A pattern recognition system for malicious pdf files detection. In International Workshop on Machine Learning and Data Mining in Pattern Recognition. Springer, 510--524.

Digital Library

[31]

Ian Markwood, Dakun Shen, Yao Liu, and Zhuo Lu. 2017. PDF Mirage: Content Masking Attack Against Information-Based Online Services. In 26th USENIX Security Symposium (USENIX Security 17), (Vancouver, BC). 833--847.

[32]

Michael McIntosh and Paula Austel. 2005. XML signature element wrapping attacks and countermeasures. In SWS '05: Proceedings of the 2005 Workshop on Secure Web Services. ACM Press, New York, NY, USA, 20--27.

Digital Library

[33]

Tim McLean. 2015. Blog post: Critical vulnerabilities in JSON Web Token libraries. https://www.chosenplaintext.ca/2015/03/31/jwt-algorithm-confusion.html

[34]

Vladislav Mladenov, Christian Mainka, Meyer zu Selhausen, Martin Grothe, and Jörg Schwenk. 2018. Vulnerability Report: Attacks bypassing the signature validation in PDF. Technical Report. Ruhr Univeristy Bochum, Chair for Network and Data Security. https://www.nds.ruhr-uni-bochum.de/research/publications/vulnerability-report-attacks-bypassing-signature-v/

[35]

United States Government Printing Office. 2000. ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT. https://www.govinfo.gov/content/pkg/PLAW-106publ229/pdf/PLAW-106publ229.pdf

[36]

Dan-Sabin Popescu. 2012. Hiding Malicious Content in PDF Documents. CoRR, Vol. abs/1201.0397 (2012). arxiv: 1201.0397 http://arxiv.org/abs/1201.0397

[37]

F. Raynal, G. Delugré, and D. Aumaitre. 2010. Malicious Origami in PDF. Journal in Computer Virology, Vol. 6, 4 (2010), 289--315. http://esec-lab.sogeti.com/static/publications/08-pacsec-maliciouspdf.pdf

Digital Library

[38]

RUNDFUNK UND TELEKOM REGULIERUNGS-GMBH. 2018. RTR - Signatur-Prüfung. https://www.signatur.rtr.at/de/vd/Pruefung.html

[39]

Check Point Research. 2018. NTLM Credentials Theft via PDF Files. https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/

[40]

Billy Rios, Federico Lanusse, and Mauro Gentile. 2013. Adobe Reader Same-Origin Policy Bypass. http://www.sneaked.net/adobe-reader-same-origin-policy-bypass

[41]

Charles Smutz and Angelos Stavrou. 2012. Malicious PDF detection using metadata and structural features. In Proceedings of the 28th annual computer security applications conference. ACM, 239--248.

Digital Library

[42]

Juraj Somorovsky, Andreas Mayer, Jörg Schwenk, Marco Kampmann, and Meiko Jensen. 2012. On Breaking SAML: Be Whoever You Want to Be. In 21st USENIX Security Symposium. Bellevue, WA.

Digital Library

[43]

Nedim Srndić and Pavel Laskov. 2016. Hidost: a static machine-learning-based detector of malicious files. EURASIP Journal on Information Security, Vol. 2016, 1 (2016), 22.

Digital Library

[44]

Tomás Stefan. 2017. Digital Signature Verification in PDF. https://dspace.cvut.cz/bitstream/handle/10467/76810/F8-BP-2018-Stefan-Tomas-thesis.pdf'sequence=-1

[45]

Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, and Yarik Markov. 2017. The first collision for full SHA-1. In Annual International Cryptology Conference. Springer, 570--596.

[46]

Liang Tong, Bo Li, Chen Hajaj, and Yevgeniy Vorobeychik. 2017. Feature Conservation in Adversarial Classifier Evasion: A Case Study. CoRR, Vol. abs/1708.08327 (2017). https://pdfs.semanticscholar.org/f1f8/6dbd8b39c9601e6315214783343ca18377b4.pdf

[47]

Liang Tong, Bo Li, Chen Hajaj, Chaowei Xiao, and Yevgeniy Vorobeychik. 2017. A Framework for Validating Models of Evasion Attacks on Machine Learning, with Application to PDF Malware Detection. arXiv preprint arXiv:1708.08327 (2017). https://arxiv.org/pdf/1708.08327.pdf

[48]

European Union. 2014. REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910

[49]

H. Valentin. 2012. Malicious URI resolving in PDF Documents. Blackhat Abu Dhabi (2012).

[50]

Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe and Jörg Schwenk",. 2018. CVE-2018--16042 (Universal Signature Forgery).

[51]

Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe and Jörg Schwenk",. 2018. CVE-2018--18688 (Incremental Saving Attack).

[52]

Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe and Jörg Schwenk",. 2018. CVE-2018--18689 (Signature Wrapping Attack).

[53]

Wikipedia. 2019. Electronic signatures and law. https://en.wikipedia.org/wiki/Electronic_signatures_and_law

[54]

Michal Zalewski. 2012. The tangled Web: A guide to securing modern web applications. No Starch Press.

Cited By

Rohlmann SMladenov VMainka CHirschberger DSchwenk JCalandrino JTroncoso C(2023)Every signature is brokenProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620652(7411-7428)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620652
Kumar AHarris BTan G(2023)DISV: Domain Independent Semantic Validation of Data Files2023 IEEE Security and Privacy Workshops (SPW)10.1109/SPW59333.2023.00020(163-174)Online publication date: May-2023
https://doi.org/10.1109/SPW59333.2023.00020
Tullsen MHarris WWyatt P(2022)Research Report: Strengthening Weak Links in the PDF Trust Chain2022 IEEE Security and Privacy Workshops (SPW)10.1109/SPW54247.2022.9833889(152-167)Online publication date: May-2022
https://doi.org/10.1109/SPW54247.2022.9833889
Show More Cited By

Index Terms

1 Trillion Dollar Refund: How To Spoof PDF Signatures
1. Information systems
  1. Data management systems
    1. Database management system engines
      1. Integrity checking
2. Security and privacy
  1. Software and application security

Recommendations

Practical Decryption exFiltration: Breaking PDF Encryption
CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

The Portable Document Format, better known as PDF, is one of the most widely used document formats worldwide, and in order to ensure information confidentiality, this file format supports document encryption. In this paper, we analyze PDF encryption and ...
Multi-view Malicious Document Detection
TAAI '13: Proceedings of the 2013 Conference on Technologies and Applications of Artificial Intelligence

Malicious document is one of the most notorious components of modern attacks. The document may appear normal in its format, but behave strangely or beyond users' expectation, sometimes lead to severe consequences when it is opened. Detecting malicious ...
Cryptanalysis of ISO/IEC 9796-1

We describe two different attacks against the ISO/IEC 9796-1 signature standard for RSA and Rabin. Both attacks consist in an existential forgery under a chosen-message attack: the attacker asks for the signature of some messages of his choice, and is ...

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences

CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security

November 2019

2755 pages

ISBN:9781450367479

DOI:10.1145/3319535

General Chairs:
Lorenzo Cavallaro
King's College London, UK
,
Johannes Kinder
Bundeswehr University Munich, Germany
,
Program Chairs:
XiaoFeng Wang
Indiana University, USA
,
Jonathan Katz
George Mason University, USA

Copyright © 2019 ACM.

Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

SIGSAC: ACM Special Interest Group on Security, Audit, and Control

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 November 2019

Permissions

Request permissions for this article.

Request Permissions

Check for updates

Author Tags

Qualifiers

Research-article

Funding Sources

European Commission
Excellence Strategy of the Federal and State Governments

Conference

CCS '19

Sponsor:

SIGSAC

CCS '19: 2019 ACM SIGSAC Conference on Computer and Communications Security

November 11 - 15, 2019

London, United Kingdom

Acceptance Rates

CCS '19 Paper Acceptance Rate 149 of 934 submissions, 16%;

Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Sponsor:
sigsac

ACM SIGSAC Conference on Computer and Communications Security

October 13 - 17, 2025

Taipei , Taiwan

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

8
Total Citations
View Citations
2,133
Total Downloads

Downloads (Last 12 months)65
Downloads (Last 6 weeks)4

Reflects downloads up to 28 Feb 2025

Other Metrics

View Author Metrics

Citations

Cited By

Rohlmann SMladenov VMainka CHirschberger DSchwenk JCalandrino JTroncoso C(2023)Every signature is brokenProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620652(7411-7428)Online publication date: 9-Aug-2023
https://dl.acm.org/doi/10.5555/3620237.3620652
Kumar AHarris BTan G(2023)DISV: Domain Independent Semantic Validation of Data Files2023 IEEE Security and Privacy Workshops (SPW)10.1109/SPW59333.2023.00020(163-174)Online publication date: May-2023
https://doi.org/10.1109/SPW59333.2023.00020
Tullsen MHarris WWyatt P(2022)Research Report: Strengthening Weak Links in the PDF Trust Chain2022 IEEE Security and Privacy Workshops (SPW)10.1109/SPW54247.2022.9833889(152-167)Online publication date: May-2022
https://doi.org/10.1109/SPW54247.2022.9833889
Mikhail IVictor RKorchagin SEkaterina PDmitry SYerbayev YKonstantin B(2022)Intelligent Web-Application for Countering DDoS Attacks on Educational InstitutionsBiologically Inspired Cognitive Architectures 202110.1007/978-3-030-96993-6_18(182-194)Online publication date: 25-Mar-2022
https://doi.org/10.1007/978-3-030-96993-6_18
Xu BXu XCai QWang WWang Q(2020)On the Verification of Signed MessagesApplied Cryptography and Network Security Workshops10.1007/978-3-030-61638-0_23(417-434)Online publication date: 14-Oct-2020
https://doi.org/10.1007/978-3-030-61638-0_23
Anderson R(2020)BibliographySecurity Engineering10.1002/9781119644682.biblio(1061-1141)Online publication date: 2-Dec-2020
https://doi.org/10.1002/9781119644682.biblio
Müller JIsing FMladenov VMainka CSchinzel SSchwenk JCavallaro LKinder JWang XKatz J(2019)Practical Decryption exFiltrationProceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security10.1145/3319535.3354214(15-29)Online publication date: 6-Nov-2019
https://dl.acm.org/doi/10.1145/3319535.3354214
Butler SGamalielsson JLundell BBrax CMattsson AGustavsson TFeist JLönroth E(2019)Maintaining Interoperability in Open Source Software:A Case Study of the Apache PDFBox ProjectJournal of Systems and Software10.1016/j.jss.2019.110452(110452)Online publication date: Oct-2019
https://doi.org/10.1016/j.jss.2019.110452

View Options

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Full Access

Get this Publication

View options

PDF

View or Download as a PDF file.

eReader

View online with eReader.

Figures

Tables

Media

View Table of Conten