skip to main content
10.1145/3319535.3339812acmconferencesArticle/Chapter ViewAbstractPublication PagesccsConference Proceedingsconference-collections
research-article

1 Trillion Dollar Refund: How To Spoof PDF Signatures

Published: 06 November 2019 Publication History

Abstract

The Portable Document Format (PDF) is the de-facto standard for document exchange worldwide. To guarantee the authenticity and integrity of documents, digital signatures are used. Several public and private services ranging from governments, public enterprises, banks, and payment services rely on the security of PDF signatures.
In this paper, we present the first comprehensive security evaluation on digital signatures in PDFs. We introduce three novel attack classes which bypass the cryptographic protection of digitally signed PDF files allowing an attacker to spoof the content of a signed PDF. We analyzed 22 different PDF viewers and found 21 of them to be vulnerable, including prominent and widely used applications such as Adobe Reader DC and Foxit. We additionally evaluated eight online validation services and found six to be vulnerable. A possible explanation for these results could be the absence of a standard algorithm to verify PDF signatures -- each client verifies signatures differently, and attacks can be tailored to these differences. We, therefore, propose the standardization of a secure verification algorithm, which we describe in this paper.
All findings have been responsibly disclosed, and the affected vendors were supported during fixing the issues. As a result, three generic CVEs for each attack class were issued [50-52]. Our research on PDF signatures and more information is also online available at https://www.pdf-insecurity.org/.

References

[1]
Adobe. 2018. Adobe Fast Facts. https://www.adobe.com/about-adobe/fast-facts.html
[2]
Ange Albertini. 2014. This PDF is a JPEG; or, This Proof of Concept is a Picture of Cats. PoC 11 GTFO 0x03 (2014). https://www.alchemistowl.org/pocorgtfo/pocorgtfo03.pdf
[3]
PDF association. 2018. PDF in 2016: Broader, deeper, richer. https://www.pdfa.org/pdf-in-2016-broader-deeper-richer/
[4]
USENIX Association. 2018. Board of Directors Out of Band Motion. https://www.usenix.org/sites/default/files/2017-01_out-of-band_motion_signed.pdf
[5]
Francesco Buccafurri. 2005. Digital Signature Trust vulnerability: A new attack on digital signatures. Information Management & Computer Security, Vol. 4 (2005), 28--6. http://www.unirc.it/firma/en/Buccafurri_ISSA_1008.pdf
[6]
Curtis Carmony, Xunchao Hu, Heng Yin, Abhishek Vasisht Bhaskar, and Mu Zhang. 2016. Extract Me If You Can: Abusing PDF Parsers in Malware Detectors. In NDSS .
[7]
European Commission. 2018. DSS Demonstration WebApp v5.3.1. https://ec.europa.eu/cefdigital/wiki/display/CEFDIGITAL/DSS
[8]
Igino Corona, Davide Maiorca, Davide Ariu, and Giorgio Giacinto. 2014. Lux0r: Detection of malicious pdf-embedded javascript code through discriminant analysis of api references. In Proceedings of the 2014 Workshop on Artificial Intelligent and Security Workshop. ACM, 47--57.
[9]
Inc. DocuSign. 2018. DocuSign Validation Service. https://validator.docusign.com/
[10]
EIUS doo. 2018. VEP E-obrazci. https://www.vep.si/validator/forms/document-verify
[11]
eesti. 2018. SiVa Demo application. https://siva-arendus.eesti.ee/
[12]
Evrotrust. 2018. Validate a signature. https://www.evrotrust.com/landing/en/a/validation
[13]
FeaturedCustomers. 2018. DocuSign Customer. https://www.featuredcustomers.com/vendor/docusign/customers
[14]
Agency for Digital Italy. 2018. DSS Demonstration WebApp v5.2. https://dss.agid.gov.it/validation
[15]
Forbes. 2018. Forbes Releases 2017 Cloud 100 List of the Best Private Cloud Companies in the World. http://bit.ly/dokusign-forbesrank
[16]
Gertjan Franken, Tom Van Goethem, and Wouter Joosen. 2018. Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies. In 27th USENIX Security Symposium (USENIX Security 18). USENIX Association, Baltimore, MD, 151--168. https://www.usenix.org/conference/usenixsecurity18/presentation/franken
[17]
Bundesministerium für Digitalisierung und Wirtschaftsstandort. 2019. E-Government-Gesetz (E-GovG). https://www.ris.bka.gv.at/GeltendeFassung/Bundesnormen/20003230/E-GovG%2c%20Fassung%20vom%2004.02.2019.pdf
[18]
Ian Grigg. 2008. Technologists on signatures: looking in the wrong place. http://financialcryptography.com/mt/archives/001056.html
[19]
Ian Grigg. 2012. Signatures on fax & email - if you did not intend to be bound, why did you bother to write it? http://financialcryptography.com/mt/archives/001364.html
[20]
Arhs Group. 2018. Ellis Digital Signature. https://ellis.arhs-spikeseed.com/
[21]
Adobe Systems Incorporated. 2006. PDF Reference, version 1.7 sixth edition ed.).
[22]
Alexander1 Inführ. 2014. Multiple PDF Vulnerabilities -- Text and Pictures on Steroids. https://insert-script.blogspot.de/2014/12/multiple-pdf-vulnerabilites-text-and.html
[23]
Alexander Inführ. 2015. PDF -- Mess with the Web. https://2015.appsec.eu/wp-content/uploads/2015/09/owasp-appseceu2015-infuhr.pdf
[24]
Alexander2 Inführ. 2018. Adobe Reader PDF - Client Side Request Injection. https://insert-script.blogspot.de/2018/05/adobe-reader-pdf-client-side-request.html
[25]
K Kain, Sean W Smith, and R Asokan. 2002. Digital signatures and electronic documents: A cautionary tale. In Advanced communications and multimedia security. Springer, 293--307. http://www.ists.dartmouth.edu/library/74.pdf
[26]
Pavel Laskov and Nedim vS rndić. 2011. Static detection of malicious JavaScript-bearing PDF documents. In Proceedings of the 27th annual computer security applications conference. ACM, 373--382.
[27]
Gianluca Lax, Francesco Buccafurri, and Gianluca Caminiti. 2015. Digital document signing: Vulnerabilities and solutions. Information Security Journal: A Global Perspective, Vol. 24, 1--3 (2015), 1--14.
[28]
Davide Maiorca, Davide Ariu, Igino Corona, and Giorgio Giacinto. 2015. A structural and content-based approach for a precise and robust detection of malicious pdf files. In 2015 International Conference on Information Systems Security and Privacy (ICISSP). IEEE, 27--36.
[29]
Davide Maiorca and Battista Biggio. In Press. Digital Investigation of PDF Files: Unveiling Traces of Embedded Malware. IEEE Security and Privacy: Special Issue on Digital Forensics ( In Press). https://pralab.diee.unica.it/sites/default/files/maiorca17-sp.pdf
[30]
Davide Maiorca, Giorgio Giacinto, and Igino Corona. 2012. A pattern recognition system for malicious pdf files detection. In International Workshop on Machine Learning and Data Mining in Pattern Recognition. Springer, 510--524.
[31]
Ian Markwood, Dakun Shen, Yao Liu, and Zhuo Lu. 2017. PDF Mirage: Content Masking Attack Against Information-Based Online Services. In 26th USENIX Security Symposium (USENIX Security 17), (Vancouver, BC). 833--847.
[32]
Michael McIntosh and Paula Austel. 2005. XML signature element wrapping attacks and countermeasures. In SWS '05: Proceedings of the 2005 Workshop on Secure Web Services. ACM Press, New York, NY, USA, 20--27.
[33]
Tim McLean. 2015. Blog post: Critical vulnerabilities in JSON Web Token libraries. https://www.chosenplaintext.ca/2015/03/31/jwt-algorithm-confusion.html
[34]
Vladislav Mladenov, Christian Mainka, Meyer zu Selhausen, Martin Grothe, and Jörg Schwenk. 2018. Vulnerability Report: Attacks bypassing the signature validation in PDF. Technical Report. Ruhr Univeristy Bochum, Chair for Network and Data Security. https://www.nds.ruhr-uni-bochum.de/research/publications/vulnerability-report-attacks-bypassing-signature-v/
[35]
United States Government Printing Office. 2000. ELECTRONIC SIGNATURES IN GLOBAL AND NATIONAL COMMERCE ACT. https://www.govinfo.gov/content/pkg/PLAW-106publ229/pdf/PLAW-106publ229.pdf
[36]
Dan-Sabin Popescu. 2012. Hiding Malicious Content in PDF Documents. CoRR, Vol. abs/1201.0397 (2012). arxiv: 1201.0397 http://arxiv.org/abs/1201.0397
[37]
F. Raynal, G. Delugré, and D. Aumaitre. 2010. Malicious Origami in PDF. Journal in Computer Virology, Vol. 6, 4 (2010), 289--315. http://esec-lab.sogeti.com/static/publications/08-pacsec-maliciouspdf.pdf
[38]
RUNDFUNK UND TELEKOM REGULIERUNGS-GMBH. 2018. RTR - Signatur-Prüfung. https://www.signatur.rtr.at/de/vd/Pruefung.html
[39]
Check Point Research. 2018. NTLM Credentials Theft via PDF Files. https://research.checkpoint.com/ntlm-credentials-theft-via-pdf-files/
[40]
Billy Rios, Federico Lanusse, and Mauro Gentile. 2013. Adobe Reader Same-Origin Policy Bypass. http://www.sneaked.net/adobe-reader-same-origin-policy-bypass
[41]
Charles Smutz and Angelos Stavrou. 2012. Malicious PDF detection using metadata and structural features. In Proceedings of the 28th annual computer security applications conference. ACM, 239--248.
[42]
Juraj Somorovsky, Andreas Mayer, Jörg Schwenk, Marco Kampmann, and Meiko Jensen. 2012. On Breaking SAML: Be Whoever You Want to Be. In 21st USENIX Security Symposium. Bellevue, WA.
[43]
Nedim Srndić and Pavel Laskov. 2016. Hidost: a static machine-learning-based detector of malicious files. EURASIP Journal on Information Security, Vol. 2016, 1 (2016), 22.
[44]
Tomás Stefan. 2017. Digital Signature Verification in PDF. https://dspace.cvut.cz/bitstream/handle/10467/76810/F8-BP-2018-Stefan-Tomas-thesis.pdf'sequence=-1
[45]
Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, and Yarik Markov. 2017. The first collision for full SHA-1. In Annual International Cryptology Conference. Springer, 570--596.
[46]
Liang Tong, Bo Li, Chen Hajaj, and Yevgeniy Vorobeychik. 2017. Feature Conservation in Adversarial Classifier Evasion: A Case Study. CoRR, Vol. abs/1708.08327 (2017). https://pdfs.semanticscholar.org/f1f8/6dbd8b39c9601e6315214783343ca18377b4.pdf
[47]
Liang Tong, Bo Li, Chen Hajaj, Chaowei Xiao, and Yevgeniy Vorobeychik. 2017. A Framework for Validating Models of Evasion Attacks on Machine Learning, with Application to PDF Malware Detection. arXiv preprint arXiv:1708.08327 (2017). https://arxiv.org/pdf/1708.08327.pdf
[48]
European Union. 2014. REGULATION (EU) No 910/2014 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32014R0910
[49]
H. Valentin. 2012. Malicious URI resolving in PDF Documents. Blackhat Abu Dhabi (2012).
[50]
Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe and Jörg Schwenk",. 2018. CVE-2018--16042 (Universal Signature Forgery).
[51]
Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe and Jörg Schwenk",. 2018. CVE-2018--18688 (Incremental Saving Attack).
[52]
Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe and Jörg Schwenk",. 2018. CVE-2018--18689 (Signature Wrapping Attack).
[53]
Wikipedia. 2019. Electronic signatures and law. https://en.wikipedia.org/wiki/Electronic_signatures_and_law
[54]
Michal Zalewski. 2012. The tangled Web: A guide to securing modern web applications. No Starch Press.

Cited By

View all
  • (2023)Every signature is brokenProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620652(7411-7428)Online publication date: 9-Aug-2023
  • (2023)DISV: Domain Independent Semantic Validation of Data Files2023 IEEE Security and Privacy Workshops (SPW)10.1109/SPW59333.2023.00020(163-174)Online publication date: May-2023
  • (2022)Research Report: Strengthening Weak Links in the PDF Trust Chain2022 IEEE Security and Privacy Workshops (SPW)10.1109/SPW54247.2022.9833889(152-167)Online publication date: May-2022
  • Show More Cited By

Recommendations

Comments

Information & Contributors

Information

Published In

cover image ACM Conferences
CCS '19: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
November 2019
2755 pages
ISBN:9781450367479
DOI:10.1145/3319535
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

Sponsors

Publisher

Association for Computing Machinery

New York, NY, United States

Publication History

Published: 06 November 2019

Permissions

Request permissions for this article.

Check for updates

Author Tags

  1. pdf
  2. pdf security
  3. pdf signatures

Qualifiers

  • Research-article

Funding Sources

  • European Commission
  • Excellence Strategy of the Federal and State Governments

Conference

CCS '19
Sponsor:

Acceptance Rates

CCS '19 Paper Acceptance Rate 149 of 934 submissions, 16%;
Overall Acceptance Rate 1,261 of 6,999 submissions, 18%

Upcoming Conference

CCS '25

Contributors

Other Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

  • Downloads (Last 12 months)65
  • Downloads (Last 6 weeks)4
Reflects downloads up to 28 Feb 2025

Other Metrics

Citations

Cited By

View all
  • (2023)Every signature is brokenProceedings of the 32nd USENIX Conference on Security Symposium10.5555/3620237.3620652(7411-7428)Online publication date: 9-Aug-2023
  • (2023)DISV: Domain Independent Semantic Validation of Data Files2023 IEEE Security and Privacy Workshops (SPW)10.1109/SPW59333.2023.00020(163-174)Online publication date: May-2023
  • (2022)Research Report: Strengthening Weak Links in the PDF Trust Chain2022 IEEE Security and Privacy Workshops (SPW)10.1109/SPW54247.2022.9833889(152-167)Online publication date: May-2022
  • (2022)Intelligent Web-Application for Countering DDoS Attacks on Educational InstitutionsBiologically Inspired Cognitive Architectures 202110.1007/978-3-030-96993-6_18(182-194)Online publication date: 25-Mar-2022
  • (2020)On the Verification of Signed MessagesApplied Cryptography and Network Security Workshops10.1007/978-3-030-61638-0_23(417-434)Online publication date: 14-Oct-2020
  • (2020)BibliographySecurity Engineering10.1002/9781119644682.biblio(1061-1141)Online publication date: 2-Dec-2020
  • (2019)Practical Decryption exFiltrationProceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security10.1145/3319535.3354214(15-29)Online publication date: 6-Nov-2019
  • (2019)Maintaining Interoperability in Open Source Software:A Case Study of the Apache PDFBox ProjectJournal of Systems and Software10.1016/j.jss.2019.110452(110452)Online publication date: Oct-2019

View Options

Login options

View options

PDF

View or Download as a PDF file.

PDF

eReader

View online with eReader.

eReader

Figures

Tables

Media

Share

Share

Share this Publication link

Share on social media