Contract killer: Certified PDFs can be secretly tampered with during the signing process, boffins find

24 out of 26 tools vulnerable – with bonus JavaScript attack for Adobe


A pair of techniques to surreptitiously alter the content of certified PDFs have been detailed by researchers in Germany.

The upshot is that someone could digitally add their signature to a PDF of, say, a contract, pass the file to a partner to digitally sign, and that second person could sneakily alter the contract's text as well as sign it, creating confusion down the line. While the addition of the second signature would be permitted, the tampering of the text should be detected and flagged up by application software – unless the second person uses the aforementioned techniques.

The exploits, dubbed Evil Annotation and Sneaky Signature, are detailed in a paper [PDF] and website by Ruhr University Bochum's Simon Rohlmann, Dr Vladislav Mladenov, Dr Christian Mainka, and Professor Jörg Schwenk. The team were due to present their work at the 42nd IEEE Symposium on Security and Privacy, taking place online this week.

Their discovery would be a boon to scammers, and while the developers of major PDF-generation applications, such as Adobe, Libreoffice, and Foxit, have now patched their code to thwart the techniques, the makers of minor PDF tools have been slower to respond.

Using certified PDFs is increasingly common in business. The creator of such a document can allow some content changes, such as adding a digital signature or side notes, without tripping any alarms. However, the team found that some of these annotation fields can be manipulated to introduce new material and change the meaning of the text.

With the Evil Annotation attack, the boffins found three annotations – FreeText, Redact, and Stamp – could be subverted to allow images or new text to be inserted into a document without the creator being aware. "All three can be used to stealthily modify a certified document and inject malicious content," their paper explained. "In addition, 11 out of 28 annotations are classified as medium since an attacker can hide content within the certified document."

For documents where the annotations that are allowed to be added are more limited, Sneaky Signature comes into play. The second person to sign the document can do so, and then use that process to add additional information. That is to say, rather than abuse annotations, the signing process is exploited.

"If a certified document is opened in a common PDF application, signatures can only be added to free signature fields provided by the certifier. Adding empty signature fields is normally no longer possible within the application," the paper states.

"However, the specification does not prohibit adding empty signature fields to a certified document. By using frameworks like Apache PDFBox2, empty signature fields can be placed anywhere in the document and filled with arbitrary content."

The researchers tested 26 popular PDF tools, and found 24 of them were vulnerable to either both of the flaws or just one. The only viewers to get a clean bill of health for this issue were PDF Editor 6 Pro and PDFelement Pro.

The techniques described aren't perfect: the alterations can be later discovered when the PDF files are compared, though by that point, whatever fraud was planned may have been successfully pulled off. In the case of someone inserting new payment details into an invoice or contract to siphon off funds, the money may be long gone by that point.

As a dark bonus, the team also found a security weakness that specifically hit Adobe products. This could be exploited to embed malicious code in documents with no warning to the recipient, thanks to Adobe's JavaScript policies.

"Only certified documents may execute high privileged JavaScript code in Adobe products," they said. "The attack is not limited to calling up a website but can execute any high privileged JavaScript code. The only requirement is that the victim fully trusts the certificate used to certify the PDFdocument."

Adobe fixed this issue in the start of November following responsible disclosure of the flaw. Many of the other tested applications have also been patched, although some vendors haven't responded – you can see the full list here. Make sure you're up to date with your applications, if you can. ®


Other stories you might like

  • Alcatel-Lucent Enterprise adds Wi-Fi 6E to 'premium' access points
    Company claims standard will improve performance in dense environments

    Alcatel-Lucent Enterprise is the latest networking outfit to add Wi-Fi 6E capability to its hardware, opening up access to the less congested 6GHz spectrum for business users.

    The France-based company just revealed the OmniAccess Stellar 14xx series of wireless access points, which are set for availability from this September. Alcatel-Lucent Enterprise said its first Wi-Fi 6E device will be a high-end "premium" Access Point and will be followed by a mid-range product by the end of the year.

    Wi-Fi 6E is compatible with the Wi-Fi 6 standard, but adds the ability to use channels in the 6GHz portion of the spectrum, a feature that will be built into the upcoming Wi-Fi 7 standard from the start. This enables users to reduce network contention, or so the argument goes, as the 6GHz portion of the spectrum is less congested with other traffic than the existing 2.4GHz and 5GHz frequencies used for Wi-Fi access.

    Continue reading
  • Will Lenovo ever think beyond hardware?
    Then again, why develop your own software à la HPE GreenLake when you can use someone else's?

    Analysis Lenovo fancies its TruScale anything-as-a-service (XaaS) platform as a more flexible competitor to HPE GreenLake or Dell Apex. Unlike its rivals, Lenovo doesn't believe it needs to mimic all aspects of the cloud to be successful.

    While subscription services are nothing new for Lenovo, the company only recently consolidated its offerings into a unified XaaS service called TruScale.

    On the surface TruScale ticks most of the XaaS boxes — cloud-like consumption model, subscription pricing — and it works just like you'd expect. Sign up for a certain amount of compute capacity and a short time later a rack full of pre-plumbed compute, storage, and network boxes are delivered to your place of choosing, whether that's a private datacenter, colo, or edge location.

    Continue reading
  • Intel is running rings around AMD and Arm at the edge
    What will it take to loosen the x86 giant's edge stranglehold?

    Analysis Supermicro launched a wave of edge appliances using Intel's newly refreshed Xeon-D processors last week. The launch itself was nothing to write home about, but a thought occurred: with all the hype surrounding the outer reaches of computing that we call the edge, you'd think there would be more competition from chipmakers in this arena.

    So where are all the AMD and Arm-based edge appliances?

    A glance through the catalogs of the major OEMs – Dell, HPE, Lenovo, Inspur, Supermicro – returned plenty of results for AMD servers, but few, if any, validated for edge deployments. In fact, Supermicro was the only one of the five vendors that even offered an AMD-based edge appliance – which used an ageing Epyc processor. Hardly a great showing from AMD. Meanwhile, just one appliance from Inspur used an Arm-based chip from Nvidia.

    Continue reading

Biting the hand that feeds IT © 1998–2022