Dubbed as ‘PDFex’, this new cyber attack can exfiltrate data from encrypted PDF files. Read on to know more about it…
Researchers have detailed a new attack that can exfiltrate data from encrypted Portable Document Format (PDF) files. The new PDFex attack can exfiltrate data from encrypted PDF files.
The attack doesn’t target the encryption applied to a PDF document by external software, but the encryption schemes supported by the Portable Document Format (PDF) standard, itself. The PDF standard supports native encryption so that PDF apps can encrypt files that can be opened by any other app, and prevent user lock-in for one specific PDF software due to the use of shady encryption schemes.
Investigation
The researchers tested the PDFex attack techniques against 27 widely used PDF viewers including Adobe Acrobat, Foxit Reader, Evince, Nitro, and Chrome and Firefox’s built-in PDF viewers, and found all of them to be vulnerable. The researchers found that an attacker can manipulate an encrypted PDF file, even without knowing the corresponding password.
Variants
Dubbed ‘PDFex’, the attack comes in two technique variants. The two variants of PDFex attack include Direct Exfiltration and CBC Gadgets.
Data Exfiltration: This technique takes advantage of the fact that PDF apps don’t encrypt the entirety of a PDF file, leaving some parts unencrypted. Thus, an attacker can modify the unencrypted field, add unencrypted objects, or wrap encrypted parts into a context controlled by the attacker. This can be done via PDF forms, or hyperlinks, or Javascript codes.
CBC Gadgets: In this technique, attackers use CBC gadgets to exfiltrate plaintext. PDF encryption generally defines no authenticated encryption, therefore, attackers can modify the plaintext data directly within an encrypted object, for example, by prefixing it with an URL.
“This attack has two necessary preconditions:
• Known plaintext: To manipulate an encrypted object using CBC gadgets, a known plaintext segment is necessary. For AESV3 – the most recent encryption algorithm – this plain- text is always given by the Perms entry. For older versions, known plaintext from the object to be exfiltrated is necessary.
• Exfiltration channel: One of the interactive features: PDF Forms or Hyperlinks,” researchers explained.
Working Mechanism
To be noted, the PDFex attacks don’t allow an attacker to know or remove the password for an encrypted PDF; instead, enable attackers to remotely exfiltrate content once a legitimate user opens that document. In other words, PDFex allows attackers to modify a protected PDF document, without having the corresponding password, in a way that when opened by someone with the right password, the file will automatically send out a copy of the decrypted content to a remote attacker-controlled server on the Internet.
PDF encryption uses the Cipher Block Chaining (CBC) encryption mode with no integrity checks, this allows anyone to create self-exfiltrating ciphertext parts using CBC malleability gadgets. Most of the data formats allow us to encrypt only parts of the content. This encryption flexibility allows an attacker to include their own content, which can lead to exfiltration channels.
“More precisely, the PDF specification allows the mixing of ciphertexts with plaintexts. In combination with further PDF features which allow the loading of external resources via HTTP, the attacker can run direct exfiltration attacks once a victim opens the file,” researchers described in a blog.
