Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <eec1e835-fd6c-5c7c-25b8-5684ce8efafc@rub.de>
Date: Tue, 1 Oct 2019 10:48:07 +0200
From: Jens Müller <jens.a.mueller@....de>
To: oss-security@...ts.openwall.com
Subject: PDFex: Security weakness in PDF encryption

TL;DR In the scope of academic research at Ruhr University Bochum and
Münster and University of Applied Sciences, Germany, two severe flaws
in the PDF encryption standard have been discovered, which both lead
to full plaintext exfiltration in an active-attacker scenario.

* Website, including proof-of-concept exploits: pdf-insecurity.org
* Paper: pdf-insecurity.org/download/paper-pdf_encryption-ccs2019.pdf


*How to break PDF Encryption*
-----------------------------
To guarantee confidentiality, PDF files can be encrypted. This enables
the secure transfer and storing of sensitive documents without any
further protection mechanisms. The key management between the sender and
recipient may be password based (the recipient must know the password
used by the sender, or it must be transferred to them through a secure
channel) or public key based (i.e., the sender knows the X.509
certificate of the recipient). In this research, we analyze the security
of encrypted PDF documents and show how an attacker can exfiltrate the
content without having the corresponding keys.


*So what is the problem?*
-------------------------
The security problems known as "PDFex" can be summarized as follows:

* 1. Even without knowing the corresponding password, the attacker
possessing an encrypted PDF file can manipulate parts of it. More
precisely, the PDF specification allows the mixing of ciphertexts with
plaintexts. In combination with further PDF features which allow the
loading of external resources via HTTP, the attacker can run direct
exfiltration attacks once a victim opens the file.

* 2. PDF encryption uses the Cipher Block Chaining (CBC) encryption mode
with no integrity checks, which implies ciphertext malleability. This
allows an attacker to create self-exfiltrating ciphertext using CBC
malleability gadgets. We use this technique not only to modify existing
plaintext but to construct entirely new encrypted objects.


*How bad is it?*
---------------
In order to measure the impact of the vulnerabilities in the PDF
specification, we analyzed 27 widely used PDF viewers. We found 23 of
them (85%) to be vulnerable to direct exfiltration attacks and all of
them to be vulnerable to CBC gadgets. You can find the detailed results
of our evaluation below.

Application           Version tested   Direct Exfiltration  CBC Gadgets
-----------------------------------------------------------------------
Adobe Acrobat DC      2019.008.20081   [XX]                 [X]
Foxit Reader          9.2.0.9297       [X]                  [X]
PDF-XChange Viewer    2.5.322.9        [XX]                 [X]
Perfect PDF Reader    8.0.3.5          [XX]                 [XX]
PDF Studio Viewer     2018.1.0         [XX]                 [XX]
Nitro Reader          5.5.9.2          [X]                  [XX]
Acrobat Pro DC        2017.011.30127   [XX]                 [X]
Foxit PhantomPDF      9.5.0.20723      [X]                  [X]
PDF-XChange Editor    7.0.326.1        [XX]                 [X]
Perfect PDF Premium   10.0.0.1         [XX]                 [XX]
PDF Studio Pro        12.0.7           [XX]                 [XX]
Nitro Pro             12.2.0.228       [XX]                 [XX]
Nuance Power PDF      3.0.0.17         [XX]                 [X]
iSkysoft PDF Editor   6.4.2.3521       [X]                  [X]
Master PDF Editor     5.1.36           [XX]                 [XX]
Soda PDF Desktop      11.0.16.2797)    [X]                  [X]
PDF Architect         7.0.23.3193      [X]                  [X]
PDFelement            6.8.0.3523       [X]                  [X]
-----------------------------------------------------------------------
Preview               3.32.0           -                    [X]
Skim                  1.4.37           -                    [X]
-----------------------------------------------------------------------
Evince                10.0.944.4       [X]                  [X]
Okular                1.7.3            [X]                  [X]
MuPDF                 1.14.0           [X]                  [X]
-----------------------------------------------------------------------
Chrome                70.0.3538.67     [XX]                 [XX]
Firefox               66.0.2           -                    [X]
Safari                11.0.3           -                    [X]
Opera                 57.0.3098.106    [XX]                 [XX]
-----------------------------------------------------------------------
       [XX] | Insecure: Exfiltration (no user interaction)
        [X] | Insecure: Exfiltration (with user interaction)
         -  | Secure: No exfiltration / not vulnerable


*How can I protect myself?*
---------------------------
We strictly followed the responsible disclosure procedure by reporting
the results on 17th of May 2019. In cooperation with the BSI-CERT, we
contacted all vendors, provided proof-of-concept exploits, and helped
them to mitigate the issues.


*Who uses PDF Encryption?*
--------------------------
PDF encryption is deployed in many areas to securely exchange
confidential information via the Internet. Various medical IT systems
and devices are capable, for example, of encrypting and transferring
medical records as PDF files. MFPs also provide PDF encryption to
protect scanned documents. In business environments, emails are
sometimes sent as encrypted PDF documents when other encryption methods
are not available (e.g., various organizations use special gateways to
automatically encrypt email messages as encrypted PDF attachments).

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.