PDF Encryption: PDFex can bypass encryption and password protection in most PDF readers and online validation services
Researchers in Germany have invented a new hack that can allow someone to break the encryption of PDF files and access their content — or even forge signed PDF files under certain circumstances.
A team from Ruhr University Bochum, FH Münster University of Applied Sciences and Hackmanit GmbH developed the attack, called PDFex, which can allow an attacker to view the content of a PDF file without the public key or password used to encrypt it.
The team published a report online detailing the attack, which encompasses two main techniques — one that can break PDF encryption and one that can break PDF signatures. They evaluated the hacks against two types of applications — commonly used desktop applications and online validation services that are more often used by businesses.
PDFex targets encryption supported by the PDF standard rather than protections applied to a PDF document by an external source, researchers said. In their tests, researchers successfully used at least one of their PDFex attacks to access PDF file content in 21 out of 22 desktop-viewer applications, and five out of seven validation services, they said. Popular PDF viewers vulnerable to attacks include Adobe Acrobat, and Chrome and Firefox’s built-in PDF readers.
“PDFex abuses weaknesses in the PDF encryption standard itself to perform targeted manipulations ‘through the encryption’,” said Jens Mueller, security researcher at the chair for network and data security at Ruhr University Bochum.
For password-protected files, researchers discovered that PDFex allows an attacker to manipulate parts of a PDF file without knowing the corresponding password. However, this can only be done after the person who has the password opens the file, researchers said.
“More precisely, the PDF specification allows the mixing of ciphertexts with plaintexts,” they wrote. “In combination with further PDF features which allow the loading of external resources via HTTP, the attacker can run direct exfiltration attacks once a victim opens the file.”
When a PDF file is encrypted — typically using the Cipher Block Chaining (CBC) encryption mode with no integrity checks, implying ciphertext malleability — researchers said they could create “self-exfiltrating ciphertext parts using CBC malleability gadgets.”
“We use this technique not only to modify existing plaintext but to construct entirely new encrypted objects,” researchers reported.