New 'Shadow Attack' can replace content in digitally signed PDF files

15 out of the 28 biggest desktop PDF viewers are vulnerable, German academics say.

Shadow Attack

Fifteen out of 28 desktop PDF viewer applications are vulnerable to a new attack that lets malicious threat actors modify the content of digitally signed PDF documents.

The list of vulnerable applications includes Adobe Acrobat Pro, Adobe Acrobat Reader, Perfect PDF, Foxit Reader, PDFelement, and others, according to new research [PDF] published this week by academics from the Ruhr-University Bochum in Germany.

shadow-attack-results.png

Image: Mainka et al.

Academics have named this technique of forging documents a Shadow Attack.

The main idea behind a Shadow Attack is the concept of "view layers" -- different sets of content that are overlaid on top of each other inside a PDF document.

A Shadow Attack is when a threat actor prepares a document with different layers and sends it to a victim. The victim digitally signs the document with a benign layer on top, but when the attacker receives it, they change the visible layer to another one.

Because the layer was included in the original document that the victim signed, changing the layer's visibility doesn't break the cryptographic signature and allows the attacker to use the legally-binding document for nefarious actions -- such as replacing the payment recipient or sum in a PDF payment order or altering contract clauses.

shadow-attack-layers-check.png

Replace variant of a Shadow Attack

Image: Mainka et al.

According to the research team three variants of a Shadow Attack exist:

  • Hide -- when attackers use the PDF standard's Incremental Update feature to hide a layer, without replacing it with anything else.
  • Replace -- when attackers use the PDF standard's Interactive Forms feature to replace the original content with a modified value.
  • Hide-and-Replace -- when attackers use a second PDF document contained in the original document to replace it altogether.
shadow-attack-layers.png

Hide-and-Replace variant of a Shadow Attack

Image: Mainka et al.

"The Hide-and-Replace attack variant is the most powerful one since the content of the entire document can be exchanged," the research team says.

"The attacker can build a complete shadow document influencing the presentation of each page, or even the total number of pages, as well as each object contained therein."

Researchers say that Shadow Attacks are possible because PDF documents, even when digitally signed, allow unused PDF objects to be present inside their content.

PDF viewer apps that remove unused PDF objects when signing a document are immune to Shadow Attacks.

Patches are available

The research team said they worked with the CERT-Bund (Computer Emergency Response Team of Germany) to contact PDF app makers to report this new attack vector and have it patched before going public with their findings earlier this week.

The Shadow Attack is currently tracked with the CVE-2020-9592 and CVE-2020-9596 identifiers.

Companies should update their PDF viewer apps to make sure the PDF documents they sign can't be tampered with via a Shadow Attack.

This is the second time that this very same research team has broken digital signatures for PDF viewer applications. In February 2019, the same team broke the digital signing mechanism on 21 of 22 desktop PDF viewer apps and five of seven online PDF digital signing services to create documents with fake signatures.

Their new Shadow Attack is different from their first because it doesn't tamper with the digital signature, as the first attack, but with the content of the PDF without breaking the signature.

In addition, the same research team also discovered PDFex, a technique to break the encryption on 27 PDF viewer applications and extract data from inside encrypted documents.