A team of German academics has developed a new attack method capable of extracting and stealing data from encrypted PDF files.
The new attack, called PDFex, comes in two variations. In testing, it successfully stole data from PDFs in 27 desktop and web PDF readers, including Adobe Acrobat, Foxit Reader and Nitro, as well as from Chrome and Firefox’s built-in PDF viewers.
PDFex doesn’t actually target the encryption applied to PDF documents by external software. Instead, the attack targets the encryption schemes used by the Portable Document Format (PDF) itself, which means all PDFs are vulnerable regardless of the software used to view them.
While the PDF standard supports native encryption, a team of six academics from Ruhr-University Bochum and Münster University in Germany found issues with the standard’s encryption support and leveraged these to create PDFex.
According to a blog post published by the researchers, encrypted PDF documents are vulnerable to two attack types, each known by the method used to carry out the attack and exfiltrate data.
The first, known as “direct exfiltration”, uses the fact that PDF software doesn’t encrypt the entirety of a PDF file and actually leaves some parts unencrypted. By tampering with these unencrypted fields, an attacker can create a booby-trapped PDF file that will attempt to send the file’s content back to the attacker when decrypted and opened.
The second PDFex attack variation focuses on the parts of a PDF file that are encrypted. By using CBC gadgets, an attacker can modify the plaintext data stored in a PDF at its source. This means that an attacker can use a CBC gadget to modify the encrypted content to create booby-trapped PDF files that submit their own content to remote servers using PDF forms or URLs.
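The malleability that CBC gadgets rely on, as an added example that is not from the original article or the researchers: CBC mode alone carries no integrity check, so changing the IV changes the first decrypted block without the key, while an encrypt-then-MAC check rejects the same change. It generalizes beyond PDF; the Feistel stand-in for AES, the sample plaintext and all function names are assumptions made so the code runs with the standard library only.

```python
import hashlib, hmac, os

BLOCK = 16

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _perm(key, blk, rounds):  # Feistel stand-in for AES; same routine both ways
    l, r = blk[:8], blk[8:]
    for i in rounds:
        f = hashlib.sha256(key + bytes([i]) + r).digest()[:8]
        l, r = r, _xor(l, f)
    return r + l

def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = _perm(key, _xor(pt[i:i + BLOCK], prev), range(4))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(_xor(_perm(key, ct[i:i + BLOCK], range(3, -1, -1)), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def verify_then_decrypt(enc_key, mac_key, iv, ct, tag):
    # Encrypt-then-MAC: reject any change to IV or ciphertext before decrypting
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("IV or ciphertext was modified")
    return cbc_decrypt(enc_key, iv, ct)

def demo():
    enc_key, mac_key, iv = os.urandom(16), os.urandom(32), os.urandom(BLOCK)
    pt = b"status=draft    owner=alice     "  # constructed sample, two blocks
    ct = cbc_encrypt(enc_key, iv, pt)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    # Keyless edit: P0 = D(C0) xor IV, so IV xor known xor wanted rewrites block 0
    new_iv = _xor(_xor(iv, pt[:BLOCK]), b"status=final    ")
    plain_cbc = cbc_decrypt(enc_key, new_iv, ct)  # decrypts without any error
    try:
        verify_then_decrypt(enc_key, mac_key, new_iv, ct, tag)
    except ValueError:
        return plain_cbc, True
    return plain_cbc, False
```

`demo()` returns the silently altered plaintext from plain CBC together with a flag showing that the authenticated path rejected the same input.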
All of the different variations of PDFex require that an attacker be able to modify a user’s encrypted PDF files. However, to do this they would have to intercept a victim’s network traffic or have physical access to their devices or storage.
All in all, PDFex is a major vulnerability in the PDF standard and the research team behind the new attack will be presenting their findings at the ACM Conference on Computer and Communications Security next month.
Also published at: http://www.techradar.com/news/pdf-files-posing-a-major-security-risk-again