Data Security

Password-protected PDFs are not enough to secure sensitive documents. No solutions available

Any deployment, no matter how well protected, may still be exposed to attack. Ethical hacking experts have found a way to extract the information contained in encrypted or password-protected Portable Document Format (PDF) files.

The group of researchers at Ruhr-Bochum University in Germany published a research paper entitled “Breaking PDF Encryption”, which describes two variants of a new attack that exposes supposedly protected information in more than 20 widely used PDF readers, such as Adobe Acrobat Reader and the viewers built into the Chrome and Firefox browsers.

This new attack, dubbed PDFex, exploits security oversights in the encryption standard integrated into this format. According to ethical hacking specialists, the method does not break the password of a document; instead it leverages a feature known as “partial encryption”, native to the PDF specification, to extract the content after users interact with the document.

Attackers don’t even need to get a document
password, experts mention. “The PDF format allows you to mix encrypted
text with plain text, allowing you to upload external resources via HTTP to a
file so that the attacker can extract the information when the targeted user
opens the file”, the experts add.

In simpler words, a hacker can alter a password-protected or encrypted PDF so that, when it is opened, an unencrypted copy of the file is sent to a remote server under the attackers’ control by means of malicious JavaScript code, URLs or PDF forms.

In the second variant of the PDFex attack, attackers exploit Cipher Block Chaining (CBC) mode to transform a piece of encrypted text into a new encrypted text, a property known as malleability.

CBC mode uses a special mechanism to encrypt
data, so encryption in each block of text depends on the previous block.
“Only knowing a plain text segment is required to manipulate an encrypted
file,” the ethical hacking experts said.
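The malleability described above, shown as an added example (not code from the researchers or from the original article). It uses a toy Feistel block cipher as a stand-in for AES, since the property comes from the CBC mode itself; the keys, sample blocks and function names are constructed for illustration, and the HMAC tag is an added integrity check that shows how the change can be detected.

```python
import hashlib, hmac, os

BLOCK = 16  # bytes per block, as in AES

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    # Round function of the toy cipher (truncated HMAC-SHA256).
    return hmac.new(key, bytes([i]) + half, hashlib.sha256).digest()[:8]

def toy_encrypt_block(key, b):
    # 4-round Feistel network standing in for AES; NOT a real cipher.
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def toy_decrypt_block(key, b):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    # Each block is XORed with the previous ciphertext block before encryption.
    out, prev = [], iv
    for i in range(0, len(pt), BLOCK):
        prev = toy_encrypt_block(key, xor(pt[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for i in range(0, len(ct), BLOCK):
        out.append(xor(toy_decrypt_block(key, ct[i:i + BLOCK]), prev))
        prev = ct[i:i + BLOCK]
    return b"".join(out)

def mac(mac_key, iv, ct):
    # Integrity tag over IV and ciphertext (encrypt-then-MAC).
    return hmac.new(mac_key, iv + ct, hashlib.sha256).digest()

def demo():
    key, mac_key, iv = os.urandom(16), os.urandom(32), os.urandom(16)
    known, wanted = b"Known 16B block!", b"changed contents"  # constructed
    ct = cbc_encrypt(key, iv, known + b"secret body text")
    tag = mac(mac_key, iv, ct)
    iv2 = xor(iv, xor(known, wanted))  # no key used: changes block 1 only
    return cbc_decrypt(key, iv2, ct), hmac.compare_digest(tag, mac(mac_key, iv2, ct))
```

`demo()` returns the plaintext a reader would obtain after the IV was altered, plus whether the original integrity tag still verifies; without such a tag the decryptor has no way to notice the change.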

Most PDF readers analyzed by researchers are exposed to the two variants of the attack, including Adobe Reader, Foxit Reader, PDF Studio Viewer and Nitro Reader. In the most severe cases, PDF readers are vulnerable to both attack variants without the need for user interaction.

Researchers reported their findings in a timely
manner to the affected companies; in addition, they publicly disclosed an
exploit proof-of-concept for the PDFex attack.

The main cause of these attacks is that multiple formats (such as XML, S/MIME, and PDF) allow users to encrypt only some parts of their content. Because of this “adaptability”, threat actors can inject their own content, creating the conditions for an attack like the one described in this research.

Specialists in ethical hacking from the International Institute of Cyber Security (IICS) mention that the use of PDF files for malicious purposes is growing considerably. One of the main attack techniques is sending malicious PDF files as email attachments. To prevent this attack variant, specialists recommend dropping support for partially encrypted PDFs and enforcing a security policy in which unencrypted objects cannot access encrypted content.
