The PDF specification defines two types of digital signatures:
Approval signatures testify a specific document state. The specification allows the usage of multiple signatures on the same document. Any other change on a signed document leads to an invalidation of the approval signature or warnings in most PDF viewers. Hereafter, we use the terms signature and signed document for approval signatures.
Certification signatures provide a more powerful and flexible mechanism to handle digitally signed documents. During the document’s certification, the owner defines a list of allowed modifications that do not invalidate the document’s certification signature. These allowed modifications can be a subset of the following actions: writing text to specific form fields (even without signing the document), providing annotations to the document, or adding approval signatures. Since a certification signature sets permissions on the entire document, only one certification signature is allowed within a PDF document. This certification signature must also be the first signature in the PDF. Hereafter, we use the terms certification and certified document for certification signatures. You can find more information on certification signatures here.
So what is the problem?
We investigate the following question: How dangerous are permitted changes in certified documents?. To answer this question we systematically analyze the allowed modifications in certified documents and reveal two new vulnerabilities abusing flaws in the PDF specification: Evil Annotation Attack (EAA) and Sneaky Signature Attack (SSA). These vulnerabilities allow an attacker to change the visible content of a PDF document by displaying malicious content over the certified content. Nevertheless, the certification remains valid and the application shows no warnings.
How bad is it?
We evaluated 26 PDF applications and were able to break the security of certified documents in 24 of them. Additionally, we analyzed 26 applications to determine whether the permissions for adding annotations and signatures, as defined in the PDF specification, were implemented correctly. We show that for 11 of 26 applications, a permission mismatch exists.
The detailed results of our study can be found in the Evaluation and in our Paper (S&P’21).
Code Injection Attack on Adobe: Only certified documents may execute high privileged JavaScript code in Adobe products. For example, a high-level JavaScript can call an arbitrary URL without user confirmation to deanonymize a user. Our research reveals that such code is also executed if it is added as an allowed incremental update. We are the first to reveal that this behavior allows attackers to directly embed malicious code into a certified document.
My PDF Reader is not listed
If you use another Reader, you should contact the support team for your application. Alternatively, you can use the provided Exploits to test your application.