<i>36c3 preroll music</i>

Herald: The next talk is on how to break
PDF's, breaking the encryption and the

signatures, by Fabian Ising and Vladislav
Mladenov. Their talk was accepted at CCS

this year in London and they had that in
November. It comes from research that

basically produced two different kinds of
papers and it has been... people worldwide

have been interested in what has been
going on. Please give them a great round

of applause and welcome them to the stage.

<i>Applause</i>

Vladi: So can you hear me? Yeah. Perfect.
OK. Now you can see the slides. My name is

Vladislav Mladenov, or just Vladi if you
have some questions to me and this is

Fabian. And we are allowed today to talk
about how to break PDF security or more

special about how to break the
cryptography operations in PDF files. We

are a large team from university of
Bochum, Mue nster and Hackmanit GmbH. So as

I mentioned: We will talk about
cryptography and PDF files. Does it work?

Fabian: All right. OK. Let's try that
again. Okay.

Vladi: Perfect. This talk will consist of
two parts. The first part is about

digitally signed PDF files and how can we
recognize such files? If we open them we

see the information regarding that the
file was signed and all verification

procedures were valid. And more
information regarding the signature

validation panel and information about who
signed this file. This is the first part

of the talk and I will present this topic.
And the second part is regarding PDF

encrypted files and how can we recognize
such files? If you tried to open such

files, the first thing you see is the
password prompt. And after entering the

correct password, the file is decrypted
and you can read the content within this

file. If you open it with Adobe,
additional information regarding if this

file is secured or not is displayed
further. And this is the second part of

our talk, and Fabian, will talk: how can
we break the PDA encryption? So before we

start with the attacks on signatures or
encryption, we first need some basics. And

after six slides, you will be experts
regarding PDF files and you will

understand everything about it. But maybe
it's a little bit boring, so be patient:

there are only 6 slides. So the first is
quite easy. PDF files are... the first

specification was in 1993 and almost at
the beginning PDF cryptography operations

like signatures and encryption was already
there. The last version is PDF 2.0 and it

was released in 2017. And according to
Adobe 1.6 billion files are on the web and

perhaps more exchange beyond the web. So
basically PDF files are everywhere. And

that's the reason why we consider this
topic and tried to find or to analyze the

security of the features. If we have some
very simple file and we open it with Adobe

Reader, the first thing we see is, of
course, the content. "Hello, world!" in

this case, and additional information
regarding the focused page and how many

pages this document has. But what would
happen if we don't use a PDF viewer and

just use some text editor? We use the
Notepad++ to open and later manipulate the

files. So I will zoom this thing... this
file. And the first thing we see is that

we can read it. Perhaps it's quite, quite
funny. And but we can still extract some

information of this file. For example,
some information regarding the pages. And

here you can see the information that the
PDF file consists of one page. But more

interesting is that we can see the
content of the file itself. So the lessons

we learned is that we can use a simple
text editor to view and edit PDF files.

And for our attacks, we used only this
text editor. So let's go to the details.

How PDF files are structured and how they
are processed. PDF files consist of 4

parts: header, body and body is the most
important part of the PDF files. The body

contains the entire information presented
to the user. And 2 other sections: Xref

section and trailer. Very important think
about processing PDF files, is that

they're processed not from the top to the
bottom, but from the bottom to the top. So

the first thing is that the PDF viewer
analyses or processes is the trailer. So

let's start doing that. What information
is starting this trailer? Basically, there

are two very important informations. On
the first side this is the information:

what is the root element of this PDF? So
which is the first object which will be

processed? And the second important
information is where the Xref section

starts. It's just a byte offset pointing
to the position of the XRef section within

the PDF file. So this pointer, as
mentioned before, points to the Xref

section. But what is the Xref section
about? The Xref section is a catalog

pointing or holding the information where
the objects defined in the body are

contained or the byte positions of this
object. So how can we read this weird Xref

section? The first information we extract
is that the first object, which is defined

here, is the object with ID 0 and we have
5 further elements or objects which are

defined. So the first object is here. The
first entry is the byte position within

the file. The second is its generation
number. And the last charter points, if

this object is used or not used. So
reading it, reading this Xref section, we

extract the information that the object
with ID 0 is at byte position 0 and is not

in use. So the object with ID 1 is at the
position 9 and so on and so forth. So for

the object with ID 4 and the object number
comes from counting it: 0 1, 2, 3 and 4.

So the object with ID 4 can be found at
the offset 184 and it's in use. In other

words, the PDF viewer knows where each
object will be found and can properly

display it and process it. Now we come to
the most important part: the body, and I

mentioned it that in the body the entire
content which is presented to the user is

contained. So let's see. Object 4 0 is
this one and as you can see, it contains

the word "Hello World". The other objects
are a reference, too. So each pointer

points exactly to the starting position of
each of the objects. And how can we read

this object? You see, we have an object
starting with the ID number, then the

generation number and the word "obj". So
you now know where the object starts

and when it ends. Now how can we process
this body? As I mentioned before in the

trailer, there was a reference regarding
the root element and this element was with

ID 1 and generation number 0. So, we now
we start reading the document here and we

have a catalog and a reference to some
pages. Pages is just a description of all

the pages contained within the file. And
what can we see here is that we have this

number count once or we have only one page
and a reference to the page object which

contains the entire information
inscription of the page. If we have

multiple pages, then we will have here
multiple elements. Then we have one page.

And here we have the contents, which is a
reference to the string we already saw.

Perfect. If you understand this then you
know everything or almost everything about

PDF files. Now you can just use your
editor and open such files and analyze

them. Then we need one feature... I forgot
the last part. The most simple one. The

header. It should just one line stating
which version is used. For example, in our

case, 1.4. For the last version of Adobe
here will be stated 2.0. Now, we need this

one feature called "Incremental Update".
And I call this feature - do you know this

feature highlighting something in the PDF
file or putting some sticky notes?

Technically, it's called "incremental
update." I just call it reviewing master

and bachelor thesis of my students because
this is exactly the procedure I follow. I

just read the text and highlight something
and store the information I put at it.

Technically by putting such a sticky note.
this additional information is appended

after the end of the file. So we have a
body update which contains exactly the

information additionally of the new
objects and of course, new Xref section

and a new trailer pointing to this new
object. Okay, we are done. Considering

incremental update, we saw that it is used
mainly for sticky notes or highlighting.

But we observed something which is very
important because an incremental update we

can redefine existing objects, for
example, we can redefine the object with

ID 4 and put new content. So we replace in
this manner the word "Hello World" with

another sentence and of course the Xref
section and the trailer point to this new

object. So this is very important. With
incremental update we are not stuck to

only adding some highlighting or notes. We
can redefine already existing content and

perhaps we need this for the attacks we
will present. So let's talk about PDF

signatures. First, we need a difference
between electronic signature and digital

signature. Electronic signature. From a
technical point of view, it's just an

image. I just wrote it on my PC and put it
into the file. There is no cryptographic

protection. It could be me lying on the
beach doing something. From cryptographic

point of view is the same. It does not
provide any security, any cryptographic

security. What we will talk about here is
about digitally signed files, so if you

open such files, you have the additional
information regarding the validation about

the signatures and who signed this PDF
file. So as I mentioned before, this talk

will concentrate only on these digitally
signed PDF files. How? What kind of

process is behind digitally signing PDF
files? Imagine we have this abstract

overview of a PDF document. We have the
header, body, Xref section and trailer. We

want to sign it. What happens is that we
take this PDF file and via incremental

update we put additional information
regarding that. There is a new catalog and

more important, a new signature object
containing the signature value and

information about who signed this PDF
file. And of course, there is an Xref

section and trailer. And relevant for you:
The entire file is now protected by the

PDF signature. So manipulations within
this area should not be possible, right?

Yeah, let's talk about this: why it's not
possible and how can we break it? First,

we need an attack scenario. What we want
to achieve as an attacker. We assumed in

our research that the attacker possesses
this signed PDF file. This could be an old

contract, receipt or, in our case, a bill
from Amazon. And if we open this file, the

signature is valid. So everything is
green. No warnings are thrown and

everything is fine. What we tried to do is
to take this file, manipulate it somehow

and then send it to the victim. And now
the victim expects to receive a digitally

signed PDF file, so just tripping the
digital signature is a very trivial

scenario and we did not consider it
because it's trivial. We considered that

the victim expects to see that there is a
signature and it is valid. So no warning

casts are thrown and the entire left side
is exactly the same from the normal

behavior. But on the other side, the
content was exchanged so we manipulated

the receipt and exchanged it with another
content. The question is now: how can we

do it on a technical level? And we came up
with three attacks: incremental saving

attacks, signature wrapping and universal
signature forgery. And I will now

introduce the techniques and how these
attacks are working. The first attack is

the incremental saving attack. So I
mentioned before that via incremental

saving or via incremental updates, we can
add and remove and even redefine already

existing objects and the signature still
stays valid. Why is this happening?

Consider now again our case. We have some
header, body, Xref table and trailer and

the file is now signed and the signature
protects only the signed area. So what

would happen if I put a sticky note or
some highlighting? An incremental update

happens. If I open this file, usually this
happens: We have the information that this

signature is valid, when it was signed and
so on and so forth. So our first idea was

to just put new body updates, redefine
already existing content and with a Xref

table and trailer we point to the new
content. This is quite trivial because

it's a legitimate feature in PDF files, so
we didn't expect to be quite successful

and we were not so successful. But the
first idea: we applied this attack, we

opened it and we got this message. So it's
kind of a weird message because an

experienced user sees valid, but the
document has been updated and you should

know what does this exactly mean. But we
did not consider this attack as successful

because the warning is not the same or the
status of the signature validation is not

the same. So what we did is to evaluate
this first against this trivial case,

against older viewers we have, and Libre
office, for example, was vulnerable

against this trivial attack. This was the
only viewer which was vulnerable against

this trivial variation. But then we asked
ourselves: Okay, the other viewers are

quite secure. But how do they detect these
incremental updates? And from developer

point of view, the laziest thing we can do
is just to check if another Xref table and

trailer were added after the signature was
applied. So we just put our body updates

but just deleted the other two parts. This
is not a standard compliant PDF file. It's

broken. But our hope was that the PDF
viewer fixes this kind of stuff for us and

that these viewers are error-tolerant. And
we were quite successful because the

verification logic just checked: Is there
an Xref table and trailer after the

signature was applied? No? Okay.
Everything's fine. The signature is valid.

No warning was thrown. But then the
application logic saw that incremental

updates were applied and fixed this for us
and processed these body updates and no

warning was thrown. Some of the viewers
required to have a trailer. I don't know

why - it was a Black box testing. So we
just removed the Xref table, but the

trailer was there and we were able to
break further PDF viewers. The most

complex variation of the attack was the
following: We had the PDF viewers checked

if every incremental update contains a
signature object. But they did not check

if this signature is covered by the
incremental update. So we just copy-pasted

the signature which was provided here and
we just forced the PDF viewer to validate

this signed content twice - and still our
body updates were processed and for

example, Foxit or Master PDF were
vulnerable against this type of attack. So

the evaluation of our attack: We
considered as part of our evaluation 22

different viewers - among others, Adobe
with different versions, Foxit, and so on.

And as you can see 11 of 22 were
vulnerable against incremental saving. So

50 percent, and we were quite surprised
because we saw that the developers saw

that incremental updates could be
dangerous regarding the signature

validation. But we were still able to
bypass their considerations. We had - a

full signature bypass means that there is
no possibility for the victim to detect

the attack. A limited signature bypass
means that the victim, if the victim

clicks on one - at least one - additional
window and explicitly wants to validate

the signature, then the viewer was
vulnerable. But the most important thing

is by opening the file, there was a status
message that the signature validation and

all signatures are valid. So this was the
first layer and the viewers were

vulnerable against this. So let's talk
about the second attack class. We called

it "signature wrapping attack" and this is
the most complex attack of the 3 classes.

And now we have to go a little bit into
the details of how PDF signatures are

made. So imagine now we have a PDF file.
We have some header and the original

document. The original document contains
the header, the body, the Xref section and

so on and so forth. And we want to sign
this document. Technically, again, an

incremental update is provided and we have
a new catalog here. We have some other

objects, for example, certificates and so
on and the signature objects. And we will

now concentrate on this signature object
because it's essential for the attack we

want to to carry out. And the signature
object contains a lot of information, but

we want for this attacks only two elements
are relevant: The contents and the byte

range. The contents contains the signature
value. It's a PKCS7 container containing

the signature value and the certificates
used to validate the signature and the

bytes range. The byte range contains four
different values and what how these values

are being used. The first two, A and B
define the first signed area. And this is

here from the beginning of the document
until the start of the signature value.

Why we need this? Because the signature
value is part of the signed area. So we need

to exclude the signature value from the
document computation. And this is how the

bytes range is used. The first part is
from the beginning of the document until

the signed the signature value starts and
after the signature ends until the end of

the file is the second area specified by
the two digits C and D. So, now we have

everything protected besides the signature
value itself. What we wanted to try is to

create additional space for our attacks.
So our idea was to move the second signed

area. And how can we do it? So basically
we can do it by just defining another byte

range. And as you can see here, the byte
range points from area A to B. So this

area we didn't made any manipulation in
this part, right? It was not modified at

all. So it's still valid. And the second
part, the new C value and the next D

bytes, we didn't change anything here,
right? So basically, we didn't changed

anything in the signed area. And the
signature is still valid. But what we

created was a space for some malicious
objects; sometimes we needed some padding

and a new extra section pointing to this
malicious objects. Important thing was

that this malicious Xref sections, the
position is defined by the trailer. And

since we can not modify this trailer, this
position is fixed. So this is the only

limitation of the attack, but it works
like a charm. And the question is now: How

many PDF viewers were vulnerable against
this attack? And as you can see, this is

the signature wrapping column. 17 out of
22 applications were vulnerable against

this attack. This was quite expected
result because the attack was complex we

saw that many developers didn't, were not
aware of this threat and that's the reason

why so many vulnerabilities were there.
Now to the last class of attacks,

universal signature forgery. And we called
it universal signature forgery, but I

preferred to use another definition for
this attacks. I call them stupid

implementation flaws. We are coming from
the PenTesting area and I know a lot of

you are PenTesters, too. And, many of you
have experience, quite interesting

experience with zero bytes, null values or
some kind of weird values. And this is

what we tried in this kind of attacks.
Just tried to do some stupid values or

remove references and see what happen.
Considering the signature, there are two

different important elements: The contents
containing the signature value and the

byte range pointing to what is exactly
signed. So, what would happen if we remove

the contents? Our hope was that the
information regarding the signature is

still shown by the viewer as valid without
validating any signature because it was

not possible. And by just removing the
signature value is quite obvious idea. And

we were not successful with this kind of
attack. But let's proceed with another

values like for example, contents without
any value or contents like equals NULL or

zero bytes. And considering this last
version, we had two viewers which were

vulnerable against this attack. And
another, another case is, for example, by

removing the byte range. By removing this
byte range we have some signature value,

but we don't know what is exactly signed.
So, we tried this attack and of course,

byte range without any value or NULL bytes
or byte range with a minus or negative,

negative numbers. And usually this last
crashed very a lot of viewers. But the

most interesting is that Adobe made this
mistake by just removing the byte range.

We were able to bypass the entire
security. We didn't expect this behavior,

but it was a stupid implementation flaw,
allowing us to do anything in this

document and all the exploits we show in
our presentations were made on Adobe with

this attack. So let's see what were the
results of this attack. As you can see,

only 4 of 22 viewers were vulnerable
against this attack and only Adobe

unlimited; for the others, there was
limitation because if you click on the

signature validation, then a warning was
thrown. It was very easy for Adobe to fix.

And as you can see, Adobe didn't mistake,
made any mistake regarding incremental

saving, a signature wrapping, but
regarding controversial signature forgery.

There were vulnerable against this attack.
And this was the hope of our approach. In

summary, we were able to break 21 of 22
PDF viewers. The only

<i>Applause</i>
Thanks.

<i>Applause</i>
The only secure PDF viewer is Adobe 9,

which is deprecated and has remote code
execution. The only

<i>Laugh</i>
The only users allowed to use them or are

using it are Linux users, because this is
the last version available for Linux and

that's the reason why you consider it. So,
I'm done with the talk about PDF

signatures and now Fabian can talk about
PDF encryption. Thank you.

Fabian: Yes
<i>Applause</i>

OK, now that we have dealt with the
signatures, let's talk about another

cryptographic aspect in PDFs. And that is
encryption. And some of you might remember

our PDFex vulnerability from earlier this
year. It's, of course, an attack with a

logo and it presents two novel tech
techniques targeting PDF encryption that

have never been applied to PDF encryption
before. So one of them is these so-called

direct exfiltration where we break the
cryptography without even touching the

cryptography. So no ciphertext
manipulation here. The second one as so-

called malleability gadgets. And those are
actually targeted modifications of the

ciphertext of the document. But first,
let's take a step back and let again take

some keywords in. So PDF uses AES. OK.
Well, AES is good. Nothing can go wrong,

right? So let's go home. Encryption is
fine. Well, of course, we didn't stop

here, but took a closer look. So they use
CBC mode of operation, so cipher block

chaining. And, what's more important is
that they don't use any integrity

protection. So it's unintegrity protected
AES-CBC. And you might remember the

scenario from the attacks against
encrypted e-mail, so against OpenPGP and

S-MIME, it's basically the same problem.
But first, who actually uses PDF

encryption? You might ask. For one, we
found some local banks in Germany use

encrypted PDFs as a drop-in replacement
for S-MIME or OpenPGP because their

customers might not want to deal with uhm,
set, with the setup of encrypted e-mail.

Second one, were some drop-in plugins for
encrypt e-mail as well. So there are some

companies out there that produce product
that you can put into your outlook and you

can use encrypted PDF files instead of
encrypted email. We also found that some

scanners and medical devices were able to
send encrypted PDF files via e-mail. So

you can set a password on that machine and
they will send the encrypted PDF via

e-mail and you have to put in the
password some other way. And lastly, we

found that some governmental organizations
use encrypted PDF documents, for example,

the US Department of Justice allows for
the send, sending in some claims via

encrypted PDFs. And I've exactly no idea
how you how they get the password, but at

least they allow it. So as we are from
academia, let's take a step back and look

at our attacker model. So we've got Alice
and Bob. Alice wants to send a document to

Bob. And she wants to send it over an
unencrypted channel or a channel she

doesn't trust. So of course, she decides
to encrypt it. Second scenario is, they

want to upload it to a shared storage. For
example, Dropbox or any other shared

storage. And of course, they don't trust
the storage. So, again, they use end-to-

end encryption. So let's assume that this
shared storage is indeed dangerous or

malicious. So, Alice will, of course,
again upload the encrypted document to the

attacker in this case, will perform some
targeted modification of that, and will

send the modified documents back to Bob,
who will happily put in the password

because from his point of view, it's
undistinguishable from the original

document and the original plain text will
be leaked back to the attacker, breaking

the confidentiality. So let's take a look
at the first attack on how we did that.

That's the direct exfiltration, so
breaking the cryptography without touching

any cryptography, as I like to say. But
first, encryption in, in a nutshell, PDF

encryption. So you have seen the structure
of the PDF document. There is a header

with a version number. There's a body
where all the interesting objects live. So

there is our confidential content that we
want to actually, well, to actually

exfiltrate as an attacker. And finally,
there is Xref table and the trailer. So

what changes if we decide to encrypt this
document? Well, actually, not a whole lot.

So instead of confidential data, of
course, there's now some encrypted

ciphertext. Okay. And the rest pretty much
remains the same. The only thing that is

added is a new value in the trailer that
tells us how to decrypt this data again.

So there's pretty much of the structure
left unencrypted. And we thought about:

Why is this? And we took a look at the
standard. So, this is an excerpt from the

PDF specification and I've highlighted the
interesting parts for you. Encryption is

only applied to strings and streams. Well,
those of the values that actually can

contain any text in the document and all
other objects are not encrypted. And that

is because, well, they want to allow
random access to the whole document. So no

parsing the whole document before actually
showing page 16 of the encrypted document.

Well, that seems kind of reasonable. So,
but that also means that the whole

documents structure is unencrypted and
only the streams and strings are

encrypted. This reveals a lot of
information to an attacker that he or she

shouldn't have probably. That's for one
the number and size of pages, that's the

number and size of objects in the document
and that's also including any links, so

any hyperlinks in document that are
actually there. So, that's a lot of

information an attacker probably shouldn't
have. So, next we thought maybe we can do

some more stuff. Can we add our own
unencrypted content? And we took a look at

the standard again and found that our so-
called crypt filters, which provide finer

granularity control of the encryption.
This basically means as an attacker, I can

change a document to say, hey, only
strings in this document are encrypted and

streams are unencrypted. That's what the
identity filter is for. I have no idea why

they decided to add that to a document
format, but it's there. So that means

their support for partial encryption and
that means attackers content can be mixed

with actual encrypted content. And we
found 18 different techniques to do that

in different readers. So there is a lot of
ways to do that in the different readers.

So let's have a look at a demo. So we have
this document, this encrypted document, we

put in our password and get our secret
message. We now open it again in a text

editor. We see, in object 4 0 down here,
there's the actual ciphertext of the

object, so of the message, and we see it's
AES encrypted, with a 32 byte key, so it's

AES-256. OK. Now we decide to add a new
object that contains, well, plaintext.

And, well, we simply add that to the
contents array of this document. So, we

say "Display this on the first page", save
the document. We open it, and we'll put in

our password and, oh well, this is indeed
awkward. OK. So, now, we have broken the

integrity of an encrypted document. Well,
you might think maybe they didn't want any

integrity in the encrypted files. Maybe
that's the use case people have, I don't

know. But we thought, maybe we can somehow
exfiltrate the plaintext this way. So

again, we took a step back, and looked at
the PDF specification. And the first thing

we found were so-called submit-form
actions. And that's basically the same as

a form on a website. You can put in data.
You might have seen this in a contract, in

a PDF contract, where you can put in your
name, and your address, and so on, and so

on, and the data that is saved inside of
that is saved in strings and streams. And

now remember that is everything that is
encrypted in a document. And, of course,

you can also send that back to an
attacker, or well, to a legitimate use

case, of course, via clicking a button,
but clicking buttons is pretty lame. So we

again looked at the standard and found the
so-called open action. And that is an

action, for example, submitting a form
that can be performed upon opening a

document. So how might this look? This is
how a PDF form looks, already with the

attack applied. So, we've got an URL here
that is unencrypted, because all strings

in this document are unencrypted, and
we've got the value object 2 O, where the

actual encrypted data lives. So, that is
the value of the form fields. And what

will happen on the attacker side as soon
as this document is opened? Well, we'll

get a post request with a confidential
content. Let's have a demo. Again, we have

this document. We put in our password.
It's the original document you have

already seen. We reopen it in a text
viewer, or a text editor, again see it's

encrypted, and we decide to change all
strings to the identity filter. So, no

encryption is applied to strings from now
on. And then we add a whole blob of

information for the open action, and for
the form. So this will be op- this will be

performed, as soon as the document is
opened. There is a URL, p.df, and the

value is the encrypted object 4 0. We
start an HTTP server on the domain we

specified, we open the document, put in
the password again, and as soon as we open

the document Adobe will helpfully show us
a warning, but they will already click the

button for remembering that for the
future. And if you accept that, you will

see your secret message on the attacker
server. And that is pretty bad already.

OK. The same works for hyperlinks, so, of
course, there are links in PDF documents,

and as on the Web, we can define a base
URL for hyperlinks. So we can say all URLs

from this document start with http://p.df.
And of course we can define any object as

a URL. So any object we prepared this way
can be sent as a URL, and that will, of

course, trigger a GET request upon opening
the document again, if you defined an open

action for the same object. So again,
pretty bad and breaks confidentiality. And

of course, everybody loves JavaScript in
PDF files, and that works as well. Okay.

Let's talk about ciphertext attacks, so
actual cryptographic attacks, no more not

touching the crypto. So you might remember
the efail attacks on OpenPGP and S/MIME,

and those had basically three
prerequisites. 1: Well, ciphertext

malleability, so it's called malleability
gadgets. That's why we need ciphertext

malleability, and we've got no integrity
protection, that's a plus. Then we need

some known plaintext for actual targeted
modifications. And we need an exfiltration

channel to send the data back to an
attacker. Well, exfiltration channels are

already dealt with as we have hyperlinks
and forms. So we can already check that.

Nice. Let's talk about ciphertext
malleability, or what we call gadgets. So,

some of you might remember this from
crypto 101, or whatever lecture you ever

had on cryptography. This is the
decryption function of CBC, so cipher

block chaining. And it's basically, you've
got your ciphertext up here, and your

plaintext down here. And it works by
simply decrypting a block of ciphertext,

XORing the previous block of ciphertext
onto that, and you'll get the plaintext.

So what happens, if you decide to change a
single bit in the ciphertext, for example,

the first bit of the initialization
vector? Well, that same bit will flip in

the actual plaintext. Wait a second. What
happens, if you happen to know a whole

plaintext block? Well, we can XOR that
onto the first block, and basically get

all zeros, or what we call a gadget, or a
blank sheet of paper, because we can write

on that by taking a chosen plaintext and
XORing that onto this results. And this

way we can, for example, construct URLs in
the actual ciphertext, or in the actual

resulting plaintext. What we can also do
with these gadget is, gadgets is moving

them somewhere else in the document,
cloning them, so we can have multiple

gadgets, at multiple places in the
ciphertext. But remember, if you do that,

there's always the avalanche effect of
CBC, so you will have some random bytes in

here, but the URL still remains in place.
Okay. That's ciphertext malleability done.

As I've said we need some plaintext. We
need to have some known plaintext. And as

the PDF standard has been pretty helpful
up until now, in breaking PDF encryption,

let's take a look again. And what we found
here: Permissions. So a PDF documents can

have different permissions for the author,
and the user of the document. This

basically means the author can edit the
document and the users might not be able

to do that. And of course, people started
to change with that- started to tamper

with that value, if it was left
unencrypted, so in the newest version, it

was decided this should be encrypted as a
16 byte value. So we've got 16 bytes. How

do they look? Well, at first, we need room
for extension. We need lots of

permissions. Then we put 4 bytes of the
actual permission value - That is also in

unencrypted form in document. Then we need
one byte for encrypted metadata, and for

some reason we need some acronym, "adb",
I'll leave it to you to figure out what

that stands for. And finally, we've got
four random bytes, because we have to fill

up 16 bytes, and we have run out of ideas.
Okay. We take all of that, encrypt it, and

oh well, we know a lot of that, and that
is basically known plaintext by design.

Which is bad. Let's look at how this looks
in a document. So, you see the perms

value, I've marked it down here. That is
the actual extended value I've shown you

on the last slide. And above that you'll
see the unencrypted value that's inside

this perms value, so the minus 4 in this
case, it's basically a bit field. On the

right side you see the actual encrypted
contents, and helpfully, all of this is

encrypted under the same document-wide key
in the newest version of the

specification. And that means we can you
reuse this plaintext anywhere in the

document we want, and we can reuse this
to build gadgets. To sum that last point

up for you: Adobe decided to add
permissions to the PDF format, and people

thought of tampering with them. So they
decided to encrypt these permissions to

prevent tampering, and now known plaintext
is available to attackers. All right. So

that's basically all of the prerequisites
done, and let's again have a demo. So, we

again open this document, put in our
password, well, as soon as Chrome decides

to open this document, we put in our
password. It's the same as before. Now,

I've prepared a script for you, because I
really can't do this live, and it

basically does what I've told you. It's
getting a blank gadget from the perms

value. It's generating a URL from that.
It's generating a field name, so that it

will look nice on the server side, we
regenerate this document and put a form in

there. We start a web server, open this
modified document, put in the password

again and oh well, Chrome doesn't even
ask. So as soon as this document is opened

in Chrome and the password is put in,
we'll get our secret message delivered to

the attacker.
<i>Applause</i>

So we took a look at 27 viewers and found
all of them vulnerable to at least one of

our attacks. So some of them work with no
user interaction as we have seen in

Chrome. Some work with user interaction in
specific cases, as you've seen with Adobe

with a warning, but generally all of these
were attackable in one way or the other.

So what can be done about all of this?
Well, you might think signatures might

help. That's usually the first point
people bring up: "A signature on the

encrypted file will help." Well, no, not
really. Why is that? Well, for one, a

broken signature does not prevent opening
the document. So we'll still be able to

exfiltrate as soon as a password is put
in. Signatures can be stripped because

they're not encrypted. And as you have
seen before, they can also be forged in

most viewers. Signatures are not the
answer. Closing exfiltration channels is

also not the answer because for one, it's
hard to do. And how would you even find

all exfiltrations channels in an 800 pages
standard? And I mean, we have barely

scratched the surface of exfiltration
channels. And should we really remove

forms and hyperlinks from documents? And
should we remove JavaScript? OK, maybe we

should. And finally, if you have to do
that, please ask the user before

connecting to a web server. So let's look
at some vendor reactions. Apple decided to

do exactly what I've told you: to add a
dialog to warn the user and even show the

whole URL with the encrypted plaintext.
And Google decided to stop trying to fix

the unfixable in Chrome. They fixed the
automatic exfiltration, but there's really

nothing they can do about the standard. So
this is a problem that has to be done in

the standard. And that is basically that.
For mitigating wrapping attacks, we have

to deprecate partial encryption and
disallow access from unencrypted to

encrypted objects. And against the gadget
attacks, we have to use authenticated

encryption like AES-GCM. OK. And Adobe has
told us that they were escalating this to

the ISO working group that's now
responsible for the PDF standard and this

will be taken up in the next revision. So
that's a win in my book.

<i>Applause</i>

Herald: Thank you so much, guys. That was
really awesome. Please queue up by the

microphones if you have any questions, we
still have some time left for Q and A. But

I think your research is really, really
interesting because it opens my mind to

like how would this actually be able to be
misused in practice? Like, and I don't

know, like, what's your take? I guess
since you've been working so much with

this, you must have some kind of idea as
to what devious things you could come up

with.
Fabian: I mean, it's still an attacker

scenario that requires a lot of resources
and a very motivated attacker. So this

might not be very important to the normal
user. Let's be real here. So most of us

are not targeted by the NSA, I guess. So
you need an active attacker, an active man

in the middle to actually perform these
attacks.

Herald: Great. Thank you. And then I think
we have a question from microphone number

four, please.
Microphone 4: Yes. You'll said that the

next standard might have a fix.
Do you know a time frame on how long it

takes to build such a standard?
Fabian: Well, no, we don't really know. We

have talked with Adobe and they told us
they will show the next version of the

standard to us before actually releasing
that, but we have no time frame at all

from them.
Microphone 4: OK. Thank you.

Herald: Thank you.
Microphone number five, please.

Microphone 5: Thank you for a very
interesting talk. You showed in the first

part that the signature has like these
four numbers with the byte range. And why

is this, like four numbers, not part of a
signature? Is there a technical reason for

that? Because the byte offset is
predictable.

Vladi: It is! The bytes ranges protected
by the signature. But we just defined the

second one and just moved the signed one
to be validated later. So there are two

byte ranges. But only the first one, the
manipulated one, will be processed.

Microphone 5: Thank you.
Herald: Thank you so much. Microphone

number four, please.
Microphone 4: Oh, this is way too high for

me. OK. I have an answer and a question
for you. You mentioned during the talk

that you weren't sure how the Department
of Justice did distributes the passwords

for encrypting PDFs. The answer is: in
plain text, in a separate email or as the

password of the week, which is distributed
through various means. That is also what

the Department of Homeland Security does,
and the military is somewhat less stupid.

As a question: I have roughly a half
terabyte of sensitive PDFs that I would

like to scan for your attack and also for
redaction failures. Do you know of any

fast, feasible ways to scan documents for
the presence of this kind of attack?

Fabian: I don't know of any tools, but I
mean, scanning for the gadget attacks is

actually possible if you tried to do some
entropy detection. So, because you reuse

ciphertext, you will have less entropy in
your ciphertext, but that's pretty hard to

do. Direct exfiltration should probably be
detectable by scanning simply for words

like "identity". Well, beyond that, 18
different techniques that we provided in

the paper. But I don't know of any tools
to do that automatically.

Microphone 4: Thank you.
Herald: Great. Thank you. And microphone

number two, please. Microphone 2: Thank
you for your very interesting

presentation. I have one suggestion and
one question for the mitigation scheme. If

you simply run your PDF reader in a
virtual machine, that is firewalled away,

so your firewall won't led you to anybody
going out. But for the signature

forgeries, I had an idea. I'm not sure if
this is actually a stupid idea, but did

you consider faking the certificate?
Because presumably the signature is

protected by the seller's certificate. You
make up your own, signing with that. Does

it catch it and how?
Vladi: We considered it but not in this

paper. We assume that the certificate and
the entire chain of trust for this path is

totally secure. It was just an assumption
to just concentrate only on the attacks we

already found. So, perhaps there will be
further research provided by us in the

next months and years.
Herald: We might just hear more from you

in the future. Thank you so much. And now
questions from the Internet, please.

Signal Angel: I have two questions to the
first part of your talk from the Internet.

The first one is you mentioned a few
reactions, but can you give a bit more

detail about your experience with vendors
while reporting these issues?

Vladi: Yeah. We, ... for the first time we
started, we asked the CERT team from BSI,

CERT-Bund, to help us because there were a
lot of affected vendors and we were not

able to provide the support in a feasible
way. So they supported us the entire way.

We first created the report with,
containing the exact description of the

vulnerabilities and old exploits. Then, we
distributed it to the BSI and they

contacted the vendors and just proxied to
the communication and there was a lot of

communication. So I'm not aware of the
entire communication, but only about the

technical stuff where we were asked to
just retest the fix and so on. So there

was some reaction from Adobe, FoxIt and a
lot of viewers reacted on our attacks and

contacted us, but not everybody.
Herald: Thank you so much. Unfortunately,

that's the only time that we have
available for questions today. I think you

guys might stay around for a couple of
minutes, just if someone has any more

questions. Fabian, I thank ... and
Vladislav, not enough. Thank you so much.

It was very interesting. Please give them
a great round of applause.

Valdi: Thank you.
<i>Applause</i>

<i>36c3 postroll music</i>

subtitles created by c3subtitles.de
in the year 2019. Join, and help us!