Desktop Viewer Applications

Important: You need to trust the certificate which is used to validate the signature; otherwise, the signature validation in the application will be shown as self-signed.

Legend:

- Application is vulnerable to the attack
- Application is not vulnerable to the attack
USF - Universal Signature Forgery CVE-2018-16042
ISA - Incremental Saving Attack CVE-2018-18688
SWA - Signature Wrapping Attack CVE-2018-18689

Windows

Application	Version	USF	ISA	SWA
Adobe Acrobat Reader DC	2018.011, 2019.008.20080	(PoC)
Adobe Reader XI	11.0.10, 11.0.23	(PoC)
eXpert PDF 12 Ultimate	12.0.20			(PoC)
Expert PDF Reader	9.0.180			(PoC)
Foxit Reader	9.1.0, 9.2.0.9297, 9.3.0.10826		(PoC)	(PoC)
LibreOffice (Draw)	6.0.6.2, 6.1.3.2		(conditional) (PoC)
Master PDF Editor	5.1.12, 5.1.68		(PoC)
Nitro Pro	11.0.3.173		(conditional) (PoC)	(PoC)
Nitro Reader	5.5.9.2		(conditional) (PoC)	(PoC)
Nuance Power PDF Standard	3.0.0.17, 3.0.0.30		(PoC)
PDF Architect 6	6.0.37, 6.1.24.1862			(PoC)
PDF Editor 6 Pro	6.4.2.3521	(conditional) (PoC)	(PoC)	(PoC)
PDF Experte 9 Ultimate	9.0.270			(PoC)
PDFelement6 Pro	6.8.0.3523, 6.8.4.3921	(conditional) (PoC)	(PoC)	(PoC)
PDF Studio Viewer 2018	2018.0.1, 2018.2.0		(PoC)	(PoC)
PDF Studio Pro	12.0.7		(PoC)	(PoC)
PDF-XChange Editor	7.0.326, 7.0.237.1			(PoC)
PDF-XChange Viewer	2.5			(PoC)
Perfect PDF 10 Premium	10.0.0.1		(PoC)	(PoC)
Perfect PDF Reader	13.0.3, 13.1.5		(PoC)	(PoC)
Soda PDF Desktop	10.2.09, 10.2.16.1217			(PoC)
Soda PDF	9.3.17			(PoC)

Linux

Application	Version	USF	ISA	SWA
Adobe Acrobat Reader DC	2018.011	(PoC)
Adobe Reader 9	9.5.5
Foxit Reader	9.1.0 , 9.2.0		(PoC)	(PoC)
LibreOffice (Draw)	6.0.3.2 , 6.1.3.2		(conditional) (PoC)
Master PDF Editor	5.1.12, 5.1.68		(PoC)
PDF Studio Viewer 2018	2018.0.1, 2018.2.0		(PoC)	(PoC)
PDF Studio Pro	12.0.7		(PoC)	(PoC)

macOS

Application	Version	USF	ISA	SWA
Adobe Acrobat Reader DC	2018.011,2019.008.20080	(PoC)
Adobe Reader XI	11.0.10, 11.0.23	(PoC)
Foxit Reader	9.1.0 , 9.2.0		(PoC)	(PoC)
LibreOffice (Draw)	6.1.0.3, 6.1.3.2		(conditional) (PoC)
Master PDF Editor	5.1.24, 5.1.68		(PoC)
PDF Editor 6 Pro	6.6.2.3315, 6.7.6.3399	(conditional) (PoC)	(PoC)	(PoC)
PDFelement6 Pro	6.7.1.3355, 6.7.6.3399	(conditional) (PoC)	(PoC)	(PoC)
PDF Studio Viewer 2018	2018.0.1, 2018.2.0		(PoC)	(PoC)
PDF Studio Pro	12.0.7		(PoC)	(PoC)

Download PoCs

You can get all Proof-of-Concept exploits in one tar.gz file via the following link.

Online Validation Services

Please note that we do not provide any exploit, due to the reason that the services are already fixed and thus it would not be possible to test the PoCs against any services.

Legend:

- Application is vulnerable to the attack
- Application is not vulnerable to the attack
USF - Universal Signature Forgery
ISA - Incremental Saving Attack
SWA - Signature Wrapping Attack
- It was not possible to evaluate this services, because we had no pdf document containing a signature which the service would trust.

Online Validation Service	Version	USF	ISA	SWA	Fixed
DocuSign	v1 REST API with PDFKit.NET 18.3.200.9768				not fixed yet
eTR Validation Service	v 2.0.3
DSS Demonstration WebApp	WebApp 5.2				not fixed yet
DSS Demonstration WebApp	WebApp 5.4
Evotrust	12.0.20				not fixed yet
VEP.si	2017-06-26
SiVa Sample Application	release-2.0.1	-	-	-	-

Responsible Disclosure

As part of our research, we started a responsible disclosure procedure after we identified 21 out of 22 desktop viewer applications vulnerable against at least one of our attacks.

In cooperation with the CERT-Bund, the national CERT section of BSI, we contacted all vendors, provided proof-of-concept exploits, and helped them to fix the issues, and three generic CVEs for each attack class were issued: CVE-2018-16042 (USF), CVE-2018-18688, CVE-2018-18689.

Acknowledgements

We would like to thanks the CERT-Bund team for their great support during the responsible disclosure process. We also want to acknowledge the vendor teams which reacted to our report and fixed the vulnerable implementations.