Attacks on PDF Signatures

We developed three classes of attacks on PDF Signatures. Each attack class abuses a missing signature verification step.

Evaluation

We evaluated our attacks against two types of applications: the well-known desktop applications that people use on a daily basis, and online validation services. The latter are often used in the business world to validate the signature of a PDF document, returning a validation report as the result.

During our research, we identified 21 out of 22 desktop viewer applications and 5 out of 7 online validation services as vulnerable to at least one of our attacks.

You can find the detailed results of our evaluation on the following web pages:

  1. Desktop Viewer Applications
  2. Online Validation Services

What is the root cause of the problem?

Because most of the analyzed software is closed source we can only guess, but in our opinion there are 2 main reasons for the successful attacks:

  1. The specification is very vague about signatures and especially how to validate them.
  2. The analyzed readers are very tolerant about opening, validating and showing malformed PDF files.

PDF association

The association responsible for the standardization of the Portable Document Format issued a statement regarding our findings.