Portable Document Format (PDF), is this secure or is it something to be suspicious about upon receiving? Jens Müller gave a convincing talk at Black Hat USA 2020, Portable Document Flaws 101, that it is something to think twice about before opening. This article will provide highlights from the insightful talk about the possible PDF-based attacks and the varying security of PDF-readers (purer viewers only and not editors).
The PDF file format is complex with many hidden features, and they are also a common attack vector since we use the file format on an almost daily basis. Therefore, it makes sense for an attacker to use PDF to penetrate computer systems, similar to how macros execute in Microsoft Word. Users need to think twice before opening PDF-files, especially if they are from an unknown sender.
Denial of service
Denial of service (DoS) is possible in two ways: via an infinite loop or a deflate bomb.
Self-referencing objects and elements could perform the Infinite Loop. This option leads to more CPU usage and could crash and freeze the PDF reader. The mechanics of this is similar to the Billion laughs attack.
The second attack was similar to the infamous Zip bomb attack. PDF allows “streams” that need to be decompressed using the Deflate compression algorithm before being processed. An attacker can then use several (up to three) FlatDecode operations. In the end, it is possible to have a 600kb PDF file on disk, which will be 10 gigabytes extracted in RAM. In worst-case scenarios, the operating system could freeze.
These attacks are easily mitigated, and many PDF viewers already have protection against one or both of these attacks. The attacks have been seen before with other parsers, such as XML parsers, so it’s not surprising to see that these issues existed in the PDF file format.
PDF files also have a way of hiding even more severe attacks. Müller performed URL invocation without user interaction, and in this demo, 16 out of 28 PDF readers were shown to be vulnerable. The impact of this attack is privacy issues, as malicious PDFs could leak a user’s IP-address.
In some PDF readers, it was possible to read files stored locally and then send the file’s content to an external website. It’s worth mentioning that some PDF parsers are server-side like a web service, which means this could lead to a Local File Inclusion attack, thus making it possible for attackers to read files on the server.
Because URL invocation is possible, a malicious PDF document could force a user to visit a network share, which then can leak NTLM hashes. The demo gave evidence of this affect on Adobe Reader DC, which consequently let an attacker get hold of the hash and then crack the hash offline or use pass-the-hash attacks.
The most severe vulnerability demoed by Müller was a code execution. This was not done by buffer overflow, but a logical bug. Keep in mind that PDFs allow code execution “by design” if the PDF viewer has implemented it as the standard. This (un)fortunately only affected a few PDF readers.
Recommendation and final thoughts
In the full talk, Müller details how the various PDF viewers have at least one vulnerability that can be exploited by attackers. In Figure 1, you’ll see that the option with the least security risk would be to use a web browser’s built-in PDF-viewer.
Müller’s research shows that not all PDFs can be trusted, especially if a sender is unknown. This is just the tipping point of the possible attacks using PDF file format, and how different viewers interpret PDF files. It would be interesting to see whether similar PDF attacks are scalable with automation.
The Detectify Security Research team attended Black Hat USA 2020 – Virtual this year and will recap a some great research that came out of this event. This is the first post in the series. Stay tuned for more to come!
Keeping up with the fast-pace of web security is a challenge if you are only relying on standard CVE libraries and annual security checks. Detectify works with some of the best ethical hackers in the world to deliver security research and modules from the forefront of security, so you can stay on top of emerging threats. Interested in giving Detectify a go? Start your 14-day free trial today.