Practical Decryption exFiltration: Breaking PDF Encryption

The Portable Document Format, better known as PDF, is one of the most widely used document formats worldwide, and in order to ensure information confidentiality, this file format supports document encryption. In this paper, we analyze PDF encryption and show two novel techniques for breaking the confidentiality of encrypted documents. First, we abuse the PDF feature of partially encrypted documents to wrap the encrypted part of the document within attacker-controlled content and therefore, exfiltrate the plaintext once the document is opened by a legitimate user. Second, we abuse a flaw in the PDF encryption specification to arbitrarily manipulate encrypted content. The only requirement is that a single block of known plaintext is needed, and we show that this is fulfilled by design. Our attacks allow the recovery of the entire plaintext of encrypted documents by using exfiltration channels which are based on standard compliant PDF properties. We evaluated our attacks on 27 widely used PDF viewers and found all of them to be vulnerable. We responsibly disclosed the vulnerabilities and supported the vendors in fixing the issues.

[1]  Peter Deutsch,et al.  ZLIB Compressed Data Format Specification version 3.3 , 1996, RFC.

[2]  Peter Deutsch,et al.  DEFLATE Compressed Data Format Specification version 1.3 , 1996, RFC.

[3]  Colleen M. Pouliot Adobe Systems , 1998 .

[4]  GoinG DiGitAl Unlocking PDF , 2007 .

[5]  Frédéric Raynal,et al.  Malicious origami in PDF , 2009, Journal in Computer Virology.

[6]  Tibor Jager,et al.  How to break XML encryption , 2011, CCS '11.

[7]  Dan-Sabin Popescu,et al.  Hiding Malicious Content in PDF Documents , 2011, ArXiv.

[8]  Tibor Jager,et al.  Bleichenbacher's Attack Strikes again: Breaking PKCS#1 v1.5 in XML Encryption , 2012, ESORICS.

[9]  Valentin Hamon,et al.  Malicious URI resolving in PDF documents , 2013, Journal of Computer Virology and Hacking Techniques.

[10]  Kenneth G. Paterson,et al.  One Bad Apple: Backwards Compatibility Attacks on State-of-the-Art Cryptography , 2013, NDSS.

[11]  Ping Chen,et al.  A Dangerous Mix: Large-Scale Analysis of Mixed-Content Websites , 2013, ISC.

[12]  Jürgen Fuß,et al.  Cuteforce Analyzer: A Distributed Bruteforce Attack on PDF Encryption with GPUs and FPGAs , 2013, 2013 International Conference on Availability, Reliability and Security.

[13]  Michael B. Jones,et al.  JSON Web Encryption (JWE) , 2015, RFC.

[14]  Jörg Schwenk,et al.  How to Break Microsoft Rights Management Services , 2016, WOOT.

[15]  Matthew Green,et al.  Dancing on the Lip of the Volcano: Chosen Ciphertext Attacks on Apple iMessage , 2016, USENIX Security Symposium.

[16]  Mu Zhang,et al.  Extract Me If You Can: Abusing PDF Parsers in Malware Detectors , 2016, NDSS.

[17]  Jörg Schwenk,et al.  On The (In-)Security Of JavaScript Object Signing And Encryption , 2017, ROOTS.

[18]  Marc Stevens,et al.  The First Collision for Full SHA-1 , 2017, CRYPTO.

[19]  Wouter Joosen,et al.  Who Left Open the Cookie Jar? A Comprehensive Evaluation of Third-Party Cookie Policies , 2018, USENIX Security Symposium.

[20]  Jörg Schwenk,et al.  Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels , 2018, USENIX Security Symposium.

[21]  Jörg Schwenk,et al.  PostScript Undead: Pwning the Web with a 35 Years Old Language , 2018, RAID.

[22]  Jörg Schwenk,et al.  1 Trillion Dollar Refund: How To Spoof PDF Signatures , 2019, CCS.

[23]  Jörg Schwenk,et al.  Re: What's Up Johnny? - Covert Content Attacks on Email End-to-End Encryption , 2019, ACNS.