German academics have developed a new attack that can extract and steal data from encrypted PDF files, sometimes without user interaction.

Named PDFex, the new attack comes in two variations and was successfully tested against 27 desktop and web PDF viewers, including popular software such as Adobe Acrobat, Foxit Reader, Evince, Nitro, and Chrome and Firefox's built-in PDF viewers.

The attack doesn't target encryption applied to a PDF document by external software, but the encryption schemes supported by the Portable Document Format (PDF) standard itself.

The PDF standard supports native encryption so that a PDF app can encrypt files that any other compliant app can open, which prevents users from being locked in to one specific PDF product through proprietary encryption schemes.

However, a team of six academics from Ruhr-University Bochum and FH Münster University in Germany has discovered issues with the PDF standard's encryption support.

"Our attacks allow the recovery of the entire plaintext of encrypted documents by using exfiltration channels which are based on standard-compliant PDF properties," the research team said.

PDFex variation #1

Researchers say that encrypted PDF documents are vulnerable to two attack types. The two variations don't have special names, but are known by the method they use to carry out the attack and exfiltrate data.

The first one -- called "direct exfiltration" -- takes advantage of the fact that PDF apps don't encrypt the entirety of a PDF file, leaving some parts unencrypted.

Image: Müller et al.

The research team says that an attacker can tamper with these unencrypted fields and create a booby-trapped PDF file that when decrypted and opened will attempt to send the file's content back to an attacker.

This can be achieved in three ways:

- by altering a PDF file's plaintext data to add a PDF form that auto-submits the PDF's content to an attacker's server when the victim decrypts and opens the encrypted PDF;
- by altering a PDF file's plaintext data to add a link that triggers automatically when the victim decrypts and opens the encrypted PDF;
- by altering a PDF file's plaintext data to add JavaScript code that runs automatically when the victim decrypts and opens the encrypted PDF.

Of the three "direct exfiltration" PDFex attacks, the first is the easiest to perform and the most effective, as it requires no user interaction. The second requires opening an external browser, an action the user could block.

The third is the least reliable method, mainly because many PDF apps restrict JavaScript support due to the security risks of letting PDF files run JS code in the background.

PDFex variation #2

The second PDFex attack variation doesn't go after the unencrypted pieces of a PDF file, but after the encrypted ones. It does this by using CBC gadgets: controlled modifications of the ciphertext that exploit the malleability of CBC mode, so that the plaintext produced on decryption is altered without the attacker knowing the key.

"CBC gadgets means that the ciphertext is modified to exfiltrate itself after decryption," said Sebastian Schinzel, one of the PDFex researchers, on Twitter.

This works because a) the PDF standard allows a mix of plaintext and encrypted content, b) it defines no authentication method for encryption (i.e. no MAC), and c) it allows fetching content from and posting content to remote HTTP servers. #PDFex 6/n — Sebastian Schinzel (@seecurity) September 30, 2019

Just like the first, the PDFex CBC gadget attack has three smaller variations. The first two mirror those of the first attack.

An attacker can use a CBC gadget to modify the encrypted content and create booby-trapped PDF files that submit their own content to remote servers via PDF forms or URLs.

The third CBC gadget attack relies on maliciously modifying a legitimate PDF object stream (compressed data), so that, again, the PDF file submits its content to a remote server after it has been decrypted and opened in a vulnerable PDF viewer.

PDFex results

"Our evaluation shows that among 27 widely-used PDF viewers, all of them are vulnerable to at least one of those attacks," the research team said.

Image: Müller et al.

"These alarming results naturally raise the question of the root causes for practical decryption exfiltration attacks. We identified two of them," researchers said.

"First, many data formats allow to encrypt only parts of the content (e.g., XML, S/MIME, PDF). This encryption flexibility is difficult to handle and allows an attacker to include their own content, which can lead to exfiltration channels.

"Second, when it comes to encryption, AES-CBC - or encryption without integrity protection in general - is still widely supported. Even the latest PDF 2.0 specification released in 2017 still relies on it," the research team added.

"This must be fixed in future PDF specifications."
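The two root causes quoted above, and the CBC gadgets described earlier, come down to one property: AES-CBC without a MAC accepts any modified ciphertext and quietly decrypts it to altered plaintext. The following Python example is added here to illustrate that property and the fix the researchers call for; it is not code from the PDFex paper or from any PDF viewer. It assumes a small HMAC-based Feistel network as a stand-in for AES (so it runs on the standard library alone; it is not AES and is not secure), implements CBC mode on top of it, and then wraps the same CBC ciphertext in an encrypt-then-MAC layer that rejects modified ciphertext before decryption.

```python
import hashlib
import hmac
import os

BLOCK = 16  # 16-byte blocks, the same block size as AES


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- Toy block cipher ---------------------------------------------------
# Assumption: a 4-round Feistel network keyed via HMAC-SHA256 stands in for
# AES so the example needs no third-party library. It is NOT AES and is not
# meant to be secure; CBC mode and the MAC layer are the point here.
def _round(key: bytes, half: bytes, rnd: int) -> bytes:
    return hmac.new(key, bytes([rnd]) + half, hashlib.sha256).digest()[: BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in range(4):
        left, right = right, _xor(left, _round(key, right, rnd))
    return left + right


def block_decrypt(key: bytes, block: bytes) -> bytes:
    left, right = block[:8], block[8:]
    for rnd in reversed(range(4)):
        left, right = _xor(right, _round(key, left, rnd)), left
    return left + right


# --- Unauthenticated CBC with PKCS#7 padding, the mode PDF encryption uses --
def _pad(data: bytes) -> bytes:
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    n = data[-1]
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key: bytes, plaintext: bytes, iv: bytes = b"") -> bytes:
    """Returns IV || ciphertext blocks. A random IV is used unless one is given."""
    iv = iv or os.urandom(BLOCK)
    padded = _pad(plaintext)
    prev, out = iv, [iv]
    for i in range(0, len(padded), BLOCK):
        prev = block_encrypt(key, _xor(padded[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, data: bytes) -> bytes:
    """Plain CBC decryption: nothing here can tell a modified ciphertext from a genuine one."""
    if len(data) < 2 * BLOCK or len(data) % BLOCK:
        raise ValueError("ciphertext length is not a whole number of blocks")
    prev, out = data[:BLOCK], []
    for i in range(BLOCK, len(data), BLOCK):
        blk = data[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))
        prev = blk
    return _unpad(b"".join(out))


# --- Encrypt-then-MAC: the integrity protection the page says PDF lacks -----
def _subkeys(master: bytes):
    # separate encryption and authentication keys derived from one master key
    return (hmac.new(master, b"enc", hashlib.sha256).digest(),
            hmac.new(master, b"mac", hashlib.sha256).digest())


def seal(master: bytes, plaintext: bytes, iv: bytes = b"") -> bytes:
    enc_key, mac_key = _subkeys(master)
    ct = cbc_encrypt(enc_key, plaintext, iv)
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()  # tag covers the IV too


def open_sealed(master: bytes, message: bytes) -> bytes:
    enc_key, mac_key = _subkeys(master)
    ct, tag = message[:-32], message[-32:]
    expected = hmac.new(mac_key, ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: ciphertext was modified")
    return cbc_decrypt(enc_key, ct)  # decrypt only after the tag verifies


def flip_one_bit(data: bytes) -> bytes:
    """Models any ciphertext change made without the key: one bit of the IV is flipped."""
    return bytes([data[0] ^ 0x01]) + data[1:]


if __name__ == "__main__":
    key = b"constructed-demo-key-32-bytes!!!"                    # constructed sample key
    secret = b"constructed sample: contents of an encrypted PDF string"
    enc_key = _subkeys(key)[0]
    ct = cbc_encrypt(enc_key, secret)
    print("plain CBC, modified ciphertext still decrypts:", cbc_decrypt(enc_key, flip_one_bit(ct)))
    try:
        open_sealed(key, flip_one_bit(seal(key, secret)))
    except ValueError as err:
        print("encrypt-then-MAC:", err)
```

With plain `cbc_decrypt`, the flipped IV bit shows up as one flipped bit in the first plaintext block and no error is raised, which is exactly why a viewer cannot notice that an encrypted string or stream was edited. With `open_sealed`, the same modification fails the HMAC comparison and nothing is decrypted; an AEAD mode such as AES-GCM gives the same guarantee in one primitive.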

All of these attacks require that an attacker be in a position to modify encrypted PDF files. This could mean intercepting the victim's network traffic or having physical access to a storage device (for example, device inspections at an airport, or access to an employee's workstation while they are away).

However, it would be wrong to say that these requirements diminish PDFex's practical relevance. These are exactly the situations encryption was supposed to protect against, which makes PDFex a major vulnerability in the PDF standard.

The research team worked with Germany's CERT team and notified all affected PDF software makers, and all have released updates to prevent PDFex attacks.

Previous work

The six-member research team will be presenting their findings at the ACM Conference on Computer and Communications Security in mid-November.

More details about this research can be found in the white paper titled "Practical Decryption exFiltration: Breaking PDF Encryption," in this blog post, or on the PDF Insecurity website.

Back in February, this same team of academics proved that digital signatures didn't work as intended on most desktop PDF viewers.

They are also behind the EFAIL attack, which found vulnerabilities in the end-to-end encryption technologies OpenPGP and S/MIME that are used for email encryption.