What’s the matter?
Researchers have detailed a new attack that can exfiltrate data from encrypted Portable Document Format (PDF) files. Dubbed ‘PDFex’, the attack comes in two variants.
The researchers tested the PDFex attack techniques against 27 widely used PDF viewers including Adobe Acrobat, Foxit Reader, Evince, Nitro, and Chrome and Firefox's built-in PDF viewers, and found all of them to be vulnerable.
“More precisely, the PDF specification allows the mixing of ciphertexts with plaintexts. In combination with further PDF features which allow the loading of external resources via HTTP, the attacker can run direct exfiltration attacks once a victim opens the file,” the researchers explained in a blog post.
Two attack techniques
The two variants of the PDFex attack are Direct Exfiltration and CBC Gadgets.
In the CBC Gadgets technique, attackers use CBC gadgets to exfiltrate plaintext. PDF encryption generally defines no authenticated encryption, so attackers can modify the plaintext data directly within an encrypted object, for example by prefixing it with a URL.
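Why the missing integrity check matters, as an added example (not code from the researchers or from this article): CBC decryption without authentication accepts a modified ciphertext and returns altered plaintext, while an encrypt-then-MAC wrapper rejects the same change. A toy Feistel cipher stands in for AES so the block runs on the Python standard library alone; the keys, IV, plaintext and the encrypt-then-MAC wrapper are constructed for illustration and are not part of the PDF format.

```python
import hashlib
import hmac

BLOCK = 16  # toy 128-bit Feistel cipher standing in for AES (assumption, not real crypto)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _f(key, i, half):
    return hashlib.sha256(key + bytes([i]) + half).digest()[:8]

def enc_block(key, b):
    l, r = b[:8], b[8:]
    for i in range(4):
        l, r = r, xor(l, _f(key, i, r))
    return l + r

def dec_block(key, b):
    l, r = b[:8], b[8:]
    for i in reversed(range(4)):
        l, r = xor(r, _f(key, i, l)), l
    return l + r

def cbc_encrypt(key, iv, pt):
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = enc_block(key, xor(pt[i:i + BLOCK], prev))
        out += prev
    return out

def cbc_decrypt(key, iv, ct):  # no integrity check: any ciphertext is accepted
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        out += xor(dec_block(key, ct[i:i + BLOCK]), prev)
        prev = ct[i:i + BLOCK]
    return out

def seal(key, mac_key, iv, pt):  # encrypt-then-MAC over IV and ciphertext
    body = iv + cbc_encrypt(key, iv, pt)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def open_sealed(key, mac_key, blob):
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return cbc_decrypt(key, body[:BLOCK], body[BLOCK:])

# Constructed sample values
KEY, MAC_KEY, IV = b"k" * 16, b"m" * 32, bytes(range(16))
KNOWN, WANTED = b"status: reviewed", b"status: rejected"
PLAINTEXT = KNOWN + b"rest of content!"
MODIFIED_IV = xor(IV, xor(KNOWN, WANTED))  # changes block 1 without the key
```

Decrypting the unmodified ciphertext under `MODIFIED_IV` yields `WANTED` in the first block with no error, whereas `open_sealed` raises `ValueError` for the same substitution.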
“This attack has two necessary preconditions: