Shadow Attacks: Hiding and Replacing Content in Signed PDFs

Abstract

Digitally signed PDFs are used in contracts and invoices to guarantee the authenticity and integrity of their content. A user opening a signed PDF expects to see a warning in case of any modification. In 2019, Mladenov et al. revealed various parsing vulnerabilities in PDF viewer implementations. They showed attacks that could modify PDF documents without
invalidating the signature. As a consequence, affected vendors of PDF viewers implemented countermeasures preventing all attacks.
This paper introduces a novel class of attacks, which we call shadow attacks. The shadow attacks circumvent all existing
countermeasures and break the integrity protection of digitally signed PDFs. Compared to previous attacks, the shadow attacks do not abuse implementation issues in a PDF viewer. In contrast, shadow attacks use the enormous flexibility provided by the PDF specification so that shadow documents remain standard-compliant. Since shadow attacks abuse only legitimate features,they are hard to mitigate.
Our results reveal that 16 (including Adobe Acrobat and Foxit Reader) of the 29 PDF viewers tested were vulnerable
to shadow attacks. We introduce our tool PDF-Attacker which can automatically generate shadow attacks. In addition, we
implemented PDF-Detector to prevent shadow documents from being signed or forensically detect exploits after being applied to signed PDFs.