
How to Spoof PDF Signatures - furcyd
https://web-in-security.blogspot.com/2019/02/how-to-spoof-pdf-signatures.html
======
IgorPartola
Cool. So it seems like PDF signatures are broken by design, not just
implementation. If you can just append unsigned content to a signed PDF, you
are toast.

Interestingly, Adobe has created a cottage industry of certificate providers
and has strict security requirements like use of HSMs to prevent private keys
from being exposed. As you can imagine, these certificates are stupidly
expensive for what they do.

~~~
rauhl
> Cool. So it seems like PDF signatures are broken by design, not just
> implementation. If you can just append unsigned content to a signed PDF, you
> are toast.

I don’t know that I’d say that. Seems like it'd be useful behaviour to be able
to make post-signature modifications so long as it’s clear what they are.

As a concrete example, it’s the obvious way to implement a documented
contractual negotiation: party A drafts a contract & signs it, then party B
makes modifications & signs the bundle of (original contract, signature,
modifications), then party A countersigns party B’s modifications & signature,
indicating acceptance.

Or maybe I’m missing something?

~~~
arethuza
I seem to remember that you could amend a signed PDF and add stuff to add a
white rectangle over something you want to change (e.g. a pass/fail entry) and
then stick in the new text over the rectangle.

The original text was there, and hadn't been modified so the signature was
still valid, but the superficial appearance of the document was misleading
even if it was possible to identify the tampering if you knew what to do
(which I suspect 99.9% of people reading PDFs would never bother doing).

~~~
rauhl
Yeah, that would be bad — hence my proviso ‘so long as it’s clear what [the
post-signature modifications] are.’

If modifications aren’t clearly called out, then that’s a (bad) bug in the
viewer.

~~~
arethuza
I think that's where certification was supposed to come in (its been 10+ years
since I worked with this stuff so my recollection is a bit vague) - you create
the main structure of the document and then lock that down with certification
and allow people to complete existing fields, including adding signatures.

------
ggambetta
> President Bill Clinton enacted a federal law facilitating the use of
> electronic and digital signatures in interstate and foreign commerce by
> ensuring the validity and legal effect of contracts. _He approved the eSign
> Act by digitally signing it._ (emphasis mine)

Am I the only one bothered by the fact that there's a bug in that procedure?
Before he signed the act, digitally signing wasn't legal, and the act doesn't
become law until it's signed, so... I understand why they did this, but as an
engineer, I find this problematic XD

~~~
mfoy_
Or maybe it's a neat, built-in, self-destruct sequence for the law. i.e. The
law is only valid if we're confident it's his signature. As soon as digital
signatures are proven insecure, we can no longer be certain the act was
signed, therefore it's not law.

Probably not the case, and just a PR gimmick, but still. I like to dream. :)

------
nbevans
It seems the issues are two fold:

1\. PDF file format doesn't support a "whole document signature" as a concept.
Instead, it only supports signing arbitrary fragments of the document.

2\. PDF tooling/software doesn't warn the user when a PDF contains some signed
and some unsigned fragments. Or where fragments have been signed with
different certificates.

I think that is the gist of it?

~~~
dunham
So, the document is a catalog of numbered objects. Think dictionaries and
lists. The objects point to other objects and there is a table of contents
near the end of the file showing where to find everything.

To be backwards compatible, the signature is one of these objects.

1\. It's a whole document signature, but you can't sign the signature because
you don't have it yet. So you have to leave a hole for the signature data.

2\. The specification for where this hole is (/ByteRange) should be in the
signed data, some viewers do not appear to be verifying this.

So they're sticking a fake byte range on the signature, extending the hole
enough to cover said fake byte range and additional objects (modified pages)
and a fake table of contents (at the original offset from beginning of the
file).

I'm describing one of the exploits as I understand it.

To further complicate things, you can modify pdf files by appending more
objects and a new TOC at the end. Think of this as append-only versioning.

Historically this is used for editing (giving you a revision history) or form
filling (adding the text you typed in), but it also is used to add additional
signatures. (You have to add to the already signed document if you want a
second person to sign it.)

A signature on Version 2 of a file would encompass the entire file including
the embedded Version 1 and its signature.

Readers like acrobat can show you each version of file. And they can show you
the version of the file as a given person signed it.

------
nneonneo
A bunch of universities are now releasing their _official_ academic
transcripts as signed PDFs, which I think is a very clever approach. The
signatures have proper trusted certificates issued by major CAs, which makes
verifying them very easy.

If you can spoof the signatures, well, now we can have people saying they got
4.0 GPAs from Stanford with legitimate signatures and all...

~~~
throwawaymath
And yet, wouldn't any sane verifier just call up the school...?

------
leni536
Having the POC pdf files would be interesting (together with a plain invalidly
signed pdf). I don't even know if these pdf readers check signatures: okular,
evince, mupdf, qpdfview, sumatra.

~~~
hannob
POC files: [https://www.pdf-
insecurity.org/signature/viewer.html](https://www.pdf-
insecurity.org/signature/viewer.html)

And most of the readers you mention don't support signature verification - so
they're perfectly secure from this attack ;-)

~~~
leni536
pdfsig from poppler-utils is vulnerable to SWA. I expect any poppler based pdf
readers (that actually bothers with signatures) to have the same
vulnerability.

edit: mutool sign is also vulnerable to SWA.

------
florz
While this research is, as some have pointed out, mostly about implementation
deficiencies in signature checking code, I want to point to my own earlier
research that shows that the PDF standard is actually also inherently broken,
as the method that is used to transform the document into the byte sequence
that is fed into the signature mechanism is not reversible:

[https://pdfsig-collision.florz.de/](https://pdfsig-collision.florz.de/)

So, please don't think it's just a problem of incompetent implementations.
Yes, these newly-found vulnerabilities are embarrassing and shouldn't have
happened, regardless how terrible the standard is, but just implementing the
standard correctly (as far as that is even possible, given how vague it is in
many regards, lacking a formal grammar and all that) won't result in
cryptographically sound signatures.

------
purell_hack
@angealbertini does a lot of cool work in this area. Check out this repo with
examples of hash collisions for PDF, MP4, PNG, GIF, etc.
[https://github.com/corkami/collisions](https://github.com/corkami/collisions)

------
burtonator
We actually find some PDF signature collisions in the wild in Polar
([https://getpolarized.io/](https://getpolarized.io/)).

One user found that a few of the documents he added conflicted with the
signature of other PDFs.

I knew that the PDF signature wasn't strong but didn't think we would actually
have real world conflicts.

We're already moving to SHA256 of the raw binary data instead of the
fingerprint for newer documents added to your repository.

We're going to use the actual strong hashcode to enable "distributed"
annotations so that two people annotating the same document can easily
discover each other and share comments, highlights, flashcards, etc.

I'm pretty damn excited about this feature actually.

~~~
tialaramex
Your link doesn't seem to have any such "PDF signature collisions", it's just
a link to some product you're presumably hawking.

The article ("How to Spoof PDF Signatures") doesn't find any collisions or
similar cryptographic weakness. Instead, as you'd expect, what they found was
that software doesn't actually implement the cryptography very well. So what
is in principle a perfectly good secure signature system can be "spoofed". If
you use fixed software, the problem goes away.

------
u801e
It seems that this wouldn't be an issue if they had made the signature a
separate file and had it hard coded to check the entire pdf file.

~~~
coldacid
Or if at least it checked the whole file and just treated the exact block of
signature bytes within as a set value (like Authenticode).

------
mabey
I am looking into how to implement pdf signing with certificates for a side
project I am trying to turn into a business (think signing an offer letter).
can anyone point me to some good resources for learning more? I have only a
basic understanding of cryptography. or if you'd be willing to chat sometime
id really appreciate it.

~~~
estsauver
HelloSign has a pretty nice workflow!

NaCL/Libsodium is a very highly regarded crypto library.

------
expopinions
The Digital Signature of a message is based on the content of the message and
the private key of the signer. Therefore a digital Signature is bound to a
particular user and a specific message.

So, If I copy your digital signature and attach with my message, the receiver
(relying party) would be able to (instantly) determine (through a PKI enabled
Application) that I have not signed the message.

~~~
IgorPartola
I don't think you read the article.

------
almostarockstar
It's hard to take a post like this seriously with so many spelling errors.

~~~
apetresc
Or with statements like "We are quite familiar with the security of message
formats like XML and JSON."

~~~
rcfox
Perhaps XML and JSON are secure by virtue of the fact that their built-in
security features can never be broken.

