Tuesday, April 14, 2020

How To Spoof PDF Signatures

One year ago, we received a contract as a PDF file. It was digitally signed. We looked at the document - ignoring the "certificate is not trusted" warning shown by the viewer - and asked ourselves:

"How do PDF signatures exactly work?"

We are quite familiar with the security of message formats like XML and JSON. But nobody had an idea how PDFs really work. So we started our research journey.

Today, we are happy to announce our results. In this blog post, we give an overview of how PDF signatures work and, on top, we reveal three novel attack classes for spoofing a digitally signed PDF document. We present our evaluation of 22 different PDF viewers and show 21 of them to be vulnerable. We additionally evaluated 8 online validation services and found 6 to be vulnerable.

In cooperation with the BSI-CERT, we contacted all vendors, provided proof-of-concept exploits, and helped them to fix the issues. Three generic CVEs, one per attack class, were issued: CVE-2018-16042, CVE-2018-18688, and CVE-2018-18689.


Full results are available in the master's thesis of Karsten Meyer zu Selhausen, in our security report, and on our website.

Digitally Signed PDFs? Who the Hell uses this?

Maybe you asked yourself whether signed PDFs are important and who uses them.
In fact, you may have already used them.
Have you ever opened an invoice from companies such as Amazon, Sixt, or Decathlon?
These PDFs are digitally signed and protected against modifications.
In fact, PDF signatures are widely deployed in our world. In 2000, President Bill Clinton enacted a federal law facilitating the use of electronic and digital signatures in interstate and foreign commerce by ensuring the validity and legal effect of contracts. He approved the eSign Act by digitally signing it.
Since 2014, organizations delivering public digital services in an EU member state are required to support digitally signed documents, which are even admissible as evidence in legal proceedings.
In Austria, every governmental authority digitally signs any official document [§19]. In addition, any new law is legally valid after its announcement within a digitally signed PDF.
Several countries like Brazil, Canada, the Russian Federation, and Japan also use and accept digitally signed documents.
According to Adobe Sign, the company processed 8 billion electronic and digital signatures in 2017 alone.

Crash Course: PDF and PDF Signatures

To understand how to spoof PDF signatures, we unfortunately need to explain the basics first. So here is a brief overview.

PDF files are ASCII files. You can use a common text editor to open them and read the source code.

PDF header. The header is the first line within a PDF and defines the interpreter version to be used. The example shown uses PDF version 1.7.
PDF body. The body defines the content of the PDF and contains text blocks, fonts, images, and metadata regarding the file itself. The main building blocks within the body are objects. Each object starts with an object number followed by a generation number. The generation number should be incremented if additional changes are made to the object.
In the given example, the body contains four objects: Catalog, Pages, Page, and stream. The Catalog object is the root object of the PDF file. It defines the document structure and can additionally declare access permissions. The Catalog refers to a Pages object, which defines the number of pages and holds a reference to each Page object. The Page object contains the information needed to build a single page (e.g., its text columns). In the given example, it only contains a single string object "Hello World!".
Xref table. The Xref table contains information about the position (byte offset) of all PDF objects within the file.
Trailer. After a PDF file is read into memory, it is processed from the end to the beginning. By this means, the Trailer is the first processed content of a PDF file. It contains references to the Catalog and the Xref table.
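To make the four building blocks concrete, here is an added example (not code from the original post; Python standard library only) that assembles exactly the "Hello World!" document described above, computing the byte offsets the xref table must carry, and then reads it back the way a viewer does: startxref and trailer first, then the xref table, then the Catalog reference. The object dictionaries and the content stream are constructed for this example.

```python
import re


def build_minimal_pdf() -> bytes:
    """Assemble the four-object 'Hello World!' document: header, body,
    xref table (byte offset of every object) and trailer."""
    header = b"%PDF-1.7\n"
    content = b"BT /F1 24 Tf 100 700 Td (Hello World!) Tj ET"
    objects = [
        b"<< /Type /Catalog /Pages 2 0 R >>",                                          # 1: root
        b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>",                                  # 2: page tree
        b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] /Contents 4 0 R >>",  # 3: page
        b"<< /Length %d >>\nstream\n" % len(content) + content + b"\nendstream",     # 4: stream
    ]
    out = bytearray(header)
    offsets = []
    for num, body in enumerate(objects, start=1):
        offsets.append(len(out))                       # offset recorded in the xref table
        out += b"%d 0 obj\n" % num + body + b"\nendobj\n"
    xref_offset = len(out)
    out += b"xref\n0 %d\n" % (len(objects) + 1)
    out += b"0000000000 65535 f \n"                    # entry 0 is always the free-list head
    for off in offsets:
        out += b"%010d 00000 n \n" % off               # every entry is exactly 20 bytes
    out += b"trailer\n<< /Size %d /Root 1 0 R >>\n" % (len(objects) + 1)
    out += b"startxref\n%d\n%%%%EOF\n" % xref_offset   # %%%% -> the literal %%EOF marker
    return bytes(out)


def parse_from_end(pdf: bytes) -> dict:
    """Process the file the way a viewer does: find the final startxref,
    jump to the xref table, read its entries, then read the trailer for /Root."""
    if not pdf.startswith(b"%PDF-"):
        raise ValueError("missing PDF header")
    version = pdf[5:8].decode()
    m = re.search(rb"startxref\s+(\d+)\s*%%EOF\s*$", pdf)
    if not m:
        raise ValueError("no startxref/%%EOF at end of file")
    xref_offset = int(m.group(1))
    hdr = re.match(rb"xref\s+(\d+)\s+(\d+)\s+", pdf[xref_offset:])
    if not hdr:
        raise ValueError("startxref does not point at an xref table")
    first, count = int(hdr.group(1)), int(hdr.group(2))
    pos = xref_offset + hdr.end()
    entries = {}
    for i in range(count):
        entry = pdf[pos:pos + 20]                      # fixed 20-byte xref entry
        entries[first + i] = (int(entry[:10]), int(entry[11:16]), entry[17:18].decode())
        pos += 20
    trailer = re.search(rb"trailer\s*<<(.*?)>>", pdf[pos:], re.S)
    root = re.search(rb"/Root\s+(\d+)\s+(\d+)\s+R", trailer.group(1))
    return {"version": version, "startxref": xref_offset, "xref": entries,
            "root": (int(root.group(1)), int(root.group(2)))}


def check_xref(pdf: bytes, parsed: dict) -> bool:
    """Confirm every in-use xref entry really points at 'num gen obj'."""
    return all(pdf.startswith(b"%d %d obj" % (num, gen), off)
               for num, (off, gen, kind) in parsed["xref"].items() if kind == "n")


if __name__ == "__main__":
    doc = build_minimal_pdf()
    info = parse_from_end(doc)
    print(info["version"], info["root"], info["xref"], check_xref(doc, info))
```

The offsets in the xref table are the only thing tying the trailer to the objects, which is why the attacks described later care so much about where a replacement xref table lands.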

How do PDF Signatures work?

PDF Signatures rely on a feature of the PDF specification called incremental saving (also known as incremental update), allowing the modification of a PDF file without changing the previous content.
 
As you can see in the figure on the left side, the original document is the same document as the one described above. By signing the document, an incremental saving is applied and the following content is added: a new Catalog, a Signature object, a new Xref table referencing the new object(s), and a new Trailer. The new Catalog extends the old one by adding a reference to the Signature object. The Signature object (5 0 obj) contains information regarding the applied cryptographic algorithms for hashing and signing the document. It additionally includes a Contents parameter containing a hex-encoded PKCS#7 blob, which holds the certificates as well as the signature value created with the private key corresponding to the public key stored in the certificate. The ByteRange parameter defines which bytes of the PDF file are used as the hash input for the signature calculation and consists of 2 integer tuples:
• a, b: Beginning at byte offset a, the following b bytes are used as the first input for the hash calculation. Typically, a is 0, indicating that the range starts at the beginning of the file, and b is the byte offset where the PKCS#7 blob begins.
• c, d: Typically, byte offset c is the end of the PKCS#7 blob, while c + d points to the end of the PDF file; this second range is used as the second input to the hash calculation.
According to the specification, it is recommended to sign the whole file except for the PKCS#7 blob (located in the range between a + b and c).

    Attacks

    During our research, we discovered three novel attack classes on PDF signatures:

    1. Universal Signature Forgery (USF)
    2. Incremental Saving Attack (ISA)
    3. Signature Wrapping Attack (SWA)

    In this blog post, we give an overview on the attacks without going into technical details. If you are more interested, just take a look at the sources we summarized for you here.

    Universal Signature Forgery (USF)

    The main idea of Universal Signature Forgery (USF) is to manipulate the meta information in the signature in such a way that the targeted viewer application opens the PDF file, finds the signature, but is unable to find all the data necessary for its validation.

    Instead of treating the missing information as an error, it reports that the contained signature is valid. For example, the attacker can manipulate the Contents or ByteRange values within the Signature object. These entries are the targets because manipulating them removes either the signature value or the information stating which content is signed.
    The attack seems trivial, but even very good implementations like Adobe Reader DC, which prevented all other attacks, were susceptible to USF.

    Incremental Saving Attack (ISA)



    The Incremental Saving Attack (ISA) abuses a legitimate feature of the PDF specification, which allows a PDF file to be updated by appending the changes. The feature is used, for example, to store PDF annotations, or to add new pages while editing the file.

    The main idea of the ISA is to use the same technique to change elements of the signed PDF file, such as text or whole pages, to whatever the attacker desires.
    In other words, an attacker can redefine the document's structure and content using the Body Updates part. The digital signature within the PDF file protects precisely the part of the file defined in the ByteRange. Since the incremental saving appends the Body Updates to the end of the file, they are not part of the defined ByteRange and thus not covered by the signature's integrity protection. Summarized, the signature remains valid, while the Body Updates change the displayed content.
    This is not forbidden by the PDF specification, but the signature validation should indicate that the document has been altered after signing.

    Signature Wrapping Attack (SWA)

    Independently of PDF, the main idea behind Signature Wrapping Attacks is to force the verification logic to process different data than the application logic.

    In PDF files, SWA targets the signature validation logic by relocating the originally signed content to a different position within the document and inserting new content at the freed position. The starting point for the attack is the manipulation of the ByteRange value, which allows the signed content to be shifted to different locations within the file.

    On a very technical level, the attacker uses a validly signed document (shown on the left side) and proceeds as follows:


    • Step 1 (optional): The attacker deletes the zero padding bytes within the Contents parameter to increase the available space for injecting manipulated objects.
    • Step 2: The attacker defines a new /ByteRange [a b c* d] by manipulating the c value, which now points to the second signed part placed at a different position within the document.
    • Step 3: The attacker creates a new Xref table pointing to the new objects. It is essential that the newly inserted Xref table has the same byte offset as the previous Xref table. The position cannot be changed since it is referenced by the signed Trailer. For this purpose, the attacker can add a padding block (e.g., using whitespace) before the new Xref table to fill the unused space.
    • Step 4: The attacker injects malicious objects which are not protected by the signature. There are different injection points for these objects. They can be placed before or after the malicious Xref table. If Step 1 is not executed, it is only possible to place them after the malicious Xref table.
    • Step 5 (optional): Some PDF viewers need a Trailer after the manipulated Xref table; otherwise they cannot open the PDF file, or they detect the manipulation and display a warning message. Copying the last Trailer is sufficient to bypass this limitation.
    • Step 6: The attacker moves the signed content defined by c and d to byte offset c*. Optionally, the moved content can be encapsulated within a stream object. Noteworthy is the fact that the manipulated PDF file does not end with %%EOF after the endstream. The reason why some validators throw a warning that the file was manipulated after signing is an %%EOF after the signed one. To bypass this requirement, the PDF file is not correctly closed. However, it will still be processed by any viewer.
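The ByteRange description above and the three attack classes all come down to one validator-side question: does the signed range cover everything except exactly the Contents string? Here is one added example for both passages (written for this post, not the authors' tooling; Python standard library only). It constructs a toy signed PDF whose Contents is a placeholder rather than a real PKCS#7 blob and whose xref tables are omitted, hashes exactly the bytes the ByteRange covers, and runs the consistency checks a validator should pass before reporting "valid": the first range must start at byte 0, the second must end at the end of the file, the gap between them must be exactly the Contents string, and Contents must actually carry a value. Appended bytes (the ISA situation), a ByteRange whose gap no longer matches Contents (the ByteRange manipulations of SWA and USF) and an emptied Contents (USF) each produce a finding. Locating the signature with a whole-file regex is a simplification of this example; a real validator resolves the Sig dictionary through the object graph.

```python
import hashlib
import re


def make_signed_sample(sig_bytes: bytes = b"\x11" * 32) -> bytes:
    """Constructed sample: an original document plus an incremental update that
    adds the Signature object. The signature value is a placeholder (no real
    PKCS#7) and xref tables are omitted; only the ByteRange layout matters here."""
    original = (b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n"
                b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    contents_hex = sig_bytes.hex().encode().ljust(128, b"0")   # hex, zero-padded like real signers
    head = b"5 0 obj\n<< /Type /Sig /Filter /Adobe.PPKLite /SubFilter /adbe.pkcs7.detached "
    tail = b" >>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

    def layout(a, b, c, d):
        byte_range = b"/ByteRange [%010d %010d %010d %010d]" % (a, b, c, d)
        return original + head + byte_range + b" /Contents <" + contents_hex + b">" + tail

    draft = layout(0, 0, 0, 0)                 # fixed-width numbers keep every offset stable
    b = draft.index(b"/Contents <") + len(b"/Contents ")   # offset of '<'
    c = b + len(contents_hex) + 2                          # offset just past '>'
    return layout(0, b, c, len(draft) - c)


def find_signature(pdf: bytes):
    """Return ([a, b, c, d], offset of '<', offset past '>') or None when the
    signature lacks a usable ByteRange or Contents."""
    br = re.search(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]", pdf)
    ct = re.search(rb"/Contents\s*<([0-9A-Fa-f]*)>", pdf)
    if not br or not ct:
        return None
    return [int(x) for x in br.groups()], ct.start(1) - 1, ct.end(1) + 1


def check_byte_range(pdf: bytes) -> list:
    """Checks a validator must pass before reporting 'valid'. An empty list
    means the two ranges cover the whole file except exactly the Contents string."""
    sig = find_signature(pdf)
    if sig is None:
        return ["ByteRange or Contents missing: treat as invalid, never as valid"]
    (a, b, c, d), ct_start, ct_end = sig
    findings = []
    if a != 0:
        findings.append("signed range does not start at byte 0")
    if a + b != ct_start or c != ct_end:
        findings.append("gap between the ranges is not exactly the /Contents string")
    if c + d < len(pdf):
        findings.append("%d unsigned bytes appended after the signed range" % (len(pdf) - c - d))
    elif c + d > len(pdf):
        findings.append("ByteRange extends past the end of the file")
    if not pdf[ct_start + 1:ct_end - 1].strip(b"0"):
        findings.append("Contents carries no signature value")
    return findings


def signed_digest(pdf: bytes) -> str:
    """Hash exactly what the ByteRange covers: the signature in Contents is
    computed over this digest, so anything outside the ranges is unprotected."""
    (a, b, c, d), _, _ = find_signature(pdf)
    h = hashlib.sha256()
    h.update(pdf[a:a + b])
    h.update(pdf[c:c + d])
    return h.hexdigest()


if __name__ == "__main__":
    clean = make_signed_sample()
    # Constructed unsigned update appended after the signed range.
    updated = clean + b"6 0 obj\n<< /Type /Pages /Kids [] /Count 0 >>\nendobj\n%%EOF\n"
    print("clean:", check_byte_range(clean))
    print("with appended update:", check_byte_range(updated))
    print("same digest:", signed_digest(clean) == signed_digest(updated))
```

Running the block shows the clean sample passing and the copy with an appended update flagged; the digest over the ByteRange is identical for both, which is exactly why a validator that only verifies the signature value and never checks coverage reports the altered file as intact.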

    Evaluation

    In our evaluation, we searched for desktop applications validating digitally signed PDF files. We analyzed the security of their signature validation process against our 3 attack classes. The 22 applications fulfill these requirements. We evaluated the latest versions of the applications on all supported platforms (Windows, MacOS, and Linux).


    Authors of this Post

    Vladislav Mladenov
    Christian Mainka
    Karsten Meyer zu Selhausen
    Martin Grothe
    Jörg Schwenk

    Acknowledgements

    Many thanks to the CERT-Bund team for the great support during the responsible disclosure.
    We also want to acknowledge the teams which reacted to our report and fixed the vulnerable implementations.


    ISPY: Exploiting EternalBlue And BlueKeep Vulnerabilities With Metasploit Easier


    About ISPY:
       ISPY is an EternalBlue (MS17-010) and BlueKeep (CVE-2019-0708) scanner and exploiter with Metasploit Framework.

       ISPY was tested on: Kali Linux and Parrot Security OS 4.7.

    ISPY's Installation:
       For Arch Linux users, you must install Metasploit Framework and curl first:
    pacman -S metasploit curl


       For other Linux distros (not Kali Linux or Parrot Security OS), open your terminal and enter these commands to install Metasploit Framework:
     

       Then, enter these commands to install ISPY:

    How to use ISPY?
     
    ISPY's screenshots:

    About the author:

    Disclaimer: Usage of ispy for attacking targets without prior mutual consent is illegal.
    ispy is for security testing purposes only



    DOWNLOAD NANOCORE RAT 1.2.2.0 CRACKED – REMOTE ADMINISTRATION TOOL

    NanoCore is one of the most powerful RATs ever created. It is capable of taking complete control of a victim's machine. It allows a user to control the system with a Graphical User Interface (GUI). It has many features which allow a user to access a remote computer as an administrator. Download nanocore rat 1.2.2.0 cracked version free of cost.
    NanoCore's developer was arrested by the FBI, pleaded guilty in 2017 to developing such a malicious privacy threat, and was sentenced to 33 months in prison.

    FEATURES

    • Complete Stealth Remote Control
    • Recover Passwords from the Victim Device
    • Manage Networks
    • Manage Files
    • Surveillance
    • Plugins (To take it to the next level)
    • Many advanced features like SCRIPTING



    Wirelurker For OSX, iOS (Part I) And Windows (Part II) Samples


    PART II

    Wirelurker for Windows (WinLurker)

    Research: Palo Alto Claud Xiao: Wirelurker for Windows

    Sample credit: Claud Xiao



    PART I


    Research: Palo Alto Claud Xiao WIRELURKER: A New Era in iOS and OS X Malware

    Palo Alto | Claud Xiao - blog post: Wirelurker

    Wirelurker Detector https://github.com/PaloAltoNetworks-BD/WireLurkerDetector


    Sample credit: Claud Xiao


    Download

    Download Part I
    Download Part II

    Email me if you need the password




    List of files
    List of hashes 

    Part II

    微博 3.4.1.dmg 925cc497f207ec4dbcf8198a1b785dbd
    apps.ipa 54d27da968c05d463ad3168285ec6097
    WhatsAppMessenger 2.11.7.exe eca91fa7e7350a4d2880d341866adf35
    使用说明.txt 3506a0c0199ed747b699ade765c0d0f8
    libxml2.dll c86bebc3d50d7964378c15b27b1c2caa
    libiconv-2_.dll 9c8170dc4a33631881120a467dc3e8f7
    msvcr100.dll bf38660a9125935658cfa3e53fdc7d65
    libz_.dll bd3d1f0a3eff8c4dd1e993f57185be75
    mfc100u.dll f841f32ad816dbf130f10d86fab99b1a

    zlib1.dll c7d4d685a0af2a09cbc21cb474358595


    │   apps.ipa
    │   微博 3.4.1.dmg

    └───WhatsAppMessenger 2.11.7
                libiconv-2_.dll
                libxml2.dll
                libz_.dll
                mfc100u.dll
                msvcr100.dll
                WhatsAppMessenger 2.11.7.exe
                zlib1.dll
                使用说明.txt


    Part I

    BikeBaron 15e8728b410bfffde8d54651a6efd162
    CleanApp c9841e34da270d94b35ae3f724160d5e
    com.apple.MailServiceAgentHelper dca13b4ff64bcd6876c13bbb4a22f450
    com.apple.appstore.PluginHelper c4264b9607a68de8b9bbbe30436f5f28
    com.apple.appstore.plughelper.plist 94a933c449948514a3ce634663f9ccf8
    com.apple.globalupdate.plist f92640bed6078075b508c9ffaa7f0a78
    com.apple.globalupdate.plist f92640bed6078075b508c9ffaa7f0a78
    com.apple.itunesupdate.plist 83317c311caa225b17ac14d3d504387d
    com.apple.machook_damon.plist 6507f0c41663f6d08f497ab41893d8d9
    com.apple.machook_damon.plist 6507f0c41663f6d08f497ab41893d8d9
    com.apple.MailServiceAgentHelper.plist e6e6a7845b4e00806da7d5e264eed72b
    com.apple.periodic-dd-mm-yy.plist bda470f4568dae8cb12344a346a181d9
    com.apple.systemkeychain-helper.plist fd7b1215f03ed1221065ee4508d41de3
    com.apple.watchproc.plist af772d9cca45a13ca323f90e7d874c2c
    FontMap1.cfg 204b4836a9944d0f19d6df8af3c009d5
    foundation 0ff51cd5fe0f88f02213d6612b007a45
    globalupdate 9037cf29ed485dae11e22955724a00e7
    globalupdate 9037cf29ed485dae11e22955724a00e7
    itunesupdate a8dfbd54da805d3c52afc521ab7b354b
    libcrypto.1.0.0.dylib 4c5384d667215098badb4e850890127b
    libcrypto.1.0.0.dylib 3b533eeb80ee14191893e9a73c017445
    libiconv.2.dylib 94f9882f5db1883e7295b44c440eb44c
    libiconv.2.dylib fac8ef9dabdb92806ea9b1fde43ad746
    libimobiledevice.4.dylib c596adb32c143430240abbf5aff02bc0
    libimobiledevice.4.dylib 5b0412e19ec0af5ce375b8ab5a0bc5db
    libiodb.dylib bc3aa0142fb15ea65de7833d65a70e36
    liblzma.5.dylib 5bdfd2a20123e0893ef59bd813b24105
    liblzma.5.dylib 9ebf9c0d25e418c8d0bed2a335aac8bf
    libplist.2.dylib 903cbde833c91b197283698b2400fc9b
    libplist.2.dylib 109a09389abef9a9388de08f7021b4cf
    libssl.1.0.0.dylib 49b937c9ff30a68a0f663828be7ea704
    libssl.1.0.0.dylib ab09435c0358b102a5d08f34aae3c244
    libusbmuxd.2.dylib e8e0663c7c9d843e0030b15e59eb6f52
    libusbmuxd.2.dylib 9efb552097cf4a408ea3bab4aa2bc957
    libxml2.2.dylib 34f14463f28d11bd0299f0d7a3985718
    libxml2.2.dylib 95506f9240efb416443fcd6d82a024b9
    libz.1.dylib 28ef588ba7919f751ae40719cf5cffc6
    libz.1.dylib f2b19c7a58e303f0a159a44d08c6df63
    libzip.2.dylib 2a42736c8eae3a4915bced2c6df50397
    machook 5b43df4fac4cac52412126a6c604853c
    machook ecb429951985837513fdf854e49d0682
    periodicdate aa6fe189baa355a65e6aafac1e765f41
    pphelper 2b79534f22a89f73d4bb45848659b59b
    sfbase.dylib bc3aa0142fb15ea65de7833d65a70e36
    sfbase.dylib bc3aa0142fb15ea65de7833d65a70e36
    sfbase_v4000.dylib 582fcd682f0f520e95af1d0713639864
    sfbase_v4001.dylib e40de392c613cd2f9e1e93c6ffd05246
    start e3a61139735301b866d8d109d715f102
    start e3a61139735301b866d8d109d715f102
    start.sh 3fa4e5fec53dfc9fc88ced651aa858c6
    stty5.11.pl dea26a823839b1b3a810d5e731d76aa2
    stty5.11.pl dea26a823839b1b3a810d5e731d76aa2
    systemkeychain-helper e03402006332a6e17c36e569178d2097
    watch.sh 358c48414219fdbbbbcff90c97295dff
    WatchProc a72fdbacfd5be14631437d0ab21ff960
    7b9e685e89b8c7e11f554b05cdd6819a 7b9e685e89b8c7e11f554b05cdd6819a
    update 93658b52b0f538c4f3e17fdf3860778c
    start.sh 9adfd4344092826ca39bbc441a9eb96f

    File listing

    ├───databases
    │       foundation
    ├───dropped
    │   ├───version_A
    │   │   │   com.apple.globalupdate.plist
    │   │   │   com.apple.machook_damon.plist
    │   │   │   globalupdate
    │   │   │   machook
    │   │   │   sfbase.dylib
    │   │   │   watch.sh
    │   │   │
    │   │   ├───dylib
    │   │   │       libcrypto.1.0.0.dylib
    │   │   │       libiconv.2.dylib
    │   │   │       libimobiledevice.4.dylib
    │   │   │       liblzma.5.dylib
    │   │   │       libplist.2.dylib
    │   │   │       libssl.1.0.0.dylib
    │   │   │       libusbmuxd.2.dylib
    │   │   │       libxml2.2.dylib
    │   │   │       libz.1.dylib
    │   │   │
    │   │   ├───log
    │   │   └───update
    │   ├───version_B
    │   │       com.apple.globalupdate.plist
    │   │       com.apple.itunesupdate.plist
    │   │       com.apple.machook_damon.plist
    │   │       com.apple.watchproc.plist
    │   │       globalupdate
    │   │       itunesupdate
    │   │       machook
    │   │       start
    │   │       WatchProc
    │   │
    │   └───version_C
    │       │   com.apple.appstore.plughelper.plist
    │       │   com.apple.appstore.PluginHelper
    │       │   com.apple.MailServiceAgentHelper
    │       │   com.apple.MailServiceAgentHelper.plist
    │       │   com.apple.periodic-dd-mm-yy.plist
    │       │   com.apple.systemkeychain-helper.plist
    │       │   periodicdate
    │       │   stty5.11.pl
    │       │   systemkeychain-helper
    │       │
    │       └───manpath.d
    │               libcrypto.1.0.0.dylib
    │               libiconv.2.dylib
    │               libimobiledevice.4.dylib
    │               libiodb.dylib
    │               liblzma.5.dylib
    │               libplist.2.dylib
    │               libssl.1.0.0.dylib
    │               libusbmuxd.2.dylib
    │               libxml2.2.dylib
    │               libz.1.dylib
    │               libzip.2.dylib
    ├───iOS
    │       sfbase.dylib
    │       sfbase_v4000.dylib
    │       sfbase_v4001.dylib
    │       start
    │       stty5.11.pl
    ├───IPAs
    │       7b9e685e89b8c7e11f554b05cdd6819a
    │       pphelper
    ├───original
    │       BikeBaron
    │       CleanApp
    │       FontMap1.cfg
    │       start.sh
    └───update
            start.sh
            update