sábado, 9 de maio de 2020

PDFex: Major Security Flaws In PDF Encryption

After investigating the security of PDF signatures, we had a deeper look at PDF encryption. In co­ope­ra­ti­on with our friends from Müns­ter Uni­ver­si­ty of Ap­p­lied Sci­en­ces, we discovered severe weaknesses in the PDF encryption standard which lead to full plaintext exfiltration in an active-attacker scenario.

To guarantee confidentiality, PDF files can be encrypted. This enables the secure transfer and storing of sensitive documents without any further protection mechanisms.
The key management between the sender and recipient may be password based (the recipient must know the password used by the sender, or it must be transferred to them through a secure channel) or public key based (i.e., the sender knows the X.509 certificate of the recipient).
In this research, we analyze the security of encrypted PDF files and show how an attacker can exfiltrate the content without having the corresponding keys.

So what is the problem?

The security problems known as PDFex discovered by our research can be summarized as follows:
  1. Even without knowing the corresponding password, the attacker possessing an encrypted PDF file can manipulate parts of it.
    More precisely, the PDF specification allows the mixing of ciphertexts with plaintexts. In combination with further PDF features which allow the loading of external resources via HTTP, the attacker can run direct exfiltration attacks once a victim opens the file.
  2. PDF encryption uses the Cipher Block Chaining (CBC) encryption mode with no integrity checks, which implies ciphertext malleability.
    This allows us to create self-exfiltrating ciphertext parts using CBC malleability gadgets. We use this technique not only to modify existing plaintext but to construct entirely new encrypted objects.

Who uses PDF Encryption?

PDF encryption is widely used. Prominent companies like Canon and Samsung apply PDF encryption in document scanners to protect sensitive information.
Further providers like IBM offer PDF encryption services for PDF documents and other data (e.g., confidential images) by wrapping them into PDF. PDF encryption is also supported in different medical products to transfer health records, for example InnoportRicohRimage.
Due to the shortcomings regarding the deployment and usability of S/MIME and OpenPGP email encryption, some organizations use special gateways to automatically encrypt email messages as encrypted PDF attachments, for example CipherMailEncryptomaticNoSpamProxy. The password to decrypt these PDFs can be transmitted over a second channel, such as a text message (i.e., SMS).


Technical details of the attacks

We developed two different attack classes on PDF Encryption: Direct Exfiltration and CBC Gadgets.

Attack 1: Direct Exfiltration (Attack A)


The idea of this attack is to abuse the partial encryption feature by modifying an encrypted PDF file. As soon as the file is opened and decrypted by the victim sensitive content is sent to the attacker. Encrpyted PDF files does not have integrity protection. Thus, an attacker can modify the structure of encrypted PDF documents, add unencrypted objects, or wrap encrypted parts into a context controlled the attacker.
In the given example, the attacker abuses the flexibility of the PDF encryption standard to define certain objects as unencrypted. The attacker modifies the Encrypt dictionary (6 0 obj) in a way that the document is partially encrypted – all streams are left AES256 encrypted while strings are defined as unencrypted by setting the Identity filter. Thus, the attacker can freely modify strings in the document and add additional objects containing unencrypted strings.
The content to be exfiltrated is left encrypted, see Contents (4 0 obj) and EmbeddedFile (5 0 obj). The most relevant object for the attack is the definition of an Action, which can submit a form, invoke a URL, or execute JavaScript. The Action references the encrypted parts as content to be included in requests and can thereby be used to exfiltrate their plaintext to an arbitrary URL. The execution of the Action can be triggered automatically once the PDF file is opened (after the decryption) or via user interaction, for example, by clicking within the document.
This attack has three requirements to be successful. While all requirements are PDF standard compliant, they have not necessarily been implemented by every PDF application:
  • Partial encryption: Partially encrypted documents based on Crypt Filters like the Identity filter or based on other less supported methods like the None encryption algorithm.
  • Cross-object references: It must be possible to reference and access encrypted string or stream objects from unencrypted attacker-controlled parts of the PDF document.
  • Exfiltration channel: One of the interactive features allowing the PDF reader to communicate via Internet must exist, with or without user interaction. Such Features are PDF FormsHyperlinks, or JavaScript.
Please note that the attack does not abuse any cryptographic issues, so that there are no requirements to the underlying encryption algorithm (e.g., AES) or the encryption mode (e.g., CBC).
In the following, we show three techniques how an attack can exfiltrate the content.

Exfiltration via PDF Forms (A1)


The PDF standard allows a document's encrypted streams or strings to be defined as values of a PDF form to be submitted to an external server. This can be done by referencing their object numbers as the values of the form fields within the Catalog object, as shown in the example on the left side. The value of the PDF form points to the encrypted data stored in 2 0 obj.
To make the form auto-submit itself once the document is opened and decrypted, an OpenAction can be applied. Note that the object which contains the URL (http://p.df) for form submission is not encrypted and completely controlled by the attacker. As a result, as soon as the victim opens the PDF file and decrypts it, the OpenAction will be executed by sending the decrypted content of 2 0 obj to (http://p.df).

If forms are not supported by the PDF viewer, there is a second method to achieve direct exfiltration of a plaintext. The PDF standard allows setting a "base" URI in the Catalog object used to resolve all relative URIs in the document.
This enables an attacker to define the encrypted part as a relative URI to be leaked to the attacker's web server. Therefore the base URI will be prepended to each URI called within the PDF file. In the given example, we set the base URI to (http://p.df).
The plaintext can be leaked by clicking on a visible element such as a link, or without user interaction by defining a URI Action to be automatically performed once the document is opened.
In the given example, we define the base URI within an Object Stream, which allows objects of arbitrary type to be embedded within a stream. This construct is a standard compliant method to put unencrypted and encrypted strings within the same document. Note that for this attack variant, only strings can be exfiltrated due to the specification, but not streams; (relative) URIs must be of type string. However, fortunately (from an attacker's point of view), all encrypted streams in a PDF document can be re-written and defined as hex-encoded strings using the hexadecimal string notation.
Nevertheless, the attack has some notable drawbacks compared to  Exfiltration via PDF Forms:
  • The attack is not silent. While forms are usually submitted in the background (by the PDF viewer itself), to open hyperlinks, most applications launch an external web browser.
  • Compared to HTTP POST, the length of HTTP GET requests, as invoked by hyperlinks, is limited to a certain size.
  • PDF viewers do not necessarily URL-encode binary strings, making it difficult to leak compressed data.

Exfiltration via JavaScript (A3)

The PDF JavaScript reference allows JavaScript code within a PDF document to directly access arbitrary string/stream objects within the document and leak them with functions such as *getDataObjectContents* or *getAnnots*.
In the given example, the stream object 7 is given a Name (x), which is used to reference and leak it with a JavaScript action that is automatically triggered once the document is opened. The attack has some advantages compared to Exfiltration via PDF Forms and Exfiltration via Hyperlinks, such as the flexibility of an actual programming language.
It must, however, be noted that – while JavaScript actions are part of the PDF specification – various PDF applications have limited JavaScript support or disable it by default (e.g., Perfect PDF Reader).

Attack 2: CBC Gadgets (Attack B)

Not all PDF viewers support partially encrypted documents, which makes them immune to direct exfiltration attacks. However, because PDF encryption generally defines no authenticated encryption, attackers may use CBC gadgets to exfiltrate plaintext. The basic idea is to modify the plaintext data directly within an encrypted object, for example, by prefixing it with an URL. The CBC gadget attack, thus does not necessarily require cross-object references.
Note that all gadget-based attacks modify existing encrypted content or create new content from CBC gadgets. This is possible due to the malleability property of the CBC encryption mode.
This attack has two necessary preconditions:
  • Known plaintext: To manipulate an encrypted object using CBC gadgets, a known plaintext segment is necessary. For AESV3 – the most recent encryption algorithm – this plain- text is always given by the Perms entry. For older versions, known plaintext from the object to be exfiltrated is necessary.
  • Exfiltration channel: One of the interactive features: PDF Forms or Hyperlinks.
These requirements differ from those of the direct exfiltration attacks, because the attacks are applied "through" the encryption layer and not outside of it.

Exfiltration via PDF Forms (B1)

As described above, PDF allows the submission of string and stream objects to a web server. This can be used in conjunction with CBC gadgets to leak the plaintext to an attacker-controlled server, even if partial encryption is not allowed.
A CBC gadget constructed from the known plaintext can be used as the submission URL, as shown in the example on the left side. The construction of this particular URL gadget is challenging. As PDF encryption uses PKCS#5 padding, constructing the URL using a single gadget from the known Perms plaintext is difficult, as the last 4 bytes that would need to contain the padding are unknown.
However, we identified two techniques to solve this. On the one hand, we can take the last block of an unknown ciphertext and append it to our constructed URL, essentially reusing the correct PKCS#5 padding of the unknown plaintext. Unfortunately, this would introduce 20 bytes of random data from the gadgeting process and up to 15 bytes of the unknown plaintext to the end of our URL.
On the other hand, the PDF standard allows the execution of multiple OpenActions in a document, allowing us to essentially guess the last padding byte of the Perms value. This is possible by iterating over all 256 possible values of the last plaintext byte to get 0x01, resulting in a URL with as little random as possible (3 bytes). As a limitation, if one of the 3 random bytes contains special characters, the form submission URL might break.
Using CBC gadgets, encrypted plaintext can be prefixed with one or more chosen plaintext blocks. An attacker can construct URLs in the encrypted PDF document that contain the plaintext to exfiltrate. This attack is similar to the exfiltration hyperlink attack (A2). However, it does not require the setting of a "base" URI in plaintext to achieve exfiltration.
The same limitations described for direct exfiltration based on links (A2) apply. Additionally, the constructed URL contains random bytes from the gadgeting process, which may prevent the exfiltration in some cases.

Exfiltration via Half-Open Object Streams (B3)

While CBC gadgets are generally restricted to the block size of the underlying block cipher – and more specifically the length of the known plaintext, in this case, 12 bytes – longer chosen plaintexts can be constructed using compression. Deflate compression, which is available as a filter for PDF streams, allows writing both uncompressed and compressed segments into the same stream. The compressed segments can reference back to the uncompressed segments and achieve the repetition of byte strings from these segments. These backreferences allow us to construct longer continuous plaintext blocks than CBC gadgets would typically allow for. Naturally, the first uncompressed occurrence of a byte string still appears in the decompressed result. Additionally, if the compressed stream is constructed using gadgets, each gadget generates 20 random bytes that appear in the decompressed stream. A non-trivial obstacle is to keep the PDF viewer from interpreting these fragments in the decompressed stream. While hiding the fragments in comments is possible, PDF comments are single-line and are thus susceptible to newline characters in the random bytes. Therefore, in reality, the length of constructed compressed plaintexts is limited.
To deal with this caveat, an attacker can use ObjectStreams which allow the storage of arbitrary objects inside a stream. The attacker uses an object stream to define new objects using CBC gadgets. An object stream always starts with a header of space-separated integers which define the object number and the byte offset of the object inside the stream. The dictionary of an object stream contains the key First which defines the byte offset of the first object inside the stream. An attacker can use this value to create a comment of arbitrary size by setting it to the first byte after their comment.
Using compression has the additional advantage that compressed, encrypted plaintexts from the original document can be embedded into the modified object. As PDF applications often create compressed streams, these can be incorporated into the attacker-created compressed object and will therefore be decompressed by the PDF applications. This is a significant advantage over leaking the compressed plaintexts without decompression as the compressed bytes are often not URL-encoded correctly (or at all) by the PDF applications, leading to incomplete or incomprehensible plaintexts. However, due to the inner workings of the deflate algorithms, a complete compressed plaintext can only be prefixed with new segments, but not postfixed. Therefore, a string created using this technique cannot be terminated using a closing bracket, leading to a half-open string. This is not a standard compliant construction, and PDF viewers should not accept it. However, a majority of PDF viewers accept it anyway.

Evaluation

During our security analysis, we identified two standard compliant attack classes which break the confidentiality of encrypted PDF files. Our evaluation shows that among 27 widely-used PDF viewers, all of them are vulnerable to at least one of those attacks, including popular software such as Adobe Acrobat, Foxit Reader, Evince, Okular, Chrome, and Firefox.
You can find the detailed results of our evaluation here.

What is the root cause of the problem?

First, many data formats allow to encrypt only parts of the content (e.g., XML, S/MIME, PDF). This encryption flexibility is difficult to handle and allows an attacker to include their own content, which can lead to exfiltration channels.
Second, when it comes to encryption, AES-CBC – or encryption without integrity protection in general – is still widely supported. Even the latest PDF 2.0 specification released in 2017 still relies on it. This must be fixed in future PDF specifications and any other format encryption standard, without enabling backward compatibility that would re-enable CBC gadgets.
A positive example is JSON Web Encryption standard, which learned from the CBC attacks on XML and does not support any encryption algorithm without integrity protection.

Authors of this Post

Jens Müller
Fabian Ising
Vladislav Mladenov
Christian Mainka
Sebastian Schinzel
Jörg Schwenk

Acknowledgements

Many thanks to the CERT-Bund team for the great support during the responsible disclosure process.

Related word


WHO IS ETHICAL HACKER

Who is hacker?
A hacker is a Creative person and a creative Programmer,who have knowledge about Networking,Operating system,hacking & a best creative social engineer who control anyone's mind he is also a knowledgeable person.
Hacker are the problem solver and tool builder.

                                OR

A hacker is an individual who uses computer, networking and other skills to overcome a technical problem but it often refers to a person who uses his or her abilities to gain unauthorized access to system or networks in  order to commit crimes. 


More articles
  1. Travel Hacking
  2. Social Hacking
  3. Hacking Apps
  4. Wifi Hacking App

How To Start | How To Become An Ethical Hacker

Are you tired of reading endless news stories about ethical hacking and not really knowing what that means? Let's change that!
This Post is for the people that:

  • Have No Experience With Cybersecurity (Ethical Hacking)
  • Have Limited Experience.
  • Those That Just Can't Get A Break


OK, let's dive into the post and suggest some ways that you can get ahead in Cybersecurity.
I receive many messages on how to become a hacker. "I'm a beginner in hacking, how should I start?" or "I want to be able to hack my friend's Facebook account" are some of the more frequent queries. Hacking is a skill. And you must remember that if you want to learn hacking solely for the fun of hacking into your friend's Facebook account or email, things will not work out for you. You should decide to learn hacking because of your fascination for technology and your desire to be an expert in computer systems. Its time to change the color of your hat 😀

 I've had my good share of Hats. Black, white or sometimes a blackish shade of grey. The darker it gets, the more fun you have.

If you have no experience don't worry. We ALL had to start somewhere, and we ALL needed help to get where we are today. No one is an island and no one is born with all the necessary skills. Period.OK, so you have zero experience and limited skills…my advice in this instance is that you teach yourself some absolute fundamentals.
Let's get this party started.
  •  What is hacking?
Hacking is identifying weakness and vulnerabilities of some system and gaining access with it.
Hacker gets unauthorized access by targeting system while ethical hacker have an official permission in a lawful and legitimate manner to assess the security posture of a target system(s)

 There's some types of hackers, a bit of "terminology".
White hat — ethical hacker.
Black hat — classical hacker, get unauthorized access.
Grey hat — person who gets unauthorized access but reveals the weaknesses to the company.
Script kiddie — person with no technical skills just used pre-made tools.
Hacktivist — person who hacks for some idea and leaves some messages. For example strike against copyright.
  •  Skills required to become ethical hacker.
  1. Curosity anf exploration
  2. Operating System
  3. Fundamentals of Networking
*Note this sites





Read more


  1. Curso De Ciberseguridad Y Hacking Ético
  2. Hacking Con Python
  3. Web Hacking 101
  4. Cómo Se Escribe Hacker
  5. Hacking Definition
  6. Password Hacking
  7. Arduino Hacking
  8. Hacking With Arduino

OWASP API Security Project Media Coverage



A list of must read articles on OWASP API Security Project

Read more

How To Pass Your Online Accounts After Death – 3 Methods

The topic of DEATH is not one that most people care to talk about, but the truth is that we are all going to die at some point and everything that we did online is going to end up in limbo if we don't make sure that someone we trust is going to be able to gain access to this information. This is going to be extremely important in order to close it down, or have your loved one do whatever you want them to do with your information. There are many things to take into consideration for this kind of situation. If you are like the average modern person, you probably have at least one email account, a couple of social media accounts in places like Facebook and Twitter. Perhaps you also have a website that you run or a blog. These are all very common things that people will usually do at some point and if you have anything that you consider valuable, you should have a way to leave it in the hands of someone you trust when you pass away.

Pass Accounts and Passwords After Death
Pass Accounts and Passwords After Death

Maybe you have an online platform that has a lot of content that you find useful and important. Perhaps you have even been able to turn some of that content into monetizable material and you don't want this to end when you pass away. This is more than enough of a reason to make sure that your information can be given to someone when you are no longer around.
There have been many cases when all the information has ended up being impossible to recover when a person has died, at least not without the need for the family members to do all kinds of things in order to prove a person is deceased. So here are some ways, you can passyour online accounts/data after death:

1) Making a Safe 'WILL' (or Locker) containing master password.

  1. Make an inventory of all your online accounts and list them on a piece of paper one by one and give it to your loved one. For eg:– Your primary email address
    – Your Facebook ID/email
    – The Bank account or Internet banking ID
    – etc. To clarify, it will be only a list of the accounts you want your loved one to be able to access after you're dead. Just the list of accounts, nothing else (no passwords).
  2. Set up a brand new e-mail address (Possibly Gmail account). Lets say youraccountsinfo@gmail.com
  3. Now from your usual email account, Send an e-mail to youraccountsinfo@gmail.com, with the following content:– dd349r4yt9dfj
    – sd456pu3t9p4
    – s2398sds4938523540
    – djfsf4p These are, of course, the passwords and account numbers that you want your loved one to have once you're dead.
  4. Tell your loved one that you did these things, and while you're at it, send him/her an e-mail from youraccountsinfo@gmail.com, so he/she will have the address handy in some special folder in his/her inbox.
  5. Put the password for youraccountsinfo@gmail.com in your will or write it down on paper and keep it safe in your bank locker. Don't include the e-mail address as well, just put something like "The password is: loveyourhoney432d".
And its done! Your loved one will only have the password once you're dead, and the info is also secure, since it's split in two places that cannot be easily connected, so if the e-mail address happens to be hacked, the perpetrator won't be able to use it to steal anything that you're going to leave for your loved one.

2) Preparing a Future email (SWITCH) containing login information

This method is very similar to the first one except in this case we will not be using a WILL or Locker. Instead we will be using a Service called "Dead Mans Switch" that creates a switch (Future email) and sends it to your recipients after a particular time interval. Here is how it works.
  1. Create a list of accounts as discussed in the first method and give it to your loved one.
  2. Register on "Dead mans switch" and create a switch containing all the corresponding passwords and enter the recipients email (Your loved one).
  3. Your switch will email you every so often, asking you to show that you are fine by clicking a link. If something happens to you, your switch would then send the email you wrote to the recipient you specified. Sort of an "electronic will", one could say.

3) Using password managers that have emergency access feature

Password managers like LastPass and Dashlane have a feature called as "emergency access".  It functions as a dead man's switch. You just have to add your loved one to your password manager, with emergency access rights. he/She does not see any of your information, nor can he/she log into your accounts normally.
But if the worst happens, your loved one can invoke the emergency access option. Next your password manager sends an email to you and starts a timer. If, after a certain amount of time interval, you have not refused the request, then your loved one gets full access to your password manager.
You can always decide what they can potentially gain access to, and you set the time delay.

Why should i bother about passing my digital legacy?

Of all the major online platforms, only Google and Facebook have provisions for Inactiveaccounts (in case of death). Google lets you plan for the inevitable ahead of time. Using the "Inactive Account Manager", you can designate a beneficiary who will inherit access to any or all of your Google accounts after a specified period of inactivity (the default is 3 months).
Facebook on the other hand will either delete your inactive account or turn it into a memorial page when their family can provide any proof of their death, but there is also a large number of platforms that don't have any specific way for people to be able to verify the death of a loved one in order to gain access to the accounts. In either case, you wouldn't want your family to have to suffer through any hassles and complications after you have passed away.
You should also consider the importance of being able to allow your loved ones to collect all the data you left behind. This means photos and experiences that can be used to show other generations the way that you lived and the kind of things you enjoyed doing.
Those memories are now easier to keep and the best photos can be downloaded for the purpose of printing them for photo albums or frames. Allowing them to have the chance to do this in a practical way is going to be a great gesture and securing any profitable information is going to be essential if you want a business or idea to keep moving forward with the help of those you trust.
This is the reason why you need to be able to pass your online account information after death, but no one wants to give access to this kind of information to their loved ones because it's of a private nature and we would feel uneasy knowing that others can access our private conversations or message.

More articles


  1. Hacking Articles
  2. Hacking Usb
  3. Hacking Time
  4. Web Hacking 101
  5. Herramientas Hacking
  6. Cracker Definicion
  7. Hacking Google Home Mini
  8. Hacking Background
  9. Hacking Definition
  10. Libros Para Aprender A Hackear
  11. Growth Hacking Pdf
  12. Bluetooth Hacking