New Injection Technique Exposes Data in PDFs

Posted by Geraldine Hunt on Tue, Jan 5th, 2021

Hackers have been targeting PDF users with a new injection technique. PDF attachments have been commonly used as the Trojan horse that unleashes malware or ransomware onto unsuspecting email users. However, hackers are now targeting PDF files themselves using code-injection techniques.  One such attack was discovered earlier this month that allows hackers to inject code that launches cross-site scripting attacks (XSS) within the PDF document itself.  The end goal for these attacks is to extract sensitive data from the PDF files

What is an XSS Attack?

According to the Open Web Application Security Project (OWASP), XSS attacks are commonly used to inject malicious scripts into otherwise benign and trusted websites.  OWASP has ranked XSS attacks in their Top 10 Web Application Security Threats since they started publishing the famous list almost 20 years ago.  When used within web applications, the end user’s browser has no way to know that the malicious script should not be trusted and thus executes it.  By using the script, the attacker can then access cookies, session tokens or other sensitive information retained by the browser during the web session.  XSS exploits can be implemented anywhere with a web application that uses input from a user within the output it generates without validating or encoding it. 

Why PDF Injection Attacks are such a Threat

Hackers are not using injection attacks to access ordinary office PDF files.  The real target is the server-side PDF generated files that are created constantly in today’s digital world.  They appear in the form of e-tickets, receipts, boarding passes, invoices, payslips and so on.  If hackers can gain access to these documents and influence the structure of the PDF itself, they can inject code and capture the enclosed data.  For instance, if an attacker can control part of a PDF that contains bank details, those details can be exfiltrated and uploaded to a holding site.  When you realize the vast amount of PDF files and libraries we all work with, it is obvious why hackers are vigorously targeting them.

How the PDF Injection Attack Works

The newly discovered PDF injection threat operates the same way as the traditional web application attack methodology.  In the case of PDF files, hackers take advantage of what is referred to as escape characters, specifically backslashes and parentheses.  These escape characters are commonly used to accept user input within text streams or annotation URLs.  This of course opens the door for a hacker to inject their own URLs or JavaScript code.  By injecting their own escape characters, hackers can inject their own code.  The injection of a simple link can easily compromise the entire contents of a PDF, according to one of the researchers that discovered the attack methodology.  This attack methodology was actually demonstrated at a recent Black Hat online conference in Europe this month, showing how easy it was to upload exfiltrated data to a remote server using a single injected link.  The presenters also disclosed the fact that some of the largest PDF libraries in the world are vulnerable to these injection attacks.

How to Stop this Attack

What makes XSS attacks possible is sloppy coding.  In the same way that ordinary users take shortcuts when it comes to password creation, code developers often take shortcuts when writing Web 2.0 code.   In the case of PDF file injections, it is due to PDF libraries failing to properly parse code of these types of escape characters in unprotected formats.  In the case of this specific vulnerability, Adobe issued a security update on December 9 that remedies this security vulnerability.  If your organization creates PDF of any form, it is highly recommended that you immediately install the update.

How TitanHQ can Help Protect you from PDF Threats

While TitanHQ can’t help you parse your PDF libraries, we can protect you from malware-infected PDF attachments.  Our advanced email security solution called SpamTitan is designed to discover and eradicate email attachments that contain viruses and malicious code.  It does this through the use of double antivirus protection and sandboxing techniques.