Vulnerability Report: Attacks bypassing confidentiality in encrypted PDF

Jens Müller, Fabian Ising, Vladislav Mladenov, Christian Mainka, Sebastian Schinzel, Jörg Schwenk


In this report, we analyze PDF encryption and show two novel techniques for breaking the confidentiality of encrypted documents.

Firstly, we abuse the PDF feature of partially encrypted documents to wrap the encrypted part of the document within attacker-controlled content and therefore, exfiltrate the plaintext once the document is opened by a legitimate user. Secondly, we abuse a flaw in the PDF encryption specification allowing an attacker to arbitrarily manipulate encrypted content without knowing the corresponding key/password. The only requirement is one single block of known plaintext, which we show is fulfilled by design.

By using exfiltration channels our attacks allow the recovery of the entire plaintext or parts of it within an encrypted document. The attacks rely only on standard compliant PDF features.

We evaluated our attacks on 27 widely used PDF viewers and found all of them vulnerable.

[html] [pdf]

Tags: pdf-encryption, pdf-security