Vulnerability Report: Attacks bypassing the signature validation in PDF

Vladislav Mladenov, Christian Mainka, Karsten Meyer zu Selhausen, Martin Grothe, Jörg Schwenk


As part of our current research, we analyzed signature validation processing on PDF files. In the following report, we present three novel attack classes: Universal Signature Forgery (USF), Incremental Saving Attack (ISA), and Signature Wrapping Attack (SWA). Each attack allows an attacker to stealthily manipulate the content of a signed PDF without invalidating the signature, thereby breaking the document integrity protection. We successfully applied the attacks on 22 different PDF viewers and found 21 of them to be vulnerable, including prominent and widely used applications such as Adobe Reader DC and Foxit.