PDF documents are complex and have dangerous features that can be exploited by attackers to exfiltrate data, execute code, and leak credentials.
- PDF viewers that implement the full PDF standard are flawed by design and vulnerable to attacks
- Limiting resources that a single document can consume can prevent malicious documents from affecting the whole application or operating system
- Secure PDF processing applications should identify and block dangerous paths in malicious documents
- PDF forms can be manipulated to exfiltrate data and leak credentials
- PDF streams can reference external files and be used to exfiltrate arbitrary files from disk
PDF is a document format on steroids. In this talk, we will dive deep into the PDF specification and reveal its less known, insecure features. We perform a systematic and in-depth analysis of the capabilities of malicious PDF documents leading to vulnerabilities in all major PDF viewers. Our attacks are categorized into four classes: (1) Denial-of-Service attacks affecting the host on which the document is processed. (2) Information disclosure attacks which track who opens a document or leak personal data out of the victim's computer to the attacker's server, such as PDF document form data, local files, or user credentials. (3) Data manipulation attacks which modify form values, write local files on the host system, or mask the displayed content of a document based on the opening application. (4) Execution of code on the victim's machine, by silently launching an embedded executable. Finally, we propose a methodology to systematically protect against attacks based on legitimate-but-dangerous PDF document features.
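The takeaways above (blocking dangerous paths, capping resources, flagging forms and external streams) and the four attack classes in the abstract all reduce to the same defensive step: inspect a document's objects for legitimate-but-dangerous features before a full viewer touches it. The following Python scanner is an added example written for this page; it is not code from the talk or its authors. It assumes a flat, uncompressed PDF, uses a regex object walk rather than a full parser, and the key list, limits, sample documents and function names (`find_dangerous_features`, `check_resource_limits`, `verdict`) are choices made here. Anything packed into compressed object streams (`/ObjStm`), encrypted, or written with escaped name characters will not be seen by this scan, so a production pipeline decompresses and normalises first.

```python
import re

# Name-delimiter lookahead so "/JS" does not match "/JSON" and "/F" does not match "/Filter".
_NAME_END = rb"(?=[\s/\[\]<>(){}%]|$)"

# Legitimate-but-dangerous PDF features, labelled with the attack class they enable
# (list chosen for this example; extend it for your own policy).
DANGEROUS_KEYS = {
    "/Launch": "code execution: launch action",
    "/JavaScript": "code execution: script",
    "/JS": "code execution: script",
    "/SubmitForm": "information disclosure: form data sent to a URL",
    "/ImportData": "data manipulation: form values loaded from a file",
    "/URI": "information disclosure: remote request (tracking)",
    "/GoToR": "information disclosure: remote document reference",
    "/EmbeddedFile": "code execution: embedded file payload",
    "/OpenAction": "trigger: action runs automatically on open",
    "/AA": "trigger: additional actions run automatically",
}

OBJ_RE = re.compile(rb"(\d+)\s+\d+\s+obj\b(.*?)\bendobj", re.DOTALL)


def iter_objects(data):
    """Yield (object number, body bytes) for each uncompressed indirect object."""
    for m in OBJ_RE.finditer(data):
        yield int(m.group(1)), m.group(2)


def find_dangerous_features(data):
    """Return [(object number, feature, description)] for every dangerous feature found."""
    findings = []
    for num, body in iter_objects(data):
        for key, desc in DANGEROUS_KEYS.items():
            if re.search(re.escape(key.encode()) + _NAME_END, body):
                findings.append((num, key, desc))
        if b"stream" in body:
            # A /F entry in a stream dictionary means the stream content is read from an external file.
            stream_dict = body.split(b"stream", 1)[0]
            if re.search(rb"/F" + _NAME_END, stream_dict):
                findings.append((num, "/F (external stream)",
                                 "information disclosure: stream data read from a local file"))
    return findings


def check_resource_limits(data, max_bytes=10 * 2**20, max_objects=10_000, max_stream_length=5 * 2**20):
    """Return a list of limit violations; limits are example defaults, tune them per deployment."""
    violations = []
    if len(data) > max_bytes:
        violations.append(f"file size {len(data)} exceeds {max_bytes} bytes")
    objects = list(iter_objects(data))
    if len(objects) > max_objects:
        violations.append(f"{len(objects)} objects exceeds {max_objects}")
    for num, body in objects:
        # Direct /Length only; an indirect "/Length n 0 R" is left for the full parser.
        m = re.search(rb"/Length\s+(\d+)(\s+\d+\s+R)?", body)
        if m and not m.group(2) and int(m.group(1)) > max_stream_length:
            violations.append(f"object {num} declares stream length {int(m.group(1))} above {max_stream_length}")
    return violations


def verdict(data, **limits):
    """'block' if the document uses any dangerous feature or breaks a resource limit, else 'allow'."""
    if find_dangerous_features(data) or check_resource_limits(data, **limits):
        return "block"
    return "allow"


def build_pdf(objects):
    """Assemble a minimal xref-less PDF from (number, body) pairs; constructed test data only."""
    out = [b"%PDF-1.7"]
    for num, body in objects:
        out.append(b"%d 0 obj\n%s\nendobj" % (num, body))
    out.append(b"trailer\n<< /Root 1 0 R >>\n%%EOF\n")
    return b"\n".join(out)


# Constructed samples: a plain one-page document, and one using an auto-run URI action,
# an external stream and a launch action with placeholder targets (nothing here executes).
CLEAN_OBJECTS = [
    (1, b"<< /Type /Catalog /Pages 2 0 R >>"),
    (2, b"<< /Type /Pages /Kids [3 0 R] /Count 1 >>"),
    (3, b"<< /Type /Page /Parent 2 0 R /MediaBox [0 0 612 792] >>"),
]
CLEAN_PDF = build_pdf(CLEAN_OBJECTS)
DANGEROUS_PDF = build_pdf([
    (1, b"<< /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >>"),
    CLEAN_OBJECTS[1], CLEAN_OBJECTS[2],
    (4, b"<< /S /URI /URI (https://tracker.example/beacon) >>"),
    (5, b"<< /Length 5 /F (external-file-placeholder) >>\nstream\nhello\nendstream"),
    (6, b"<< /S /Launch /F (launch-target-placeholder) >>"),
])

if __name__ == "__main__":
    for name, doc in (("clean", CLEAN_PDF), ("dangerous", DANGEROUS_PDF)):
        print(name, "->", verdict(doc))
        for num, feature, desc in find_dangerous_features(doc):
            print(f"  obj {num}: {feature}: {desc}")
```

Run as a script it reports the clean sample as allowed and the second as blocked, naming the object that carries each feature; the same `verdict` call is what a processing service would place in front of its renderer. Note that presence of a feature, not intent, is what is scored: a legitimate form with `/SubmitForm` is blocked by this policy too, which is the trade-off the talk argues for when the alternative is a viewer that honours every path the standard allows.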