Hi Tilman, thanks for the quick response.
All of my tests had the "Signature does not cover whole document" in the output. This result is obvious for the Incremental Saving Attack. For the more advanced Signature Wrapping attack the check byteRange[1] + contentLen != byteRange[2] triggers the output (at least for the provided test document). If you have a signature with many 0 padding bytes the malicious code might be placed without changing the contentLen. But it should not be possible to replace the xref table without changing the contentLen. So the "Signature does not cover whole document" check should be sufficient to cope with these attacks. Do you agree or do you see any additional attack scenario?

Nevertheless I would feel more comfortable if we had a "more robust" mechanism to detect malicious documents, e.g. reject documents as described in the "Incremental Saving Attack" as they are not PDF compliant at all. Additionally, I'd like to add a check if the actually used /ByteRange array is covered by the signature. Is there an easy way to implement this?

Thanks
Wolfgang

On Thu, 2019-02-28 at 10:33 +0100, Tilman Hausherr wrote:
> did it have "signature covers whole document" at the beginning of the output?
>
> Tilman
>
> Sent with the Telekom Mail App
>
> --- Original message ---
> From: Wolfgang Bauer
> Subject: PDF Signature Spoofing
> Date: 28.02.2019, 10:04
> To: [email protected]
>
> Hello everybody,
>
> as you have probably already heard, there are currently new attacks on pdf signatures very popular in the media.
> https://www.pdf-insecurity.org/
>
> In particular the demo documents of Attack 2: Incremental Saving Attack and Attack 3 can be parsed with the pdfbox library and the ShowSignature example even validates the malicious signatures.
>
> Are there any plans to include some validation steps into pdfbox to cope with these problems?
>
> Thanks
> Wolfgang
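The byte-range checks discussed in this thread, as an added example that is not PDFBox code and not part of the mail exchange. It implements, in Python, the four structural checks a validator can run before any cryptographic verification: the first range starts at offset 0, the unsigned gap between the two ranges is exactly one hex string (the /Contents value), the second range runs to the end of the file, and the /ByteRange array that is actually used lies inside the signed bytes (the check Wolfgang asks about). The toy "PDF", the fake signature value, the two attack simulations and the function names are all constructed here for illustration; the scanner finds /ByteRange arrays with a regular expression instead of resolving the xref, so it checks every candidate array rather than the one the trailer points to.

```python
import re

# /ByteRange [a b c d] as written by most signing tools (fixed-width, zero-padded numbers)
BYTERANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")
# the unsigned gap must be one hex string: '<', hex digits (whitespace allowed), '>'
HEX_STRING_RE = re.compile(rb"\A<[0-9A-Fa-f\s]*>\Z")


def find_byte_ranges(pdf):
    """Yield (values, start, end) for every /ByteRange array found in the file bytes.
    A real validator must use the array the xref/trailer resolves to; here every
    candidate is checked instead of parsing the xref."""
    for m in BYTERANGE_RE.finditer(pdf):
        yield [int(x) for x in m.groups()], m.start(), m.end()


def check_byte_range(pdf, values, br_start, br_end):
    """Return a list of problems for one /ByteRange array; empty means it looks sane."""
    a, b, c, d = values
    problems = []
    if a != 0:
        problems.append("first range does not start at offset 0")
    gap = pdf[b:c] if c >= b else b""
    if not HEX_STRING_RE.match(gap):
        # catches Signature Wrapping: anything but the /Contents string in the gap
        problems.append("gap between the ranges is not a single hex string")
    if c + d != len(pdf):
        # catches Incremental Saving: data appended after the signed ranges
        problems.append("ranges do not extend to end of file")
    covered = (a <= br_start and br_end <= b) or (c <= br_start and br_end <= c + d)
    if not covered:
        problems.append("/ByteRange array itself is not covered by the signature")
    return problems


def check_document(pdf):
    """Map each /ByteRange array offset to its list of problems."""
    return {start: check_byte_range(pdf, values, start, end)
            for values, start, end in find_byte_ranges(pdf)}


def build_signed_sample(sig_hex=b"3082DEADBEEF" + b"00" * 8):
    """Constructed toy file with a correct /ByteRange; the signature value is fake."""
    tail = b"\n>>\nendobj\ntrailer\n<< /Root 1 0 R >>\n%%EOF\n"

    def layout(b, c, d):
        return (b"%%PDF-1.7\n1 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
                % (b, c, d))

    contents = b"<" + sig_hex + b">"
    b = len(layout(0, 0, 0))          # fixed-width numbers keep the prefix length stable
    c = b + len(contents)
    return layout(b, c, len(tail)) + contents + tail


def incremental_saving_attack(pdf):
    """Simulated Incremental Saving Attack: append an update after the signed ranges."""
    return pdf + b"\n2 0 obj\n<< /Type /Annot /Contents (tampered) >>\nendobj\ntrailer\n<< /Root 2 0 R /Prev 0 >>\n%%EOF\n"


def signature_wrapping_attack(pdf):
    """Simulated Signature Wrapping Attack: keep the signed bytes intact, push the second
    range further down and put a new /Sig dictionary with a widened /ByteRange into the
    unsigned gap, so the hashed bytes are unchanged."""
    (a, b, c, d), _, _ = next(find_byte_ranges(pdf))
    head, contents, tail = pdf[:b], pdf[b:c], pdf[c:]

    def injected(c_new):
        return (b"\n3 0 obj\n<< /Type /Sig /ByteRange [0 %010d %010d %010d] /Contents "
                % (b, c_new, d)) + contents + b" >>\nendobj\n"

    c_new = c + len(injected(0))
    return head + contents + injected(c_new) + tail


if __name__ == "__main__":
    clean = build_signed_sample()
    for name, doc in [("clean", clean),
                      ("incremental saving", incremental_saving_attack(clean)),
                      ("signature wrapping", signature_wrapping_attack(clean))]:
        print(name, check_document(doc))
```

The gap test is deliberately stricter than comparing lengths: zero padding inside the /Contents hex string is still accepted, but an xref table or object placed in the gap is rejected even if the attacker managed to keep the gap length unchanged. In a real validator the array passed to check_byte_range must be the one reached through the trailer, and these checks are a precondition for, not a replacement of, verifying the CMS signature over the two ranges.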

