We analyzed all PDF applications, which we could identity for signature support. See the following table.
|Viewer||Windows||PDF Reader (Windows Store App)||N|
|Viewer||Windows||PDF Viewer Go||N|
|Viewer||Windows||PDF Viewer Plus||N|
|Viewer||Windows||Ultra PDF Viewer||N|
|Editor||multiple||Corel PDF Fusion||N|
|Viewer||Windows||eXpert PDF 12 Ultimate||Y|
|Viewer||Windows||Expert PDF Reader||Y|
|Viewer||Windows||Perfect PDF Viewer (Windows Store App)||Y|
|Viewer||Windows||PDF Experte 9 Ultimate||Y|
|Editor||multiple||iSkysoft PDF Editor pro||Y|
|Editor||multiple||Master PDF Editor||Y~|
|Editor||multiple||Nuance Power PDF||Y|
|Editor||multiple||Perfect PDF (Desktop Application)||Y|
|Editor||Windows||PDF Architect 6||Y|
+only signing supported
~only visible signatures supported
#verification with command line tool
*according to vendor's website, not manually verified!
In the first phase of our security evaluation we concentrated on pdf viewer and online validation services, since they give a clear indication wether the attack was successful. To this point, we did not analyze PDF libraries like poppler (pdfsig) or pdfbox, since different configurations are possible. For example, the validation of a signed pdf can be executed with different calls in pdfbox.
No, we only analyzed signatures in standard PDF version 1.7, without standards like PDF/A. Our exploits are using PDF version 1.4.
To test if our attacks can bypass your signature validation and/or your application logic, you can download the provided PoCs from our website and open the files. If your application can not detect the modification or shows no warning/error to the user that the document was modified after the signature creation your application is vulnerable.
Disclaimer: We provided a list of PoCs for which we know they can be used to bypass a set of applications. We created this PoCs over several months of intensive testing and fine tuning. Just because your application was able to detected all PoCs, it does not mean your application is secure against our attacks. To best of our knowledge you are only secure against such attacks, if you signature verification works as described in our paper in
You can download the exploits (example PDFs) here
Yes, despite the resistance of some of the authors we have one under Apache 2.0 license.
last updated: 2019/02/28 - 11:50 AM