New attack dubbed ‘PDFex’ can exfiltrate data from encrypted PDF files
- Dubbed ‘PDFex’, the attack comes in two technique variants - Data exfiltration and CBC Gadgets.
- The researchers tested the PDFex attack techniques against 27 widely used PDF viewers including Adobe Acrobat, Foxit Reader, Evince, Nitro, and Chrome and Firefox's built-in PDF viewers, and found all of them to be vulnerable.
Researchers have detailed a new attack that can exfiltrate data from encrypted Portable Document Format (PDF) files. Dubbed ‘PDFex’, the attack comes in two technique variants.
Key highlights
The researchers tested the PDFex attack techniques against 27 widely used PDF viewers including Adobe Acrobat, Foxit Reader, Evince, Nitro, and Chrome and Firefox's built-in PDF viewers, and found all of them to be vulnerable.
- An attacker can manipulate an encrypted PDF file, even without knowing the corresponding password.
- PDF encryption uses the Cipher Block Chaining (CBC) encryption mode with no integrity checks, this allows anyone to create self-exfiltrating ciphertext parts using CBC malleability gadgets.
- Most of the data formats allow us to encrypt only parts of the content. This encryption flexibility allows an attacker to include their own content, which can lead to exfiltration channels.
Two attack techniques
The two variants of PDFex attack include Direct Exfiltration and CBC Gadgets.
Data Exfiltration
This technique takes advantage of the fact that PDF apps don't encrypt the entirety of a PDF file, leaving some parts unencrypted. Thus, an attacker can modify the unencrypted field, add unencrypted objects, or wrap encrypted parts into a context controlled by the attacker. This can be done via PDF forms, or hyperlinks, or Javascript codes.
CBC Gadgets
In this technique, attackers use CBC gadgets to exfiltrate plaintext. PDF encryption generally defines no authenticated encryption, therefore, attackers can modify the plaintext data directly within an encrypted object, for example, by prefixing it with an URL.
“This attack has two necessary preconditions:
- Known plaintext: To manipulate an encrypted object using CBC gadgets, a known plaintext segment is necessary. For AESV3 – the most recent encryption algorithm – this plain- text is always given by the Perms entry. For older versions, known plaintext from the object to be exfiltrated is necessary.
- Exfiltration channel: One of the interactive features: PDF Forms or Hyperlinks,” researchers explained.
Unpatched Vulnerability In WordPress Plugin “Rich Reviews” Is Under Active Exploit
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Unpatched Vulnerability In WordPress Plugin “Rich Reviews” Is Under Active Exploit
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Almost a month ago,
researchers highlighted multiple WordPress plugins that had serious
vulnerabilities. Specifically, these plugins had numerous
vulnerabilities which the criminal hackers exploited for malicious
activities such as malvertising. Now, once again, researchers have
pointed out a vulnerability in another plugin, Rich Reviews which is
being actively exploited by attackers.
Unpatched Rich Reviews Plugin Vulnerability
Wordfence has once again spotted a serious malicious attack in the wild
abusing WordPress plugin. This time, it is the Rich Reviews plugin that
is under active exploit.
As revealed in their report, the plugin’s flaw has put around 16,000
websites at risk. These websites actively run the plugin, and are,
hence, vulnerable to unauthenticated attacks.
According to the researchers, the plugin Rich Reviews has ‘two core
issues’ that allow an adversary to exploit the flaw for XSS injections.
As stated in their report,
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Unpatched Vulnerability In WordPress Plugin “Rich Reviews” Is Under Active Exploit
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Unpatched Vulnerability In WordPress Plugin “Rich Reviews” Is Under Active Exploit
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Unpatched Vulnerability In WordPress Plugin “Rich Reviews” Is Under Active Exploit
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Unpatched Vulnerability In WordPress Plugin “Rich Reviews” Is Under Active Exploit
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/v
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/v
Unpatched Vulnerability In WordPress Plugin “Rich Reviews” Is Under Active Exploit
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Unpatched Vulnerability In WordPress Plugin “Rich Reviews” Is Under Active Exploit
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Unpatched Vulnerability In WordPress Plugin “Rich Reviews” Is Under Active Exploit
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Unpatched Vulnerability In WordPress Plugin “Rich Reviews” Is Under Active Exploit
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Attribution link: https://latesthackingnews.com/2019/10/01/__trashed-3/
Comments
Post a Comment