A signed PDF file is just like all signed files with embedded signatures: the signature itself is excluded from the hash calculation.
Open a signed PDF document in a hex editor and search for the string /ByteRange. You’ll find something like this:
36 0 obj
<</ByteRange[0 227012 248956 23362 ] /Contents<308226e106092a864886f7
This indicates which byte sequences are used for the hash calculation (position and length of each sequence). So in this example, byte sequence 227013-248955 is excluded, because it contains the signature in hex format padded with 0x00 bytes. This padding is not part of the DER signature; you can change it without changing or invalidating the signature.
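As an added example (not code from the original post), the following Python parses /ByteRange, hashes exactly the two covered ranges the way a verifier does, and shows that rewriting the padding inside the excluded span changes the file but not the signed digest. The sample PDF bytes are constructed inline and are not a real signed document.

```python
import hashlib
import re

BYTE_RANGE_RE = re.compile(rb"/ByteRange\s*\[\s*(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*\]")


def parse_byte_range(data):
    """Return (offset1, length1, offset2, length2) from the first /ByteRange."""
    m = BYTE_RANGE_RE.search(data)
    if m is None:
        raise ValueError("no /ByteRange found")
    return tuple(int(x) for x in m.groups())


def excluded_span(byte_range):
    """Half-open [start, end) span the hash does not cover: the /Contents hex string."""
    o1, l1, o2, _ = byte_range
    return o1 + l1, o2


def signed_digest(data, algo="sha256"):
    """Hash exactly the two covered ranges, which is what a verifier hashes."""
    o1, l1, o2, l2 = parse_byte_range(data)
    h = hashlib.new(algo)
    h.update(data[o1:o1 + l1])
    h.update(data[o2:o2 + l2])
    return h.hexdigest()


def build_sample_pdf(padding=b"00"):
    """Constructed, minimal PDF-like bytes (not a real signed PDF) with a
    consistent /ByteRange. The /Contents value is a fake DER prefix followed
    by padding; in a real file that padding is 0x00 bytes written in hex."""
    sig_hex = b"3082" + padding * 30
    head = b"%%PDF-1.4\n36 0 obj\n<</ByteRange[0 %06d %06d %06d ] /Contents"
    tail = b">>\nendobj\n%EOF\n"
    # Fixed-width fields keep the layout stable, so a zero-filled pass
    # measures the real offset of the '<' delimiter.
    start = len(head % (0, 0, 0))
    o2 = start + len(sig_hex) + 2            # skip '<', the hex digits and '>'
    return head % (start, o2, len(tail)) + b"<" + sig_hex + b">" + tail


def padding_edit_keeps_digest():
    """Rewriting the padding inside the excluded span changes the file
    but not the signed digest."""
    a, b = build_sample_pdf(b"00"), build_sample_pdf(b"ff")
    return a != b and signed_digest(a) == signed_digest(b)
```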
There’s something that I wanted to test out for quite some time, but kept postponing until recently. Adobe Reader will ask confirmation before it retrieves a URL when a PDF document contains an action to do so. But what about the Certificate Revocation List in a signed PDF document?
When you open a signed PDF document with Adobe Reader, the signature gets checked automatically. If the signature is not OK, for example because it doesn’t chain up to a trusted root CA, revocation checks are not performed. In other words, the CRL is not downloaded:
But when I change the settings so that my root CA is trusted, the signature is considered valid and the CRL is retrieved. No warning is given to the user, it happens automatically and silently. Here is the log entry on my server:
192.168.1.1 - - [26/Apr/2013:11:33:35 -0400] "GET /root.crl HTTP/1.1" 200 709 "-" "PPKHandler"
PPKHandler is the User Agent String.
The CRL file can’t be an empty file, and must be signed by the root CA, otherwise the signature is considered invalid.
So when you open a signed PDF document with Adobe Reader, the signature is automatically checked and the CRL is silently downloaded. This is done with a request to the webserver of the commercial CA which issued the certificate (crl.adobe.com, crl.geotrust.com, …). You can change automatic checking with Preferences / Signatures / Verification.
A quick check with Foxit Reader reveals it doesn’t check the signature automatically.
This is an update to my post Howto: Add a Digital Signature to a PDF File, but this time I found free software.
Again we use our certificate which we install (open the .p12 file). Install the free JSignPdf software.
Select the PDF file to sign and select an output file (if you don’t want to overwrite your original):
Push Sign It:
And then you can check the signature with Adobe Reader:
If you get the following error, make sure you change your PDF version from %PDF-1.1 to %PDF-1.4:
Choosen configuration requires PDF version update, but it’s not possible in the “append” signature mode.
This new version is a bugfix release for Python 3, plus I added a new name to the default report: /XFA
From version 0.4.1 on, you can also pass a URL or a ZIP file as argument to pdf-parser:
When you pass a URL as argument, pdf-parser will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.
Passing a ZIP file as argument instructs pdf-parser to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, pdf-parser will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.
Further changes are: bug fixes, performance improvements and a new option --content. This option lets you view the content of an object without its stream, or with the stream but without its filters applied.
A month before my PDF training at HITB, it’s time to release new versions of my pdf tools.
I start with PDFiD. From version 0.1.0 on, you can also pass a URL or a ZIP file as argument to PDFiD:
When you pass a URL as argument, PDFiD will download the PDF document and analyze it. The PDF document will not be written to disk. Supported protocols are http and https.
Passing a ZIP file as argument instructs PDFiD to open the ZIP file and analyze the first file it finds in the ZIP archive. If the ZIP file is password protected, PDFiD will try to access the compressed file with password infected. Same as with URLs, the PDF file in the ZIP container is not written to disk.
The ISSA Journal featured my article on Network Device Forensics, making it available to everyone.
And I’m giving a 2-day training on PDF at Hack In The Box Amsterdam 2013.
Last year I showed how to use a Teensy micro-controller to drop a PDF file with embedded executable. But I was limited to a file of a few kilobytes, because of the Arduino programming language I used for the Teensy.
In this post, I’m using WinAVR and I’m only limited by the amount of flash memory on my Teensy++.
First we use a new version of my PDF tools to create a PDF file with embedded file:
Filter i is exactly like filter h (ASCIIHexDecode), except that the lines of hex code are wrapped at 512 hex digits, making them digestible to our C compiler.
Another new feature of my make PDF tools is Python 3 support.
Here is a sample of our C code showing how to embed each line of the pure-ASCII PDF document as strings:
The PSTR macro makes the compiler store the string in flash memory. The embedded executable is 57 KB, but it still takes only half of the flash memory of my Teensy++.
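As an added example (not code from the original post or from the make PDF tools), this Python reproduces the two steps described above: the filter i encoding (ASCIIHexDecode wrapped at 512 hex digits), a decoder that handles the edge cases of the ASCIIHexDecode filter (whitespace, the > EOD marker, an odd trailing digit), and a helper that renders each line of the pure-ASCII PDF as a PSTR() C string literal for the Teensy source.

```python
import binascii

HEX_DIGITS = set(b"0123456789abcdefABCDEF")
PDF_WHITESPACE = b"\x00\t\n\x0c\r "


def asciihex_encode_wrapped(data, width=512):
    """Encode bytes as an ASCIIHexDecode stream with lines wrapped at `width`
    hex digits (filter i behaviour; 512 keeps each line short enough for a
    C string literal). The stream ends with the '>' EOD marker."""
    hexdata = binascii.hexlify(data).upper()
    lines = [hexdata[i:i + width] for i in range(0, len(hexdata), width)]
    return b"\n".join(lines) + b">"


def asciihex_decode(text):
    """Decode per the PDF spec: whitespace is ignored, '>' ends the data,
    an odd trailing digit is treated as if followed by '0', and any other
    character is an error."""
    digits = bytearray()
    for ch in text:
        if ch == ord(">"):
            break
        if ch in PDF_WHITESPACE:
            continue
        if ch not in HEX_DIGITS:
            raise ValueError("illegal character in ASCIIHex data: %r" % chr(ch))
        digits.append(ch)
    if len(digits) % 2:
        digits.append(ord("0"))
    return binascii.unhexlify(bytes(digits))


def as_c_string_lines(pdf_text):
    """Render each line of a pure-ASCII PDF as a PSTR("...") literal, the way
    the Teensy source embeds the document. Only '\\' and '"' need escaping
    because the input is plain ASCII."""
    out = []
    for line in pdf_text.split(b"\n"):
        escaped = line.replace(b"\\", b"\\\\").replace(b'"', b'\\"')
        out.append(b'PSTR("' + escaped + b'\\n")')
    return out
```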
After programming my Teensy++, I can fire up Notepad and let my Teensy++ type out the PDF document:
You can download my example for the WinAVR compiler here:
Pentesters need to drop files on targets. If a box is not connected to the Internet, and doesn’t accept removable storage, they need to come up with some tricks.
Inputting the file via the keyboard is an option, but typing several millions of bytes is not. This needs automation.
Irongeek uses a Teensy micro-controller to achieve this. My solution is a variation on this. If you need to drop a binary file, you need to find a way to convert the typed ASCII to bytes. There’s a solution with a debugger, but I’m using a PDF Reader.
It’s possible to create a pure ASCII PDF file that embeds a binary file. Here are the steps to drop a binary file:
- open Notepad
- insert the Teensy and let it type the ASCII PDF file into Notepad
- save the PDF file
- open it with a PDF Reader and save the embedded binary file
Writing a program with the Arduino IDE to type an ASCII PDF file is not difficult:
But with the Arduino IDE, your embedded file is limited to a couple of kilobytes. Handling larger files will be described in part 2 of this post.
After giving my Malicious PDF Analysis workshop at Hack In The Box Amsterdam, I decided to produce a screencast for each exercise (there are 20 exercises). You can find the first screencasts here. More will be produced soon.
Materials you’ll need for the exercises: