A proof-of-concept exploit working on Foxit (Version: 126.96.36.199938) can be downloaded here.
The story so far ...
In PDFs, there are multiple techniques to hide content that is not displayed when the document is opened. We, as attackers, usually hide malicious objects without referencing them in the xref section.
As a countermeasure, most vendors warn if additional content is added after signing the document. BUT … not always!!!
Also, PAdES defines Incremental Updates as part of the long-term validation of digitally signed PDFs.
In summary, Incremental Updates are painful from a security perspective. Currently, vendors are trying to estimate whether an Incremental Update is malicious or not by analyzing its content.
In 2020, we estimated that appending an xref section and a trailer is sufficient to bypass the detection mechanisms of popular applications such as Adobe Reader and Foxit Reader.
Trailer-based Shadow Attack
The Signer's view on the document
The document contains a hidden content depicted as red text – the 4 0 obj containing the text “You are fired. Get out immediately” and an xref section pointing to that object. However, the trailer references another xref section, see (1) and (2). Thus, the red text is never shown.
From the signer's perspective, there is no possibility to detect the hidden content by opening and reviewing the document.
As a result, the signer, for example the company director, signs the document.
The Victim's view on the document
The attacker appends only a trailer that points to the hidden malicious xref section (the red one). When the victim opens the document, the content “You are fired. Get out immediately” is shown.
However, the digital signature validation does not throw any warning since … well … what could go wrong if only a trailer is appended.
Honest vs. Malicious Trailer
Impact and Exploit
Foxit acknowledged the attack and published a security fix with the new version Foxit Reader 11.1.
If you think that your application might be vulnerable to the attack, then just download the exploit and test on your own.
Authors of this post