DESCRIPTION
Our highly secure file validation application using digital signatures has been abused. An attacker managed to upload an illegitimate file containing his bank account details and money was transfered there. We are unaware how this could have happened since after the file upload, the account details are verified and automatic transfers are done only on re-uploaded verified, signed documents. We have provided you with code samples from our system, help us trace down this issue. We have added a check in our development server to look for phrase "broken", which should replace the bank account number line in the signed document.
QUESTION
Generate and submit a pdf file, with the IBAN:
broken
that passes the all the checks.
Code sample of the application: http://10.195.165.94/cryptography/enc3/code_snippets
Development server: http://10.12.32.136:9000
SOLUTION
# script to craft MD5 collisions of 2 PDFs via mutool and UniColl
# Ange Albertini 2018
import os
import sys
import hashlib
def EnclosedString(d, starts, ends):
off = d.find(starts) + len(starts)
return d[off:d.find(ends, off)]
def getCount(d):
s = EnclosedString(d, "/Count ", "/")
count = int(s)
return count
def procreate(l): # :p
return " 0 R ".join(l) + " 0 R"
if len(sys.argv) == 1:
print("PDF MD5 collider")
print("Usage: pdf.py <file1.pdf> <file2.pdf>")
sys.exit()
os.system('mutool merge -o first.pdf %s' % sys.argv[1])
os.system('mutool merge -o second.pdf %s' % sys.argv[2])
os.system('mutool merge -o merged.pdf dummy.pdf %s %s' % (sys.argv[1], sys.argv[2]))
with open("first.pdf", "rb") as f:
d1 = f.read()
with open("second.pdf", "rb") as f:
d2 = f.read()
with open("merged.pdf", "rb") as f:
dm = f.read()
COUNT1 = getCount(d1)
COUNT2 = getCount(d2)
kids = EnclosedString(dm, "/Kids[", "]")
# we skip the first dummy, and the last " 0 R" string
pages = kids[:-4].split(" 0 R ")[1:]
template = """%%PDF-1.4
1 0 obj
<<
/Type /Catalog
%% for alignements (comments will be removed by merging or cleaning)
/MD5_is__ /REALLY_dead_now__
/Pages 2 0 R
%% to make sure we don't get rid of the other pages when garbage collecting
/Fakes 3 0 R
%% placeholder for UniColl collision blocks
/0123456789ABCDEF0123456789ABCDEF012
/0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0
>>
endobj
2 0 obj
<</Type/Pages/Count %(COUNT2)i/Kids[%(KIDS2)s]>>
endobj
3 0 obj
<</Type/Pages/Count %(COUNT1)i/Kids[%(KIDS1)s]>>
endobj
4 0 obj %% overwritten - was a fake page to fool merging
<< >>
endobj
"""
KIDS1 = procreate(pages[:getCount(d1)])
KIDS2 = procreate(pages[getCount(d1):])
with open("hacked.pdf", "wb") as f:
f.write(template % locals())
# adjust parents for the first set of pages
f.write(dm[dm.find("5 0 obj"):].replace("/Parent 2 0 R", "/Parent 3 0 R", COUNT1))
# let's adjust offsets - -g to get rid of object 4 by garbage collecting
# (yes, errors will appear)
os.system('mutool clean -gggg hacked.pdf cleaned.pdf')
with open("cleaned.pdf", "rb") as f:
cleaned = f.read()
# some mutool versions do different stuff :(
cleaned = cleaned.replace(
" 65536 f \n0000000016 00000 n \n",
" 65536 f \n0000000018 00000 n \n",
1)
with open("pdf1.bin", "rb") as f:
prefix1 = f.read()
with open("pdf2.bin", "rb") as f:
prefix2 = f.read()
file1 = prefix1 + "\n" + cleaned[192:]
file2 = prefix2 + "\n" + cleaned[192:]
with open("collision1.pdf", "wb") as f:
f.write(file1)
with open("collision2.pdf", "wb") as f:
f.write(file2)
assert hashlib.md5(file1).digest() == hashlib.md5(file2).digest()
os.remove('first.pdf')
os.remove('second.pdf')
os.remove('merged.pdf')
os.remove('hacked.pdf')
os.remove('cleaned.pdf')
Python