A binary chimera

Transcript

1. a binary chimera 3 headers & 1 data body in

   a single file Ange Albertini, March 2014

2. chimera kʌɪˈmɪərə,kɪ-/ noun 1. (in Greek mythology) a fire-breathing female

   monster with a lion's head, a goat's body, and a serpent's tail.
3. None

4. what is it ? a file that is: • a

   JPG • a PDF • a ZIP

5. that’s all? is it just 3 stacked formats ? if

   only >:-)

6. a binary chimera the image data is present only once:

   all 3 file formats rely on the same body. 1 data body, 3 different headers (PDF/ZIP/JPG) → chimera

7. why? • why not! • just a PoC for me

   ◦ but maybe a fixed bug for you it shows that • too many file format specs suck! ◦ which decreases our security

8. starting ideas • PDF can use unmodified JPG files ◦

   we just need to duplicate the JPG header ◦ and trick the JPG header to find its data ‘further’ than expected • ZIP can store data unmodified ◦ we just need to trick ZIP structure to find its file data within the PDF

9. magic signature • JPEG FF D8 offset 0 • PDF

   %PDF-1.x within range 0-1024 • ZIP PK\x03\x04 anywhere → our file starts with FF D8 at offset 0 we need to ‘hide’ the rest

10. hiding PDF/ZIP data from JPEG • JPEG is chunk-based (called

    segments) → add comment segments to cover PDF/ZIP syntax: FF FE <length:+2> <data>

11. hiding JPEG/ZIP data from PDF • PDF is not parsed

    until signature is met → the JPEG header is ignored • PDF is object-based • dummy stream objects to cover ZIP/JPG

12. PDF stream object <unused number> 0 obj <<>> stream <data>

    endstream endobj

13. Problem: in a ZIP, data is following LocalFileHeader start of

    PDF image object overlaps LocalFileHeader :( Solution: ZIP contains 2 filenames entries: • in CentralDirectory (important one) • in each LocalFileHeader (discardable) → abused LFH’s filename to overlap PDF object start (not 100% compatible)

14. elegance++ • cover extra data after JPEG end with superfluous

    comment segment • covert extra PDF data by extending ZIP archive comment (in EoCD)

15. summary

16. None

17. icing on the cake • all written by hand •

    generated in ASM • not specific to my JPEG/PDF/ZIP data as usual ;)

18. partial failure not fully “compatible” • ZIP LFH name corrupted

    :( ◦ 7z, ZipFile don’t support it • Adobe Reader blacklists JPEGs-starting PDFs → need to slightly corrupt JPEG header → some JPEG viewers don’t support it :( JPEG corrupted to let PDF open under Adobe easy to fix, would break Adobe

19. Conclusion • yet another kind of file format puzzle ◦

    new? • chimeras aren’t legend anymore :p • source & PoC ◦ http://corkami.googlecode.com/svn/trunk/src/chimera

20. ACK Binary masters • Julia Wolf, Jonas Magazinius, Gynvael Coldwind

    PoC||GTFO neighbors • Travis Goodspeed, Sergey Bratus Feedbackers • @munin @LeBurek @rfc1459 @InfoSec208 Promising jedi ;) • Dominique Bongard

21. Questions/suggestions? @angealbertini

22. Want more? read PoC||GTFO !