Colltris

Ange Albertini
Ange Albertini
1

View Slide

A workshop by LET’s PLAY
LET’s PLAY
A.K.A.
Ange Albertini
with files
2022/06/12
233 slides
2

View Slide

Welcome
I made this deck to share my knowledge, but also to learn from you.
The slides are public and have been improved several times whenever needed.
It may not cover all perspectives or answer all questions,
so feel free to
Reach me at @angealbertini or ✉ [email protected]
with questions, one-liners, suggestions...
Versions:
2019/07/02 150p (Pass The Salt)
2019/07/24 199p (Google)
2019/08/19 208p (Google)
2019/10/23 222p (Hack.lu)
2019/11/07 225p (Black Alps)
2019/12/03 229p (Google)
2022/06/12 233p
This desk's URL is:
https://speakerdeck.com/ange/colltris
Make sure you have the latest version.
Color blind ?
LMK if you're having
any troubles.
3

View Slide

TL;DR (for experts)
Hash collisions existed for more than a decade and are often misunderstood:
- exageration: "MD5 is broken, just don't use it!"
- understatement: "It always takes hours!"
Generating colliding files can be sped up (from hours to instant)
via tricks specific to some file formats: which ones, and why?
This workshop aims to clarify these topics (and avoid the crypto).
4
THE CURRENT SLIDE IS AN
A CORKAMI ORIGINAL PRODUCTION
HONEST TALK TRAILER

View Slide

Everybody is a genius.
But if you judge a fish by its ability to climb a tree,
it will live its whole life believing that it is stupid. not Albert Einstein
No gatekeeping,
no dogma,
no cult.
Don't show off, share knowledge.
It's just better for everyone.
Please be considerate.
5

View Slide

☐ Hash collisions attacks: FastColl/UniColl/HashClash/Shattered.
☐ File formats abuses: shuffling, parasites, polyglots.
☐ Hash functions: MD5/SHA1, blocks, length extension.
☐ File formats: magic, header, body, chunks, footer.
☐ Hexadecimal / ASCII / hex viewer / endianness.
Knowledge points checklist (✓/✗)
6

View Slide

Contents
Introduction
Goals
Basics
Prerequisites
Main
Coll
1
: FastColl
File formats basics
Coll
2
: UniColl
Exploit
1
: PNG
Coll
3
: HashClash*
Exploit
2
: PE
Coll
4
: Shattered
Coll
5
: Shambles
Final
Wrap up
Extras
Exploit
3
: GIF
There are only 5 existing
collisions attacks!
*HashClash is actually the name of the whole project.
But HashClashCPC is too long :)
7

View Slide

- Reversing since the 80's
- Author of Corkami
- PoC or GTFO*
About the author
Professionally
- malware analysis
- infosec research
my license plate is a CPU,
my phone case is a PDF doc,
my resume is a PDF/SNES/Genesis rom.
8
https://github.com/angea/pocorgtfo/blob/master/README.md

View Slide

Incident
Response
Black hat
White hat
DIGItal
PREServation
User
DEVelopment
9
...and I’m interested in all of them.
,
My life is about file formats - they're my toys.
There are various
(with a few things in common)
communities around
file formats

View Slide

Hash functions
(only 5 slides)
A gentle introduction to...
10

View Slide

Returns from any content a big fixed-size value, always different.
Impossible to guess a content from its hash value.
What’s a hash function? MD5, SHA1...
→ d41d8cd98f00b204e9800998ecf8427e
a → 01cc175b9c0f1b6a831c399e269772661
b → 92eb5ffee6ae2fec3ad71c777531578f
A → 7fc56270e7a70fa81a5935b72eacbe29
? ← d41d8cd98f00b204e9800998ecf8427f
? ← d41d8cd98f00b204e9800998ecf8427d
also called ‘checksum’
␣
11

View Slide

If two contents have the same hash,
they are (assumed to be) identical (if the hash is secure)
Hashes are used:
- to check passwords (compute input hash, compare with stored value)
Confidential - do not share → a59250af3300a8050106a67498a930f7
p4ssw0rd → 2a9d119df47ff993b662a8ef36f9ea20
- to validate content integrity
- to index files (ex: your pictures in the cloud)
12

View Slide

This example uses the crypt(3) hash.
...unless there is a hash collision:
two dif ferent contents with the same hash result.
$ python
[...]
>>> crypt.crypt("5dUD&66", salt="br")
'brokenOz4KxMc'
>>> crypt.crypt("O!>',%$", salt="br")
'brokenOz4KxMc'
>>> _
13

View Slide

Hash collision != password cracking
Password cracking (HashCat, John the Ripper):
finds a string that matches a value, a hash.
Hash collision (HashClash, Shattered):
Make Content
Good
and Content
Bad
with the same hash.
14

View Slide

What’s the extent of a hash collision?
It’s impossible to generate a file with predetermined hash
with MD5 or SHA1.
We can only generate two (or more) different files
that have the same hash.
With some file types, we can instantly generate files
that render the same way (via some tricks).
Cf Lessons from the history of attacks on secure hash-functions
(Pre-image attack)
But Maraca and Snefru were broken.
15

View Slide

Results 1/2
Instant MD5 collisions, with no recomputation
16
https://github.com/corkami/collisions
PDF
MP4
JPG
PNG

View Slide

Results - 2/2 (also DocX, GZIP, 3MF…)
GIF
PE
JP2
17

View Slide

Just new collisions?
Instant, reusable and generic collisions:
Take any pair of files, run script, get colliding files.
Ex: script -> output recording
In some cases (PDFs), the colliding files are 100% standard:
From a parser perspective,
the contents are unmodified: only the files’ structures are.
$ time ./png.py yes.png no.png
real 0m0.039s
user 0m0.025s
sys 0m0.017s
$ md5sum collision*.png
7af5775114be02b9b2594418a68a4cb8 collision1.png
7af5775114be02b9b2594418a68a4cb8 collision2.png
18

View Slide

Demystifying long-lasting myths
Hash collisions are usually perceived to apply only to:
1. a pair of files
2. of the same file type
3. Colliding files are expected to be very different.
19

View Slide

instant & generic PDF/PE/PNG/MP4 collision
A multi-type quartet of an executable, image, video, document.
https://github.com/angea/pocorgtfo/blob/master/README.md#0x19
A tree of 3 HashClash!
20

View Slide

A 60 page LaTeX-generated PDF...
...showing its MD5...
...showing the same MD5!
...also a NES rom...
Tiny change (text), same MD5
609 FastColls in the file!
<= alternate cover
but same MD5!
Mmm, seaf00d...
21

View Slide

Tiny change (background image), same SHA1
Two covers via a "dual-content" JPG
and 2 payloads via HTML polyglot
A 64 page LaTeX-generated PDF...
22

View Slide

Don't be fooled: shortcuts are necessary
Instant & generic collisions rely on attacks and file formats tricks.
Some formats have no suitable tricks.
-> no generic collisions for ELF, Mach-O, ZIP, TAR, Class…
These tricks will be reusable with future collision attacks:
the same JPEG trick was reused with 3 hash collisions (MD5, MalSHA1, Sha1)
23

View Slide

24

View Slide

- F ile formats structures and manipulations
- Understand hash collisions attacks and their exploits
- Create your own exploits
Goals of this workshop
their impacts and limits,
without all the internal details
A system that you study indexes f iles with MD5: what can you do?
25

View Slide

"No one uses MD5 anymore!" ?
https://citizenlab.ca/2019/07/cant-picture-this-2-an-analysis-of-wechats-realtime-image-filtering-in-chats/
26

View Slide

the Shattered attack
A computation of the attack documented in Stevens13
using a JPG in a PDF exploit
crypto attack
pwnie
best
CRYPTO17 paper
what this slide deck is about
(more details about shattered here)
You may have heard of…
nominated for
Péter Szőr award
Official paper
Presentations:
- Marc (crypto) video
- Pierre (computation) video / slides
- Elie (high level) video / slides
- Ange (file formats) video / slides 27

View Slide

Uses of hashes
- check if contents have changed:
✓ do nothing
✗ refresh file [if newer...]
- provide randomization:
✓user id
✗ crypto key
- match a file to a file/set (white/blacklisting, indexing)
✗ if the set is user-controlled
28

View Slide

*rendering-wise, not structure-wise.
Use cases
A system uses MD5 to index/check integrity. Is it safe?
Collide a normal* file with a malicious one.
You can even do it on the fly!
To get instant collisions, a few hours of research and computation is usually enough.
29

View Slide

Having troubles to convince?
Let f iles do the talking.
Threats? theory...
Exploits PoCs? reality!
Theoretical attacks to put in practice
immediate threat
30

View Slide

MD5 collisions: a good hacking chal lenge
Hacking a file format == reading + manipulating + abusing parsers
Crafting a re-usable collision requires all these skills, and leaves an undeniable proof.
A re-usable MD5 collision is a good & impactful exercise:
If the collision is instant, the files work and have the same MD5,
it sets in stone your knowledge of that file format,
and you have a proof (of concept).
31

View Slide

.Don't be scared…
Hash Functions
Attacks
on
https://www.cwi.nl/system/files/PhD-Thesis-Marc-Stevens-Attacks-on-Hash-Functions-and-Applications.pdf
-Crypto-
-Tales-
Crypto
Tales
-from the-
from the
32

View Slide

You don’t need to
understand
crypto
graphy
or maths...
(to be honest, I don’t either)
We'l l just use existing attacks:
FastColl, UniColl, HashClash, Shattered - yes, that’s al l!
33

View Slide

You don’t have to be an expert in f ile formats.
34

View Slide

header
Tail
Body
(less complex than some lego models)
You just need to know
their overall structure.
Leg
35

View Slide

Even this
is too much!
✗
✗
36

View Slide

✓
✓
PNG structure
You only need to understand the high level structure (not the whole thing)
37

View Slide

000: 89 .P .N .G \r \n ^Z \n 00 00 00 0D .I .H .D .R
010: 00 00 00 03 00 00 00 01 08 02 00 00 00 94 82 83
020: E3 00 00 00 15 .I .D .A .T 08 1D 01 0A 00 F5 FF
030: 00 FF 00 00 00 FF 00 00 00 FF 0E FB 02 FE E9 32
040: 61 E5 00 00 00 00 .I .E .N .D AE 42 60 82
89 .P .N .G \r \n ^Z \n 00 00 00 0D .I .H .D .R
94 82 83
E3 00 00 00 15 .I .D .A .T
E9 32
61 E5 00 00 00 00 .I .E .N .D AE 42 60 82
And we’l l ignore most contents, so we’l l just think in blocks.
38

View Slide

To be honest
Exploiting hash collisions
feels a bit like...
39

View Slide

COLLT IS
COLLT IS
COLLT IS
Ange Albertini
Ange Albertini
...playing a puzzle game!
40

View Slide

You just need to know
the rules of each block!
41

View Slide

For a simpler introduction to the topic, check this.slides / video
42

View Slide

43

View Slide

You know hexadecimal?
44

View Slide

You know ASCII?
A standard encoding:
characters <=> values
"A" <=> 0x41 = 65
"Z" <=> 0x5A = 90
"a" <=> 0x61 = 97
45

View Slide

Memory addresses
Memory addresses
01 23
->
Big digits f irst
<-
Little digits f irst
→ 0x0123 = 291
You know endianness?
01 23 → 0x2301 = 8961
PNG, JPG, MP4, Class
TIFF
ZIP, BMP, GZip
Executables: ARM (default), x86, x64
TIFF
Exists in both
endianness
Formats
Reading like many processors.
Reading like humans.
46

View Slide

You know hexadecimal viewers?
000: 89 .P .N .G \r \n ^Z \n 00 00 00 0D .I .H .D .R
010: 00 00 00 03 00 00 00 01 08 02 00 00 00 94 82 83
020: E3 00 00 00 15 .I .D .A .T 08 1D 01 0A 00 F5 FF
030: 00 FF 00 00 00 FF 00 00 00 FF 0E FB 02 FE E9 32
040: 61 E5 00 00 00 00 .I .E .N .D AE 42 60 82
Start in the
top-left corner +1
+0x10
Offsets
Contents
Kaitai
XXD/Hexedit/Okteta/Bvi/Dhex
Hex Fiend
HxD/Hiew
Web
Linux
Mac
Win
Recommended hex tools
Note: for this workshop, wrapping at 0x10 / 16 bytes is important.
47

View Slide

What are hash collisions in practice?
A computation that generates
two distinct contents with the same hash.
We can set the start of these contents - we'll see why.
A hash collision generates a lot of randomness!
-> the final hash is not known in advance.
48

View Slide

Prerequisites-
49

View Slide

https://github.com/cr-marcstevens/hashclash
Cuda is not required
HashClash
download source and compile, or
download release binaries
HashClash,
not HashCat.
May require psmisc
and autoconf-archive
Prerequisites 1/2
~/git/hashclash/bin$ ls md5*
md5_birthdaysearch md5_diffpathconnect md5_diffpathhelper
md5_diffpathbackward md5_diffpathforward md5_fastcoll
Check that the executables are there!
src/sha1attackgenerator/collfind.cpp:1266:64: warning:
[-Wshift-overflow=]
if (((Q20bu+(m15add<<20))&Q20mask)==Q20val && (((Q21b
A few warnings will happen but it's OK!:
50
To run your own computations:

View Slide

Can’t compile? Computation too slow?
Compiling and computing can be troublesome.
In case, all the computed examples of the slides are available:
https://github.com/corkami/collisions/tree/master/workshop/prefixes
So you can skip that step and focus on file manipulation (if you prefer).
OTOH you may want to at least try to run FastColl: it’s instant and never fails.
Even works with Wine w/ Windows binaries:
51
corkami:~$ wine ~/fastcoll_v1.0.0.5.exe
MD5 collision generator v1.5
by Marc Stevens (http://www.win.tue.nl/hashclash/)
Allowed options:
-h [ --help ] Show options.
-q [ --quiet ] Be less verbose.
-i [ --ihv ] arg Use specified initial value. Default is MD5 initial
value.
-p [ --prefixfile ] arg Calculate initial value using given prefixfile. Also
copies data to output files.
-o [ --out ] arg Set output filenames. This must be the last option
and exactly 2 filenames must be specified.
cf5600ab

View Slide

Hex editor, assembly, scripting…
Whatever rocks your boat and you’re familiar with.
A f ile format manipulation environment
A copy of Corkami/collisions
(contains materials for this workshop)
https://github.com/corkami/collisions
Prerequisites 2/2
Kaitai
XXD/Hexedit/Okteta/Bvi/Dhex
Hex Fiend
HxD/Hiew
Web
Linux
Mac
Win
Recommended hex tools
52
A copy of these slides (for readability if needed)
https://speakerdeck.com/ange/colltris

View Slide

Kaitai 101
If you’re not familiar with hex viewing:
53
A pretty awesome tool
with a great online viewer
(no modif ications of the f iles are allowed)
https://ide.kaitai.io

View Slide

Kaitai in a nutshell
- Uses YAML-based parsers. Many formats are already supported.
- Drop your file on the IDE, select the file format.
- if you modify the YAML source (for ex: to remove unneeded details),
the modified version is saved locally and reusable/downloadable.
Drawback: instantly fails on invalid files
(but you can fix that directly in the GUI).
54

View Slide

55

View Slide

hex viewer
YAML
editor
parsed
output
available
formats
Demo
samples
Your f iles
56

View Slide

If you're not familiar with format manipulations
- Skim through some specs. Get an idea of the high level structure.
- Look for possible shortcuts that a parser might take, such as:
- Secondary structures might be absent or corrupted -> parasitizing
- Structures order might not be enforced -> shuffling
- Check standard open-source implementations.
All the referenced scripts are on the Corkami GitHub: https://github.com/corkami/collisions
57

View Slide

01-fastcoll-1.bin .
0000 0000: 37 75 C1 F1 C4 A7 5A E7 9C E0 DE 7A 5B 10 80 26 7u....Z. ...z[..& .
0000 0010: 02 AB D9 39 C9 6C 5F 02 12 C2 7F DA CD 0D A3 B0 ...9.l_. ........ .
0000 0020: 8C ED FA F3 E1 A3 FD B4 EF 09 E7 FB B1 C3 99 1D ........ ........ .
0000 0030: CD 91 C8 45 E6 6E FD 3D C7 BB 61 52 3E F4 E0 38 ...E.n.= ..aR>..8 .
0000 0040: 49 11 85 69 EB CC 17 9C 93 4F 40 EB 33 02 AD 20 I..i.... [email protected] .
0000 0050: A4 09 2D FB 15 FA 20 1D D1 DB 17 CD DD 29 59 1E ..-... . .....)Y. .
0000 0060: 39 89 9E F6 79 46 9F E6 8B 85 C5 EF DE 42 4F 46 9...yF.. .....BOF .
0000 0070: C2 78 75 9D 8B 65 F4 50 EA 21 C5 59 18 62 FF 7B .xu..e.P .!.Y.b.{ .
01-fastcoll-2.bin ..
0000 0000: 37 75 C1 F1 C4 A7 5A E7 9C E0 DE 7A 5B 10 80 26 7u....Z. ...z[..& .
0000 0010: 02 AB D9 B9 C9 6C 5F 02 12 C2 7F DA CD 0D A3 B0 .....l_. ........ .
0000 0020: 8C ED FA F3 E1 A3 FD B4 EF 09 E7 FB B1 43 9A 1D ........ .....C.. .
0000 0030: CD 91 C8 45 E6 6E FD 3D C7 BB 61 D2 3E F4 E0 38 ...E.n.= ..a.>..8 .
0000 0040: 49 11 85 69 EB CC 17 9C 93 4F 40 EB 33 02 AD 20 I..i.... [email protected] .
0000 0050: A4 09 2D 7B 15 FA 20 1D D1 DB 17 CD DD 29 59 1E ..-{.. . .....)Y. .
0000 0060: 39 89 9E F6 79 46 9F E6 8B 85 C5 EF DE C2 4E 46 9...yF.. ......NF .
0000 0070: C2 78 75 9D 8B 65 F4 50 EA 21 C5 D9 18 62 FF 7B .xu..e.P .!...b.{ .
…..────────────────────┐
│Arrow keys move F find RET next difference ESC quit T move top │
│C ASCII/EBCDIC E edit file G goto position Q quit B move bottom │
└───────────────────────────────────────────────────────────────
───────┘
Efficient
diffing
58
VBinDiff
$ diff <(xxd 01-fastcoll-1.bin) <(xxd 01-fastcoll-2.bin)
2,4c2,4
< 00000010: 02ab d939 c96c 5f02 12c2 7fda cd0d a3b0 ...9.l_.........
< 00000020: 8ced faf3 e1a3 fdb4 ef09 e7fb b1c3 991d ................
< 00000030: cd91 c845 e66e fd3d c7bb 6152 3ef4 e038 ...E.n.=..aR>..8
---
> 00000010: 02ab d9b9 c96c 5f02 12c2 7fda cd0d a3b0 .....l_.........
> 00000020: 8ced faf3 e1a3 fdb4 ef09 e7fb b143 9a1d .............C..
> 00000030: cd91 c845 e66e fd3d c7bb 61d2 3ef4 e038 ...E.n.=..a.>..8
6,8c6,8
< 00000050: a409 2dfb 15fa 201d d1db 17cd dd29 591e ..-... ......)Y.
< 00000060: 3989 9ef6 7946 9fe6 8b85 c5ef de42 4f46 9...yF.......BOF
< 00000070: c278 759d 8b65 f450 ea21 c559 1862 ff7b .xu..e.P.!.Y.b.{
---
> 00000050: a409 2d7b 15fa 201d d1db 17cd dd29 591e ..-{.. ......)Y.
> 00000060: 3989 9ef6 7946 9fe6 8b85 c5ef dec2 4e46 9...yF........NF
> 00000070: c278 759d 8b65 f450 ea21 c5d9 1862 ff7b .xu..e.P.!...b.{

View Slide

Radiff (from Radare)
~/git/corkami/collisions/workshop/prefixes$ radiff2 -x 10*
offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x00000000! 6e6f0000000000000000000000000000 no.............. 79657300000000000000000000000000 yes.............
0x00000010 00000000000000000000000000000000 ................ 00000000000000000000000000000000 ................
0x00000020 00000000000000000000000000000000 ................ 00000000000000000000000000000000 ................
0x00000030! 00000000000000001971e7f70972fb06 .........q...r.. 0000000000000000b74638098a46f17b .........F8..F.{
0x00000040 f34526136660c801b92a75255a6723a6 .E&.f`...*u%Zg#. f34526136660c801b92a75255a6723a6 .E&.f`...*u%Zg#.
0x00000050 923deb8db0b757f1459f2295bec04375 .=....W.E."...Cu 923deb8db0b757f1459f2295bec04375 .=....W.E."...Cu
0x00000060! 9198a2d3e0fd59edd1c5fa0b79659751 ......Y.....ye.Q 9198a2d3e0fd59edd1c5fa0b7965974d ......Y.....ye.M
0x00000070 b3b3e40c110c9032de4ba14bb81b5ec8 .......2.K.K..^. b3b3e40c110c9032de4ba14bb81b5ec8 .......2.K.K..^.
0x00000080 25d38f19cd104307d9bbff8cb75a23f9 %.....C......Z#. 25d38f19cd104307d9bbff8cb75a23f9 %.....C......Z#.
...
0x000000a0! ba784000c37e93b231a36e2d34724ac9 [email protected]~..1.n-4rJ. ba784000c37e93b231a36e2d346a4ac9 [email protected]~..1.n-4jJ.
0x000000b0 534ec045361ec86a5698e6f0571d6198 SN.E6..jV...W.a. 534ec045361ec86a5698e6f0571d6198 SN.E6..jV...W.a.
0x000000c0 13fcffcd4d83a2d2bbb8dc042be2b883 ....M.......+... 13fcffcd4d83a2d2bbb8dc042be2b883 ....M.......+...
...
0x000000e0! 7d86e4351eb833eeea15d181fa9662ec }..5..3.......b. 7d86e4351eb833eeea15d181ba9662ec }..5..3.......b.
0x000000f0 7531fbda4fae246f67d6af109629fbc7 u1..O.$og....).. 7531fbda4fae246f67d6af109629fbc7 u1..O.$og....)..
0x00000100 a332bba9ead5e4ae1fc2fb234122b2e0 .2.........#A".. a332bba9ead5e4ae1fc2fb234122b2e0 .2.........#A"..
...
0x00000120! 8bc95c93a5efa4227d9a66516eedaf70 ..\...."}.fQn..p 8bc95c93a5efa4227d9a66516eedad70 ..\...."}.fQn..p
0x00000130 3290d4bd6792389bdc150dbfdc717227 2...g.8......qr' 3290d4bd6792389bdc150dbfdc717227 2...g.8......qr'
0x00000140 e05b43fa4459e860f7637ff0730ad4be .[C.DY.`.c..s... e05b43fa4459e860f7637ff0730ad4be .[C.DY.`.c..s...
...
0x00000160! e860db910013c91d7a619b9a5d60bd71 .`......za..]`.q e860db910013c91d7a619b9a5d5ebd71 .`......za..]^.q
0x00000170 231ad2bda6e038660b8cf599567963d6 #.....8f....Vyc. 231ad2bda6e038660b8cf599567963d6 #.....8f....Vyc.
0x00000180 6e5ed77ec34e9d5f6523c038c9555aa1 n^.~.N._e#.8.UZ. 6e5ed77ec34e9d5f6523c038c9555aa1 n^.~.N._e#.8.UZ.
...
...
0x00000220! e6186ee3f052e435836142357297cd8d ..n..R.5.aB5r... e6186ee3f052e435836142357297c58d ..n..R.5.aB5r...
0x00000230 4ff793685a705f5a043ad542c1fa0fe2 O..hZp_Z.:.B.... 4ff793685a705f5a043ad542c1fa0fe2 O..hZp_Z.:.B....
0x00000240 ae57dbaff151b8b73818ef2eb8a6a92c .W...Q..8......, ae57dbaff151b8b73818ef2eb8a6a92c .W...Q..8......,
...
0x00000260! 4f9cfa623d4246596732ec99da897a08 O..b=BFYg2....z. 4f9cfa623d4246596732ec99da897a88 O..b=BFYg2....z.
0x00000270 e7ade321ed3c4bc04d9f833cdc7fb70a ...!.~/git/corkami/collisions/workshop/prefixes$ radiff2 -x 10*
offset 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF 0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
0x00000000! 6e6f0000000000000000000000000000 no.............. 79657300000000000000000000000000 yes.............
0x00000010 00000000000000000000000000000000 ................ 00000000000000000000000000000000 ................
0x00000020 00000000000000000000000000000000 ................ 00000000000000000000000000000000 ................
0x00000030! 00000000000000001971e7f70972fb06 .........q...r.. 0000000000000000b74638098a46f17b .........F8..F.{
0x00000040 f34526136660c801b92a75255a6723a6 .E&.f`...*u%Zg#. f34526136660c801b92a75255a6723a6 .E&.f`...*u%Zg#.
0x00000050 923deb8db0b757f1459f2295bec04375 .=....W.E."...Cu 923deb8db0b757f1459f2295bec04375 .=....W.E."...Cu
0x00000060! 9198a2d3e0fd59edd1c5fa0b79659751 ......Y.....ye.Q 9198a2d3e0fd59edd1c5fa0b7965974d ......Y.....ye.M
0x00000070 b3b3e40c110c9032de4ba14bb81b5ec8 .......2.K.K..^. b3b3e40c110c9032de4ba14bb81b5ec8 .......2.K.K..^.
0x00000080 25d38f19cd104307d9bbff8cb75a23f9 %.....C......Z#. 25d38f19cd104307d9bbff8cb75a23f9 %.....C......Z#.
...
0x000000a0! ba784000c37e93b231a36e2d34724ac9 [email protected]~..1.n-4rJ. ba784000c37e93b231a36e2d346a4ac9 [email protected]~..1.n-4jJ.
0x000000b0 534ec045361ec86a5698e6f0571d6198 SN.E6..jV...W.a. 534ec045361ec86a5698e6f0571d6198 SN.E6..jV...W.a.
0x000000c0 13fcffcd4d83a2d2bbb8dc042be2b883 ....M.......+... 13fcffcd4d83a2d2bbb8dc042be2b883 ....M.......+...
...
0x000000e0! 7d86e4351eb833eeea15d181fa9662ec }..5..3.......b. 7d86e4351eb833eeea15d181ba9662ec }..5..3.......b.
0x000000f0 7531fbda4fae246f67d6af109629fbc7 u1..O.$og....).. 7531fbda4fae246f67d6af109629fbc7 u1..O.$og....)..
0x00000100 a332bba9ead5e4ae1fc2fb234122b2e0 .2.........#A".. a332bba9ead5e4ae1fc2fb234122b2e0 .2.........#A"..
...
0x00000120! 8bc95c93a5efa4227d9a66516eedaf70 ..\...."}.fQn..p 8bc95c93a5efa4227d9a66516eedad70 ..\...."}.fQn..p
0x00000130 3290d4bd6792389bdc150dbfdc717227 2...g.8......qr' 3290d4bd6792389bdc150dbfdc717227 2...g.8......qr'
0x00000140 e05b43fa4459e860f7637ff0730ad4be .[C.DY.`.c..s... e05b43fa4459e860f7637ff0730ad4be .[C.DY.`.c..s...
...
0x00000160! e860db910013c91d7a619b9a5d60bd71 .`......za..]`.q e860db910013c91d7a619b9a5d5ebd71 .`......za..]^.q
0x00000170 231ad2bda6e038660b8cf599567963d6 #.....8f....Vyc. 231ad2bda6e038660b8cf599567963d6 #.....8f....Vyc.
0x00000180 6e5ed77ec34e9d5f6523c038c9555aa1 n^.~.N._e#.8.UZ. 6e5ed77ec34e9d5f6523c038c9555aa1 n^.~.N._e#.8.UZ.
...
0x000001a0! 0260f662913470fec334546d7607ff1a .`.b.4p..4Tmv... 0260f662913470fec334546d76077f1a .`.b.4p..4Tmv...
0x000001b0 7353e60b08fb8280ad5f22151869b56e sS......._"..i.n 7353e60b08fb8280ad5f22151869b56e sS......._"..i.n
0x000001c0 bb06c3a7ff391552befed45cd2555a71 .....9.R...\.UZq bb06c3a7ff391552befed45cd2555a71 .....9.R...\.UZq
...
0x000001e0! 1f8a9ad842bf6c016a3926846c58e2e4 ....B.l.j9&.lX.. 1f8a9ad842bf6c016a3926847458e2e4 ....B.l.j9&.tX..
0x000001f0 00d4677b27bd936ddff0104a2b007e68 ..g{'..m...J+.~h 00d4677b27bd936ddff0104a2b007e68 ..g{'..m...J+.~h
0x00000200 1dded58a6789ea520c32bd30a28cbed0 ....g..R.2.0.... 1dded58a6789ea520c32bd30a28cbed0 ....g..R.2.0....
...
0x00000220! e6186ee3f052e435836142357297cd8d ..n..R.5.aB5r... e6186ee3f052e435836142357297c58d ..n..R.5.aB5r...
0x00000230 4ff793685a705f5a043ad542c1fa0fe2 O..hZp_Z.:.B.... 4ff793685a705f5a043ad542c1fa0fe2 O..hZp_Z.:.B....
0x00000240 ae57dbaff151b8b73818ef2eb8a6a92c .W...Q..8......, ae57dbaff151b8b73818ef2eb8a6a92c .W...Q..8......,
...
0x00000260! 4f9cfa623d4246596732ec99da897a08 O..b=BFYg2....z. 4f9cfa623d4246596732ec99da897a88 O..b=BFYg2....z.
0x00000270 e7ade321ed3c4bc04d9f833cdc7fb70a ...!.https://r2wiki.readthedocs.io/en/latest/tools/radiff2/
59

View Slide

60
60

View Slide

The f irst block in our game:
An Identical Pref ix Collision - FastColl
61

View Slide

Collision computing is a very random process
Many possible problems across the different attacks:
- variable computing time
- different results from each execution.
- final result might just not collide.
- computation might be stalled.
-> restart/backtracking might be required.
Warning
https://www.cwi.nl/system/files/PhD-Thesis-Marc-Stevens-Attacks-on-Hash-Functions-and-Applications.pdf#page=110
https://github.com/cr-marcstevens/hashclash/blob/master/src/md5fastcoll/main.cpp#L106
seed32_1 = uint32(time(NULL));
Ex: with
FastCo
ll
from 0.3 to 13s
on the same machine!
62

View Slide

63

View Slide

From nothing, generate 2 f iles with the same md5.
Create an empty f ile, run FastColl on it (recording).
bin$ md5_fastcoll -p empty
Using output filenames: 'msg1.bin' and 'msg2.bin'
Using prefixfile: 'empty'
Using initial value: 0123456789abcdeffedcba9876543210
Generating first block: .
Generating second block: W.....
Running time: 0.343 s
bin$ _
Mission
Example
bin$ touch empty
bin$ du -b empty
0 empty
bin$ _
64

View Slide

00: 37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26 7u┴±─ºZτ£α▐z[►Ç&
10: 02 AB D9 B9-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0 ☻½┘╣╔l_☻↕┬⌂┌═♪ú░
20: 8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 43 9A 1D îφ·≤ßú²┤∩○τ√▒CÜ↔
30: CD 91 C8 45-E6 6E FD 3D-C7 BB 61 D2-3E F4 E0 38 ═æ╚Eµn²=╟╗a╥>⌠α8
40: 49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20 I◄àiδ╠↨£ô[email protected]δ3☻¡
50: A4 09 2D 7B-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E ñ○-{§· ↔╤█↨═▌)Y▲
60: 39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE C2 4E 46 9ë₧÷yFƒµïà┼∩▐┬NF
70: C2 78 75 9D-8B 65 F4 50-EA 21 C5 D9-18 62 FF 7B ┬xu¥ïe⌠PΩ!┼┘↑b {
Our f irst hash collision
00: 37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26 7u┴±─ºZτ£α▐z[►Ç&
10: 02 AB D9 39-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0 ☻½┘9╔l_☻↕┬⌂┌═♪ú░
20: 8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 C3 99 1D îφ·≤ßú²┤∩○τ√▒├Ö↔
30: CD 91 C8 45-E6 6E FD 3D-C7 BB 61 52-3E F4 E0 38 ═æ╚Eµn²=╟╗aR>⌠α8
40: 49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20 I◄àiδ╠↨£ô[email protected]δ3☻¡
50: A4 09 2D FB-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E ñ○-√§· ↔╤█↨═▌)Y▲
60: 39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE 42 4F 46 9ë₧÷yFƒµïà┼∩▐BOF
70: C2 78 75 9D-8B 65 F4 50-EA 21 C5 59-18 62 FF 7B ┬xu¥ïe⌠PΩ!┼Y↑b {
- two blocks of 64 bytes
- totally random
- a few tiny differences
(Your results will be different) 65

View Slide

Try again in the same conditions -> different computation time.
bin$ md5_fastcoll -p empty
Using prefixfile: 'empty'
Using initial value: 0123456789abcdeffedcba9876543210
Generating first block: ........................
Generating second block: S10...............
bin$ _
Mission
66

View Slide

00: 1D 92 56 C9-34 F6 C6 F2-C9 0C 97 90-AA 16 55 2A ↔ÆV╔4÷╞≥╔♀ùÉ¬▬U*
10: 68 00 E7 C4-8C 56 39 E8-47 A6 80 A6-4D B0 2B F2 h τ─îV9ΦGªÇªM░+≥
20: F6 12 D2 E6-D0 AC 13 2D-EF FF F0 DC-13 90 DD 72 ÷↕╥µ╨¼‼-∩ ≡▄‼É▌r
30: 32 99 B0 BB-C7 65 A6 66-73 10 56 7C-9C 5F 45 8B 2Ö░╗╟eªfs►V|£_Eï
40: 61 76 C9 56-3E DF 7E 28-DB AB DC 64-B4 9A 44 00 av╔V>▀~(█½▄d┤ÜD
50: D3 4D BC 9E-80 1C B2 38-C9 B3 40 67-1A 60 A8 C6 ╙M╝₧Ç∟▓8╔│@g→`¿╞
60: D3 BB 48 08-AF 04 30 16-B8 01 10 5B-92 94 F9 1C ╙╗H◘»♦0▬╕☺►[Æö∙∟
70: 3D 3C C6 AC-FF 2C FD AD-DB 2C 2C CF-C1 06 9B 50 =<╞¼ ,²¡█,,╧┴♠¢P
00: 1D 92 56 C9-34 F6 C6 F2-C9 0C 97 90-AA 16 55 2A ↔ÆV╔4÷╞≥╔♀ùÉ¬▬U*
10: 68 00 E7 44-8C 56 39 E8-47 A6 80 A6-4D B0 2B F2 h τDîV9ΦGªÇªM░+≥
20: F6 12 D2 E6-D0 AC 13 2D-EF FF F0 DC-13 10 DE 72 ÷↕╥µ╨¼‼-∩ ≡▄‼►▐r
30: 32 99 B0 BB-C7 65 A6 66-73 10 56 FC-9C 5F 45 8B 2Ö░╗╟eªfs►Vⁿ£_Eï
40: 61 76 C9 56-3E DF 7E 28-DB AB DC 64-B4 9A 44 00 av╔V>▀~(█½▄d┤ÜD
50: D3 4D BC 1E-80 1C B2 38-C9 B3 40 67-1A 60 A8 C6 ╙M╝▲Ç∟▓8╔│@g→`¿╞
60: D3 BB 48 08-AF 04 30 16-B8 01 10 5B-92 14 F9 1C ╙╗H◘»♦0▬╕☺►[Æ¶∙∟
70: 3D 3C C6 AC-FF 2C FD AD-DB 2C 2C 4F-C1 06 9B 50 =<╞¼ ,²¡█,,O┴♠¢P
Our second colliding pair
- completely different
- still random-looking
-> let’s ignore the ASCII!
- differences at the same offsets
(that’s how it works)
67

View Slide

…a big pile of…-
computed randomness-
…with tiny differences.-
A hash collision is...-
(in the case of these MD5/SHA1 attacks)-
Reminder: the final hash is not known in advance.- 68

View Slide

1D 92 56 C9-34 F6 C6 F2-C9 0C 97 90-AA 16 55 2A
68 00 E7 44-8C 56 39 E8-47 A6 80 A6-4D B0 2B F2
F6 12 D2 E6-D0 AC 13 2D-EF FF F0 DC-13 10 DE 72
32 99 B0 BB-C7 65 A6 66-73 10 56 FC-9C 5F 45 8B
61 76 C9 56-3E DF 7E 28-DB AB DC 64-B4 9A 44 00
D3 4D BC 1E-80 1C B2 38-C9 B3 40 67-1A 60 A8 C6
D3 BB 48 08-AF 04 30 16-B8 01 10 5B-92 14 F9 1C
3D 3C C6 AC-FF 2C FD AD-DB 2C 2C 4F-C1 06 9B 50
1D 92 56 C9-34 F6 C6 F2-C9 0C 97 90-AA 16 55 2A
68 00 E7 C4-8C 56 39 E8-47 A6 80 A6-4D B0 2B F2
F6 12 D2 E6-D0 AC 13 2D-EF FF F0 DC-13 90 DD 72
32 99 B0 BB-C7 65 A6 66-73 10 56 7C-9C 5F 45 8B
61 76 C9 56-3E DF 7E 28-DB AB DC 64-B4 9A 44 00
D3 4D BC 9E-80 1C B2 38-C9 B3 40 67-1A 60 A8 C6
D3 BB 48 08-AF 04 30 16-B8 01 10 5B-92 94 F9 1C
3D 3C C6 AC-FF 2C FD AD-DB 2C 2C CF-C1 06 9B 50
37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26
02 AB D9 39-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0
8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 C3 99 1D
CD 91 C8 45-E6 6E FD 3D-C7 BB 61 52-3E F4 E0 38
49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20
A4 09 2D FB-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E
39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE 42 4F 46
C2 78 75 9D-8B 65 F4 50-EA 21 C5 59-18 62 FF 7B
37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26
02 AB D9 B9-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0
8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 43 9A 1D
CD 91 C8 45-E6 6E FD 3D-C7 BB 61 D2-3E F4 E0 38
49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20
A4 09 2D 7B-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E
39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE C2 4E 46
C2 78 75 9D-8B 65 F4 50-EA 21 C5 D9-18 62 FF 7B
...and these differences are always at the same offsets
Chosen specifically because of weaknesses in the hash function..
For more details, check https://www.youtube.com/watch?v=iKE7DJd-PwU
The last ones are sometimes missing!
69

View Slide

Now let’s add an input - our pref ix.
The content and length of the prefix is not important here (example recording).
bin$ md5_fastcoll -p prefix
Using prefixfile: 'prefix'
Using initial value: 05ca8309f7b553d58845a18ab918a64c
Generating first block: ....
Generating second block: S10.........
bin$ _
bin$ cat prefix
Here is a file with a few bytes
bin$ du -b prefix
31 prefix
bin$ _
File
70

View Slide

File
Padding
Mission
- padded to 64 bytes
- collision blocks appended
- differences at the same
relative offsets
Similar blocks - added after padding to 64 bytes
00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
40: CE 84 07 61 4B BA 7A 3D 3A EA 8A AA F8 EE 1D E5
50: 44 17 9B 70 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 CB BE 02
70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 88 31 5E 7A 1D
80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
90: 13 F2 BF 56 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 83 FB E0
B0: ED 18 67 0F C8 3A C9 A1 E7 48 F6 AA D2 5C 30 C0
00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
50: 44 17 9B F0 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 4B BF 02
70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 08 31 5E 7A 1D
80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
90: 13 F2 BF D6 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 03 FB E0
B0: ED 18 67 0F C8 3A C9 A1 E7 48 F6 2A D2 5C 30 C0
71

View Slide

MD5, SHA1 work by processing 64 bytes block, from start to end.
-> Appending the same thing
to two files with the same hash
will give files with the same hash.
Padded to 64 bytes?
Merkle–Damgård Construction
https://en.wikipedia.org/wiki/Merkle%E2%80%93Damg%C3%A5rd_construction
✓
✓ ✓
✓
at block
boundaries
Length extension attack
https://en.wikipedia.org/wiki/Length_extension_attack
72

View Slide

All current hash collisions attacks work with such alignment:
padding, then adding (at block boundaries) a number of blocks.
-> Via these attacks:
1. Every pair with the same hash will have the same length.
2. The end of the files is either identical (suffix),
Or high entropy, very similar and aligned to 64 bytes
(no suffix, just collision blocks).
Similarities of all current collision attacks
73

View Slide

We always work
with 64 bytes blocks.
It's really a block game!
Double-check your hex viewer wrapping!
(some viewers adjust their wrapping when you resize the window)
From now on...
74

View Slide

Hash collision
Computed your ﬁrst FastColl
Certificate (easy)
Ange Albertini
INSTRUCTOR
COLLT IS
75

View Slide

76
76

View Slide

Step 1/4 : the pref ix (optional)
PREFIX
Padding
77
We define the start of the file.
The collision computation will depend on it.
The prefix can be empty.
Its content and size make no difference at all.

View Slide

Step 2/4 : the padding (if needed)
PREFIX
Padding
78
We add some data to the prefix
to get a rounded size (a multiple of 64).
Its content doesn’t matter, only its length:
it just aligns things.

View Slide

Step 3/4 : the collision blocks
We compute a pair of blocks
full of randomness
with tiny differences.
Despite the differences,
the hash of both files is the same.
These collision blocks only work
for that exact prefix.
PREFIX
Padding
PREFIX
Padding
Differences
79

View Slide

Step 4/4 : the suffix
You can add anything to both sides
(not required).
The hash value will remain the same.
PREFIX
Padding
PREFIX
Padding
SUFFIX SUFFIX
80

View Slide

- takes a single input
- prefix and suffix will be identical:
-> files almost identical
-> exploitation depends only on
collision differences
-> two contents coexist in the same file.
An Identical Pref ix hash Collision
These properties are common to FastColl, Unicoll and Shattered.
81

View Slide

00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
50: 44 17 9B F0 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 4B BF 02
70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 08 31 5E 7A 1D
80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
90: 13 F2 BF D6 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 03 FB E0
B0: ED 18 67 0F C8 3A C9 A1 E7 48 F6 2A D2 5C 30 C0
00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
50: 44 17 9B 70 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 CB BE 02
70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 88 31 5E 7A 1D
80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
90: 13 F2 BF 56 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 83 FB E0
⇤ ⇥
#&%[email protected]
…‽…
…🛑?
What can we do
with this?
We can put whatever we want before and after the collision.
We need the following from the target file format:
Padding , for alignments
collision blocks’ randomness needs to be ignored
Differences needs to be taken into account
Several contents can co-exist
(usually appended data)
82

View Slide

- start and end aligned to 64 bytes
(via padding if needed)
- totally random
- tiny differences at fixed offsets
We can’t change these offsets.
(they depend on the hash function).
Hash collision blocks
These properties are common to all the attacks on MD5 or SHA1.
83

View Slide

📏
⌛
‽
-> hard to exploit!
The fastest,
but the most limiting.
FastColl
FastColl
00: 37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26
10: 02 AB D9 B9-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0
20: 8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 43 9A 1D
30: CD 91 C8 45-E6 6E FD 3D-C7 BB 61 D2-3E F4 E0 38
40: 49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20
50: A4 09 2D 7B-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E
60: 39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE C2 4E 46
70: C2 78 75 9D-8B 65 F4 50-EA 21 C5 D9-18 62 FF 7B
00: 37 75 C1 F1-C4 A7 5A E7-9C E0 DE 7A-5B 10 80 26
10: 02 AB D9 39-C9 6C 5F 02-12 C2 7F DA-CD 0D A3 B0
20: 8C ED FA F3-E1 A3 FD B4-EF 09 E7 FB-B1 C3 99 1D
30: CD 91 C8 45-E6 6E FD 3D-C7 BB 61 52-3E F4 E0 38
40: 49 11 85 69-EB CC 17 9C-93 4F 40 EB-33 02 AD 20
50: A4 09 2D FB-15 FA 20 1D-D1 DB 17 CD-DD 29 59 1E
60: 39 89 9E F6-79 46 9F E6-8B 85 C5 EF-DE 42 4F 46
70: C2 78 75 9D-8B 65 F4 50-EA 21 C5 59-18 62 FF 7B
two blocks
a few seconds
in the middle
(away from start or end)
84

View Slide

What makes exploiting Fastcoll so difficult?
Every collision differences is surrounded by random data:
-> it’s usually impossible to declare
a structure and its length in a single byte.
(such as a variable-length comment).
"Cheating" workaround:
some code (executable, javascript) checks
the difference in the collision block.
85

View Slide

Extra constraint can be added manually
inside FastColl source.
Cf PoCorGTFO 14:11
Thankfully, there is UniColl and its unique powers.
Workaround: bruteforcing
(bruteforcing the collision block output, not the hash value)
99 // change q17 until conditions are met on q18, q
100 unsigned counter = 0;
101 while (counter < (1 << 7))
102 {
103 const uint32 q16 = Q[Qoff + 16];
104 uint32 q17 = ((xrng64() & 0x3ffd7ff7) | (q16&
105 ++counter;
106
107 uint32 q18 = GG(q17, q16, Q[Qoff + 15]) + tt1
108 q18 = RL(q18, 9); q18 += q17;
109 if (0x00020000 != ((q18^q17)&0xa0020000))
110 continue;
111
112 uint32 q19 = GG(q18, q17, q16) + tt19;
113 q19 = RL(q19, 14); q19 += q18;
114 if (0x80000000 != (q19 & 0x80020000))
115 continue;
116
117 uint32 q20 = GG(q19, q18, q17) + tt20;
118 q20 = RL(q20, 20); q20 += q19;
119 if (0x00040000 != ((q20^q19) & 0x80040000))
120 continue;
121
122 block[1] = q17-q16; block[1] = RR(block[1], 5
123 uint32 q2 = block[1] + tt1; q2 = RL(q2, 12);
124 block[5] = tt5 - q2;
125
126 Q[Qoff + 2] = q2;
127 Q[Qoff + 17] = q17;
128 Q[Qoff + 18] = q18;
129 Q[Qoff + 19] = q19;
130 Q[Qoff + 20] = q20;
131 MD5_REVERSE_STEP(2, 0x242070db, 17);
https://github.com/cr-marcstevens/hashclash/blob/master/src/md5fastcoll/block0.cpp#L101
https://github.com/angea/pocorgtfo#0x14
86

View Slide

Instant computation
doesn’t give any
instant exploitation.
-> Instant exploitation relies on
pre-computed collisions and file format tricks.
Recap
87

View Slide

Basics of
f ile formats
(most)
88

View Slide

Typical structure
header : required at the start of the file.
It defines the file type, versions, metadata...
body comes after the header .
It's made of several chunks
that may be moved around.
footer follows the body .
It indicates that the file is complete.
Parsers ignore any following data.
89

View Slide

The “comment” block
Most format accept a comment block of some kind.
It usually can contain anything - not just text.
-> perfect to skip collision blocks or extra data.
They can be inserted several times - they’re just entirely skipped.
-> perfect for padding, collision blocks and extra data.
They are usually length-defined:
-> give them a variable length via collision blocks differences.
90

View Slide

clues
Most files have all body chunks in a perfect and optimal arrangement,
but parsers must be robust against weird structures or incomplete implementations.
-> In practice, they just parse chunks and collect data on the way.
And when a footer [or EOF ] is reached,
they check if they have enough data to render something.
If not the file is considered invalid.
Robust parsers are 'detectives'
Even if most files are perfectly structured,
robust parsers behave more like detectives.
91

View Slide

Die Kunst aufräumen - Ursus Wehrli
A standard file
(allegory)
92
Most f iles are
perfectly structured
They were generated
by one of the standard libraries,
in normal conditions,
and with typical requirements.
Corner cases

View Slide

Abusing 'detective'parsers
A detective looks for specific clues.
Since parsers behave like detectives,
we can move pieces of a file around,
split them, hide them among rubbles.
For most parsers,
the presence/completeness/order
of the files structures may not matter.
93

View Slide

HHHH
HHBB
BBBB
FFF
HHHH
HHCB
CBBB
CCCC
CCCC
BCBF
FF??
??
HHHH
HHCB
BBBB
BFFF
HHHH
HHCC
CCCC
CCBB
BBBB
FFF?
These f iles are equivalent
(from a parser perspective).
Same content, different structure. Turning one into another
is usually (very) easy.
Header
Comment
Body (chunks)
Footer
? Appended data
94

View Slide

Take two f iles…
(of the same file type)
95

View Slide

Plan a special
common header.
Same images dimensions? Color space?
Remove some features.
Flatten content.
etc...
96

View Slide

Compute the collision
for this header.
Padding and randomness with tiny differences.
These differences follow some patterns
that will be abused.
Margin errors have to be mitigated.
97

View Slide

Create a super f ile
combining both f iles’ data.
Both files’ Body and Footer are unmodified.
The header has to be a common ground.
The collision blocks differences will act like
a switch to toggle between each content.
98

View Slide

=
‽
=
Collision
Pref ix
Suffix
It’s an IPC, so
their hash value
is the same.
99

View Slide

It's like a ski slope
with 2 special jump ramps.
Collision
blocks
Landing A
Landing B
100

View Slide

Each colliding f ile
will render as
one of the original pair.
101

View Slide

102
102

View Slide

Now let’s look at
something different.
103

View Slide

Poetry...?
104

View Slide

Now we hash md5,
no enemy cares!
Only we gave
the shards.
...
A cryptico poem
https://github.com/Jurph/word-decrementer
105

View Slide

Now we hath md5,
no enemy dares!
Only we have
the shares.
...
Increment the 10th letter of each sentence.
(leading spaces are tolerated) 106

View Slide

Our second block - another Identical Pref ix Collision: UniColl.
107

View Slide

Run its script on a pref ix
scripts$ ./poc_no.sh prefix
MD5 differential path toolbox
Copyright (C) 2009 Marc Stevens
http://homepages.cwi.nl/~stevens/
delta_m[2] = [!8!]
In-block prefix words: 5
Parsed path:
Q-3:|01100111 01000101 00100011 00000001|
[...]
Found collision!
2b3663b299b72c6b40d13ccd6c905a7d collision1.bin
[...]
scripts$ _
Mission
scripts$ cat prefix
Here is my prefix!!\n
scripts$ du -b prefix
20 prefix
scripts$ _
words of 32 bits
https://github.com/cr-marcstevens/hashclash/releases
https://github.com/cr-marcstevens/hashclash/blob/master/scripts/poc_no.sh
⚠
Use exactly this prefix
for your first try!
108

View Slide

Sometimes, unicoll just... fails! Just re-run it then!
[...]
262144 9
370611 16
524288 19
Block 1: ./data/coll1_4205915269
53 75 43 d7 3b 33 9a fe e7 b7 ed bd ae a8 07 b9
f4 49 fa 94 34 01 54 db be 87 3c 39 af cd a1 82
c4 ea 3a f8 9b 7c ba d3 ac af 3d 47 a1 03 0d 34
7f ff 0c 58 92 bc 2b 8a a4 31 53 ee 2f 9b c1 f2
53 75 43 d7 3b 33 9a fe e7 b8 ed bd ae a8 07 b9
f4 49 fa 94 34 01 54 db be 87 3c 39 af cd a1 82
c4 ea 3a f8 9b 7c ba d3 ac af 3d 47 a1 03 0d 34
7f ff 0c 58 92 bc 2b 8a a4 31 53 ee 2f 9b c1 f2
Found collision!
[...]
t=12: 0% 10 20 30 40 50 60 70 80 90
|----|----|----|----|----|----|----|----|----|-
***********************************************
Best path: totcompl=-1000 tottunnel=0, totcond=104857
Verified: 17780 bad out of 17780
Runtime: 88.9094
MD5 differential path toolbox
Copyright (C) 2009 Marc Stevens
http://homepages.cwi.nl/~stevens/
delta_m[2] = [!8!]
Error: could not load path(s) in 'data/bestpath.bin.g
cat: 'data/coll1_*': No such file or directory
cat: 'data/coll2_*': No such file or directory
738994fa06fb97feec6de48887d6452d collision1.bin
3170e138bd0606df43c72d8051ba6184 collision2.bin
Happy end
Dead ends
[...]
65536 4
126153 8
131072 8
ed 3f f0 88 4c 9a fe 58 f7 68 48 1f 22 28 22 62
20 27 15 9e 1b da cf d4 df b7 7d e3 b4 a1 6c 33
26 2a 58 3e 50 ca c9 3f 84 37 52 65 37 b6 ac fb
9a f9 93 73 49 f9 df b7 48 84 29 c8 cb db 68 dc
ed 3f f0 88 4c 9a fe 58 f7 69 48 1f 22 28 22 62
20 27 15 9e 1b da cf d4 df b7 7d e3 b4 a1 6c 33
26 2a 58 3e 50 ca c9 3f 84 37 52 65 37 b6 ac fb
9a f9 93 73 49 f9 df b7 48 84 29 c8 cb db 68 dc
Found collision!
0b37822e3e06d0e69e2b12d5f742f6d6 collision1.bin
b7c77655f8a1d9b85c4ba7358939c9e4 collision2.bin
109

View Slide

Output of a UniColl computation
Characteristics:
- Two blocks
- A few minutes to compute
Important difference with FastColl:
- prefix as a part of the collision blocks (!!)
-> no padding
- differences:
10th char of prefix += 1 (!!)
10th char of 2nd block -= 1
00: .H .e .r .e . .i .s . .m .z . .p .r .e .f .i
10: .x .! .! \n 85 33 77 E3 4E 2D B4 F7 33 52 CD 17
20: 63 F0 24 11 8E 42 EE 0D 6D 73 1D 18 FA BA 3F 2D
30: 53 C6 C3 9E 17 F6 86 5F 44 EB 71 C4 24 FB 67 10
40: 53 75 43 D7 3B 33 9A FE E7 B7 ED BD AE A8 07 B9
50: F4 49 FA 94 34 01 54 DB BE 87 3C 39 AF CD A1 82
60: C4 EA 3A F8 9B 7C BA D3 AC AF 3D 47 A1 03 0D 34
70: 7F FF 0C 58 92 BC 2B 8A A4 31 53 EE 2F 9B C1 F2
00: .H .e .r .e . .i .s . .m .y . .p .r .e .f .i
10: .x .! .! \n 85 33 77 E3 4E 2D B4 F7 33 52 CD 17
20: 63 F0 24 11 8E 42 EE 0D 6D 73 1D 18 FA BA 3F 2D
30: 53 C6 C3 9E 17 F6 86 5F 44 EB 71 C4 24 FB 67 10
50: F4 49 FA 94 34 01 54 DB BE 87 3C 39 AF CD A1 82
110

View Slide

A hybrid IPC where:
- you can define the data around the first difference.
- you can set the first difference:
your text and your text +1
No other collision does that.
A true Unicorn of a collision
111

View Slide

Why +1 on the 10th character?
Because crypto
(due to specific MD5 properties)
No, you can't change it as you like.
The other working cases are not
as easy to exploit.
Other working cases:
https://www.cwi.nl/system/files/PhD-Thesis-Marc-Stevens-Attacks-on-Hash-Functions-and-Applications.pdf#page=200
112

View Slide

0000: .U .n .i .C .o .l .l . .2 . .p .r .e .f .i .x
0010: . .2 .0 .b 24 FA 3F 50 2F 7A B1 A7 04 DC 2F 39
0020: 07 E7 6F 33 B4 64 97 DD B1 95 8E F3 CB 60 18 B1
0030: 9F E9 DC B3 D8 03 FC 7C 52 40 8E 36 AF 0C 86 C7
0040: 8C 41 62 73 C9 B9 A7 EB 03 10 68 F0 5B 82 49 EE
0050: B6 77 D5 50 E2 B8 D7 A2 61 16 78 B0 35 24 1B 2F
0060: 5A 83 E2 E0 49 4F B7 0D 7D 7C E7 3F CC B7 F3 72
0070: 8A 55 71 A0 B2 34 6C 0E 45 EE 04 60 ED 33 62 BC
0000: .U .n .i C3 .o .l .l . .2 . .p .r .e .f .i .x
0010: . .2 .0 .b 24 FA 3F 50 2F 7A B1 27 04 DC 2F 39
0020: 07 E7 6F 33 B4 64 97 DD B1 95 8E F3 CB 60 18 B1
0030: 9F E9 DC B3 D8 03 FC 84 52 40 8E 36 AF 0C 86 C7
0040: 8C 41 62 F3 C9 B9 A7 EB 03 10 68 F0 5B 82 49 EE
0050: B6 77 D5 50 E2 B8 D7 A2 61 16 78 30 35 24 1B 2F
0060: 5A 83 E2 E0 49 4F B7 0D 7D 7C E7 3F CC B7 F3 72
0070: 8A 55 71 A0 B2 34 6C 06 45 EE 04 60 ED 33 62 BC
0000: .U .n .i .C .o .l .l . .3 . .p .r .e .f .i .x
0010: . .2 .0 .b EC D2 0C 56 2F 03 F6 66 D1 76 8F 87
0020: FF E4 7B EC F3 31 0A 65 66 B5 BD 6D F5 2B FD 1E
0030: 4D 2D 99 37 0C B6 1B D5 63 94 DC 2E DB 97 F2 10
0040: 22 BA 25 C4 F6 F7 EC C6 D7 0E DB 5D 18 DF 90 F9
0050: 6A C5 2A 0A CC 88 3C 7F 6C AE 24 71 F9 BF 76 17
0060: BE 60 AA DE 6F 0B 11 D0 52 E2 0E 85 BB 0B 8B 76
0070: A1 18 87 03 D2 9D 39 80 79 10 50 3F BC 17 65 01
0000: .U .n .i .C .o .l .l . .3 . .p .r .e .f .i .x
0010: . .2 .0 .b EC D2 0C 56 2F 04 F6 66 D1 76 8F 87
0020: FF E4 7B EC F3 31 0A E5 66 B5 BD 6D F5 2B FD 1E
0030: 4D 2D 99 37 0C B6 1B D5 63 94 DC 2E DB 97 F2 90
0040: 22 BA 25 C4 F6 F7 EC C6 D7 0E DB 5D 18 DF 90 F9
0050: 6A C5 2A 0A CC 88 3C 7F 6C AD 24 71 F9 BF 76 17
0060: BE 60 AA DE 6F 0B 11 50 52 E2 0E 85 BB 0B 8B 76
0070: A1 18 87 03 D2 9D 39 80 79 10 50 3F BC 17 65 81
With N=2:
- less predictable difference
+ 16 f ixed bytes after the f irst difference
With N=3:
Difference on the last byte
Other implemented variants:
cf https://github.com/cr-marcstevens/hashclash/blob/master/scripts/poc_no.sh#L29-L44
N=1: "--diffm2 9" [by default]
N=2: "--diffm13 28 --diffm0 32 --diffm6 32"
N=3: "--diffm6 9 --diffm9 32 --diffm15 32"
113

View Slide

The pref ix can be any size. Only its last block is integrated in the collision.
(remember: no padding)
00: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20: 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
30: 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
40: .h .e .r .e . .i .s . .m .y . .p .r .e .f .i
50: .x .! .! 0a .
00: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20: 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
30: 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
40: .h .e .r .e . .i .s . .m .y . .p .r .e .f .i
50: .x .! .! 0a a4 8e d8 3f ae 42 a5 6b 47 e1 b4 72
60: 7a 86 27 96 60 3a e6 9a 8a 37 7d 2f 8e ac a6 ad
70: fd 56 ff d8 23 59 1c 81 da 57 1c 84 ee f5 17 07
80: 39 f9 b5 e5 d8 a6 c4 02 89 df e2 c0 82 1e f8 fa
90: 1e c3 c4 3e 77 17 12 98 d6 78 ed 80 dc 4f 83 86
a0: 21 68 77 44 e2 dc 81 c8 69 33 eb 95 3a 60 08 a0
b0: 05 37 f7 cc 0b b1 ee 94 76 0c af da 18 8b c2 57
00: 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
10: 10 11 12 13 14 15 16 17 18 19 1A 1B 1C 1D 1E 1F
20: 20 21 22 23 24 25 26 27 28 29 2A 2B 2C 2D 2E 2F
30: 30 31 32 33 34 35 36 37 38 39 3A 3B 3C 3D 3E 3F
40: .h .e .r .e . .i .s . .m .z . .p .r .e .f .i
50: .x .! .! 0a a4 8e d8 3f ae 42 a5 6b 47 e1 b4 72
60: 7a 86 27 96 60 3a e6 9a 8a 37 7d 2f 8e ac a6 ad
70: fd 56 ff d8 23 59 1c 81 da 57 1c 84 ee f5 17 07
80: 39 f9 b5 e5 d8 a6 c4 02 89 de e2 c0 82 1e f8 fa
90: 1e c3 c4 3e 77 17 12 98 d6 78 ed 80 dc 4f 83 86
a0: 21 68 77 44 e2 dc 81 c8 69 33 eb 95 3a 60 08 a0
b0: 05 37 f7 cc 0b b1 ee 94 76 0c af da 18 8b c2 57
Pref ix
collision blocks
114

View Slide

Length multiple of 4 (otherwise it won't work as intended)
2nd rule of UniColl's last pref ix block
$ md5sum collision*
43a22967d7d6343da5c50da277f63f62 collision1.bin
43a22967d7d6343da5c50da277f63f62 collision2.bin
$ xxd prefix
00000000: 70 p
$ xxd collision1.bin | head -1
00000000: c830 2859 684c dc50 cbba 8f0f 8fa7 48ef .0(YhL.P......H.
$ md5sum collision*
47bc2a72c2885bcc624342fe8d3756fd collision1.bin
478ccf32058daf9d1fa44fd78959ed50 collision2.bin
$ xxd prefix
00000000: 7070 7070 pppp
$ xxd collision1.bin | head -1
00000000: 7070 7070 2c65 975b e9de 9dd9 98dc 7cd4 pppp,e.[......|.
If not,
the collision block doesn't start
with the prefix' content.
If its length is a multiple of 4,
the end of the prefix’s last block
is in the collision block.
115

View Slide

If that part is longer than 20 bytes,
it may never collide.
-> increase delays in the script.
3rd rule of UniColl's last pref ix block
$ diff poc_no.sh long_poc_no.sh
11c11
< data=200000
---
> data=1000000
56c56
< sleep 10
---
> sleep 120
116

View Slide

000: .H .e .r .e . .i .s . .m .y . .l .o .n .g .
010: .p .r .e .f .i .x .! \n 17 ef 03 3a 3b 0b d8 ba
020: 11 0c 27 fe 71 8c ec 39 ab 48 97 fb 81 8e 7a 50
030: 4c 5d 44 73 05 08 f7 ff 16 06 44 db ea 1c 8b 50
040: 70 f4 66 04 c8 23 16 b0 83 99 e5 76 09 92 13 f0
050: 3e 3e d2 bb d9 fb 3e 00 78 64 b4 89 af 98 fb bd
060: aa e1 03 6b 77 61 46 3b 84 d4 25 a7 3b 00 09 1a
070: 23 b9 e2 26 fd 35 6c d0 e4 56 a0 b5 fe 3d 28 47
000: .H .e .r .e . .i .s . .m .z . .l .o .n .g .
010: .p .r .e .f .i .x .! \n 17 ef 03 3a 3b 0b d8 ba
020: 11 0c 27 fe 71 8c ec 39 ab 48 97 fb 81 8e 7a 50
030: 4c 5d 44 73 05 08 f7 ff 16 06 44 db ea 1c 8b 50
040: 70 f4 66 04 c8 23 16 b0 83 98 e5 76 09 92 13 f0
050: 3e 3e d2 bb d9 fb 3e 00 78 64 b4 89 af 98 fb bd
060: aa e1 03 6b 77 61 46 3b 84 d4 25 a7 3b 00 09 1a
070: 23 b9 e2 26 fd 35 6c d0 e4 56 a0 b5 fe 3d 28 47
24 bytes:
real 2m21.203s
user 33m3.508s
sys 0m55.864s
Standard version
Slower version
000: .H .e .r .e . .i .s . .m .y . .l .o .n .g .
010: .p .r .e .f .i .x .! .0 .1 .2 .3 0a a5 4d 0a a2
020: 4a 9e 0e b1 20 bc df 89 bf ed d3 eb bb e2 e9 6f
030: e9 fa 24 39 02 42 4f 8b 77 77 8c 50 0f ff a7 86
040: b4 7a e4 de 00 27 f8 c7 ad ef b1 2d 25 35 f7 9f
050: fa 01 64 3c 06 8a 5b 66 ad 46 fa 5f 11 ea 91 c6
060: d3 70 11 45 57 dd 8a 0f b8 af 4d 0d d2 d2 40 43
070: 48 c0 22 4d 67 b9 b2 5b 0a 98 ff e0 7f d3 7b 6d
000: .H .e .r .e . .i .s . .m .z . .l .o .n .g .
010: .p .r .e .f .i .x .! .0 .1 .2 .3 0a a5 4d 0a a2
020: 4a 9e 0e b1 20 bc df 89 bf ed d3 eb bb e2 e9 6f
030: e9 fa 24 39 02 42 4f 8b 77 77 8c 50 0f ff a7 86
040: b4 7a e4 de 00 27 f8 c7 ad ee b1 2d 25 35 f7 9f
050: fa 01 64 3c 06 8a 5b 66 ad 46 fa 5f 11 ea 91 c6
060: d3 70 11 45 57 dd 8a 0f b8 af 4d 0d d2 d2 40 43
070: 48 c0 22 4d 67 b9 b2 5b 0a 98 ff e0 7f d3 7b 6d
28 bytes:
real 13m21.452s
user 227m35.496s
sys 3m27.896s
117

View Slide

📏
⌛
‽
Slightly slower,
but easy to exploit.
UniColl
UniColl
two blocks
A few minutes
In pref ix
00: .H .e .r .e . .i .s . .m .z . .p .r .e .f .i
10: .x .! .! \n 85 33 77 E3 4E 2D B4 F7 33 52 CD 17
20: 63 F0 24 11 8E 42 EE 0D 6D 73 1D 18 FA BA 3F 2D
30: 53 C6 C3 9E 17 F6 86 5F 44 EB 71 C4 24 FB 67 10
50: F4 49 FA 94 34 01 54 DB BE 87 3C 39 AF CD A1 82
00: .H .e .r .e . .i .s . .m .y . .p .r .e .f .i
10: .x .! .! \n 85 33 77 E3 4E 2D B4 F7 33 52 CD 17
20: 63 F0 24 11 8E 42 EE 0D 6D 73 1D 18 FA BA 3F 2D
30: 53 C6 C3 9E 17 F6 86 5F 44 EB 71 C4 24 FB 67 10
50: F4 49 FA 94 34 01 54 DB BE 87 3C 39 AF CD A1 82
118

View Slide

119

View Slide

Your f irst
hash collision exploit
120

View Slide

Prepare
1. Study format specs, look for features that you need.
2. Choose attack: FastColl, UniColl [tree]...
3. Plan your file structure (pen & specs).
Craft
4. Craft mockup files: check compatibility, CRCs…
5. Ignore collision ranges to simulate colliding files.
Compute
6. Extract prefixes from mockups.
7. Run computation(s).
Plan your exploit
⇤ ⇥
…‽…
…🛑?
A mockup f ile
before computation 121
Padding, for alignments
Collision blocks’ randomness needs to be ignored
Differences need to be taken into account
Two contents need to co-exist.

View Slide

What makes exploiting UniColl so easy?
The first difference is surrounded by chosen text:
no restrictions to declare a length before or after a type.
The difference is +1, which makes it trivial to plan the impact.
I.E. one chunk will be exactly 0x100 longer than the other,
which is bigger than the collision block
but doesn’t grow uncontrollably.
FastColl:
UniColl:
61 52 3E ⇔ 61 D2 3E
00 71 .c .O .L .L ⇔
01 71 .c .O .L .L
122

View Slide

1. A fixed-length comment for padding.
2. A variable length comment at the start of collision blocks.
3. Using collision blocks to grow this comment over a first file’s data,
followed by a second’s file data.
Layout of a classic collision+format exploitation
Collision
Alignment
Suffix
Pref ix
123
Signature Padding Collision Chunk
A
Chunk
B
Comment
Comment

View Slide

Case A (short comment)
Case B (long comment)
124

View Slide

Plan your generic exploit
Getting an exploit PoC (pair) is great to convince/test!
Making a script to instantly generate any PoC is even better!
Explore the format landscape, standard implementations.
Understand compatibility in depth.
125

View Slide

Making it generic
The size of {Chunk
A
} is unknown in advance.
-> one extra comment to jump over these chunks
with its declaration toggled by the variable comment
Collision
Alignment
Suf f ix
Pref ix
126

View Slide

Short collision comment
Long collision comment
A chain of three comments
Collision
Collision
‽
= =
127

View Slide

Generic exploitation is sometimes hard.
Identify required structures of the format.
Check structure sizes: constant? if not, what are the margins?
Explore tools and options:
Merging (PDF pages, GIF frames) then selectively hiding
is a quick way to normalize 2 contents.
Some minor tools’ output might be optimal for manipulation.
128

View Slide

Exploiting PNG
with UniColl
129

View Slide

The most regular of the common formats:
a signature then a sequence of chunks.
The Portable Network Graphics format
/ˌpiːɛnˈdʒiː/ PEE-en-JEE
/pɪŋ/ PING
Signature Chunk
130

View Slide

The PNG signature
- enforced at offet 0
- fixed, always the same 8 bytes:
89 50 4E 47 0D 0A 1A 0A
(Trivia) it's made of special characters to detect various errors:
\x89 P N G \r \n ^Z \n
End Of File
non ASCII
Line feed
Line feed
Carriage return
131

View Slide

The PNG format at chunk level
- the length , big endian on 4 bytes.
- the type , on 4 letters.
- the data , of the given length .
- the CRC of type and data .
- they are usually ignored
132

View Slide

Lower case-typed chunks are ignored
first letter:
- uppercase == critical:
Standard: IHDR Header / PLTE Palette / IDAT Data /IEND end
Non-standard: CgBI Apple custom PNG
- lowercase == secondary:
In the specs:
ignored if not in the specs: aLIG / cOLL / sKIP
http://www.libpng.org/pub/png/spec/1.2/PNG-Structure.html#Chunk-naming-conventions
bKGD cHRM gAMA hIST iCCP pHYs tIME
tRNS sBIT sPLT sRGB tEXt iTXt zTXt
133

View Slide

134
00000430: 8C F5 51 C6-58 1F 65 8C-F5 51 C6 58-1F 65 8C F5 î⌡Q╞X eî⌡Q╞X eî⌡
00000440: 51 C6 58 1F-65 8C F5 51-C6 58 1F 65-8C D5 51 C6 Q╞X eî⌡Q╞X eî╒Q╞
00000450: 58 13 65 8C-05 51 C6 58-10 65 8C F5-51 C6 58 1F X eî Q╞X eî⌡Q╞X
00000460: 65 8C F5 51-C6 58 1F 65-8C F5 51 C6-58 1F 65 8C eî⌡Q╞X eî⌡Q╞X eî
00000470: F5 51 C6 58-1F 65 8C F5-51 C6 58 1F-65 8C F5 51 ⌡Q╞X eî⌡Q╞X eî⌡Q
00000480: C6 58 1F 65-8C F5 51 C6-58 1F 65 8C-F5 51 C6 58 ╞X eî⌡Q╞X eî⌡Q╞X
00000490: 1F 65 8C F5-51 C6 58 1F-65 8C E5 51-76 CE 18 65 eî⌡Q╞X eîσQv╬ e
000004A0: 7D 8C 51 F6-D3 62 8C 32-C6 28 13 63-94 31 46 19 }îQ÷╙bî2╞( cö1F
000004B0: 63 94 89 31-CA 18 A3 EC-3B C7 18 65-8C 51 26 C6 cöë1╩ ú∞;╟ eîQ&╞
000004C0: 28 63 8C 32-C6 28 13 63-94 31 46 D9-F7 8E 31 CA (cî2╞( cö1F┘≈Ä1╩
000004D0: 18 A3 4C 8C-51 C6 18 65-8C 51 26 C6-28 63 8C 32 úLîQ╞ eîQ&╞(cî2
000004E0: 31 46 19 63-94 31 46 99-18 A3 8C 31-CA 18 A3 4C 1F cö1FÖ úî1╩ úL
000004F0: 8C 51 C6 18-65 62 8C 32-C6 28 63 8C-32 31 46 19 îQ╞ ebî2╞(cî21F
00000500: 63 94 31 46-99 18 A3 8C-31 CA C4 18-65 8C 51 C6 cö1FÖ úî1╩─ eîQ╞
00000510: 18 65 62 8C-32 C6 28 63-8C 32 31 46-19 63 94 89 ebî2╞(cî21F cöë
00000520: 31 CA 18 A3-8C 31 CA C4-18 65 8C 51-C6 98 28 63 1╩ úî1╩─ eîQ╞ÿ(c
00000530: 8C 32 C6 28-13 63 94 31-46 19 63 94-89 31 CA 18 î2╞( cö1F cöë1╩
00000540: A3 8C 31 51-C6 18 65 8C-51 C6 98 28-63 8C 32 C6 úî1Q╞ eîQ╞ÿ(cî2╞
00000550: 28 13 63 94-31 46 19 63-A2 8C 31 CA-18 A3 8C 31 ( cö1F cóî1╩ úî1
00000560: 51 C6 18 65-8C 89 32 C6-28 63 8C 32-C6 44 19 63 Q╞ eîë2╞(cî2╞D c
00000570: 94 31 46 19-63 A2 8C 31-CA 18 13 65-8C 51 C6 18 ö1F cóî1╩ eîQ╞
00000580: 65 8C 89 32-C6 28 63 8C-32 C6 44 19-63 94 31 26 eîë2╞(cî2╞D cö1&
00000590: CA 18 A3 8C-31 CA 18 13-65 8C 51 C6-18 65 8C 89 ╩ úî1╩ eîQ╞ eîë
000005A0: 32 C6 28 63-4C 94 31 46-19 63 94 31-26 CA 18 A3 2╞(cLö1F cö1&╩ ú
000005B0: 8C 31 BD 54-19 63 A2 8C-31 CA 18 D3-C5 E5 2F 34 î1╜T cóî1╩ ╙┼σ/4
000005C0: 76 FE EF FB-24 3B 99 18-A3 8C 31 CA-E4 9F 4C 8C v■∩√$;Ö úî1╩ΣƒLî
000005D0: 51 C6 18 65-62 8C 32 C6-28 63 8C 32-31 46 19 63 Q╞ ebî2╞(cî21F c
000005E0: 94 89 31 CA-18 A3 8C 31-CA C4 18 65-8C 51 C6 18 öë1╩ úî1╩─ eîQ╞
000005F0: 65 62 8C 32-C6 28 13 63-94 31 46 19-63 94 89 31 ebî2╞( cö1F cöë1
00000600: CA 18 A3 8C-31 CA C4 18-65 8C 51 26-C6 28 63 8C ╩ úî1╩─ eîQ&╞(cî
00000610: 32 C6 28 13-63 94 31 46-19 63 94 89-31 CA 18 A3 2╞( cö1F cöë1╩ ú
00000620: 4C 8C 51 C6-18 65 8C 51-26 C6 28 63-8C 32 C6 44 LîQ╞ eîQ&╞(cî2╞D
00000630: 19 63 94 31-46 99 18 A3-8C 31 CA 18-A3 4C 8C 51 cö1FÖ úî1╩ úLîQ
00000640: C6 18 65 8C-89 32 C6 28-63 8C 32 C6-44 19 63 94 ╞ eîë2╞(cî2╞D cö
00000650: 31 46 99 18-A3 8C 31 CA-18 13 65 8C-51 C6 18 65 1FÖ úî1╩ eîQ╞ e
00000660: 8C 89 32 C6-28 63 4C 94-31 46 19 63-94 31 26 CA îë2╞(cLö1F cö1&╩
00000670: 18 A3 8C 31-CA 18 13 65-8C 51 C6 98-28 63 8C 32 úî1╩ eîQ╞ÿ(cî2
00000680: C6 28 63 4C-94 31 46 19-63 94 31 26-CA 18 A3 8C ╞(cLö1F cö1&╩ úî
00000690: 31 51 C6 18-65 8C 51 C6-98 28 63 8C-32 C6 28 63 1Q╞ eîQ╞ÿ(cî2╞(c
000006A0: 4C 94 31 46-19 63 A2 8C-31 CA 18 A3-8C 31 51 C6 Lö1F cóî1╩ úî1Q╞
000006B0: 18 65 DF D4-98 28 63 8C-32 C6 44 19-63 94 31 46 e▀╘ÿ(cî2╞D cö1F
000006C0: 19 63 A2 8C-31 CA BE BF-31 51 C6 18-65 8C 89 32 cóî1╩╛┐1Q╞ eîë2
000006D0: C6 28 63 8C-32 C6 44 19-63 94 31 A6-1F A7 8C B1 ╞(cî2╞D cö1ª ºî▒
000006E0: 73 CA 18 8B-3B 38 3C A0-8C B1 7A 1A-94 D5 31 46 s╩ ï;8<áî▒z ö╒1F
000006F0: 59 1F 63 94-F5 31 46 59-1F 63 94 F5-31 46 59 1F Y cö⌡1FY cö⌡1FY
00000700: 63 94 F5 31-46 59 1F 63-94 F5 31 46-59 1F 63 94 cö⌡1FY cö⌡1FY cö
00000710: F5 31 46 59-1F 63 94 F5-31 46 59 1F-63 94 F5 31 ⌡1FY cö⌡1FY cö⌡1
00000720: 46 59 1F 63-94 F5 31 46-59 1F 63 94-F5 31 46 59 FY cö⌡1FY cö⌡1FY
00000730: 1F 63 94 F5-31 46 59 1F-63 94 D5 31-46 59 1D 63 cö⌡1FY cö╒1FY c
00000740: 94 D5 31 46-59 1D 63 94-D5 31 46 59-1D 63 94 D5 ö╒1FY cö╒1FY cö╒
00000750: 31 46 59 1D-63 94 D5 31-46 59 1D 63-94 D5 31 46 1FY cö╒1FY cö╒1F
00000760: 59 1D 63 94-D5 31 46 59-1D 63 94 D5-31 46 59 1D Y cö╒1FY cö╒1FY
00000770: 63 94 D5 31-46 59 1D 63-94 D5 31 46-59 1D 63 94 cö╒1FY cö╒1FY cö
00000780: D5 31 46 59-6E 8C 31 CA-62 65 8C DD-45 D9 EB 63 ╒1FYnî1╩beî▌E┘δc
00000790: 2C 8C 32 C6-6A 63 94 DD-C5 58 1C 65-8C F5 51 C6 ,î2╞jcö▌┼X eî⌡Q╞
000007A0: 58 1F 65 8C-F5 51 C6 58-1F 65 8C F5-51 C6 58 1F X eî⌡Q╞X eî⌡Q╞X
000007B0: 65 8C F5 51-C6 58 1F 65-8C F5 51 C6-58 1F 65 8C eî⌡Q╞X eî⌡Q╞X eî
000007C0: F5 51 C6 58-1F 65 8C F5-51 C6 58 1F-65 8C F5 51 ⌡Q╞X eî⌡Q╞X eî⌡Q
000007D0: C6 58 1F 65-8C F5 51 C6-58 1F 65 8C-F5 51 C6 58 ╞X eî⌡Q╞X eî⌡Q╞X
000007E0: 1F 65 8C F5-51 C6 58 1D-65 8C D5 51-C6 58 1D 65 eî⌡Q╞X eî╒Q╞X e
000007F0: 8C D5 51 C6-58 1D 65 8C-D5 51 C6 58-1D 65 8C D5 î╒Q╞X eî╒Q╞X eî╒
00000800: 51 C6 58 1D-65 8C D5 51-C6 58 1D 65-8C D5 51 C6 Q╞X eî╒Q╞X eî╒Q╞
00000810: 58 1D 65 8C-D5 51 C6 58-1D 65 8C D5-51 C6 58 1D X eî╒Q╞X eî╒Q╞X
00000820: 65 8C D5 51-C6 58 1D 65-8C D5 51 C6-58 1E 65 A7 eî╒Q╞X eî╒Q╞X eº
00000830: 8C D5 51 F6-9F 31 CA D2-4E AE B9 A5-83 01 00 00 î╒Q÷ƒ1╩╥N«╣Ñâ
00000840: 00 06 42 F3-A7 DE F3 1C-8A A1 01 CB-A0 63 2D A3 B≤º▐≤ èí ╦ác-ú
00000850: 8E B5 0C 3D-06 2C 03 8E-B5 4C 39 C6-2D 03 8E B5 Ä╡ = , Ä╡L9╞- Ä╡
00000860: CC 3C 06 2C-03 8E B5 CC-3C 06 2C 03-8E B5 CC 3C ╠< , Ä╡╠< , Ä╡╠<
00000870: 06 2C 03 8E-B5 CC 3C 06-2C 03 8E B5-CC 3C 06 2C , Ä╡╠< , Ä╡╠< ,
00000880: 03 8E B5 CC-3C 06 2C 03-8E B5 CC 3C-06 2C 03 8E Ä╡╠< , Ä╡╠< , Ä
00000890: B5 CC 3C 06-2C 03 8E B5-CC 3C 06 2C-03 8E B5 4C ╡╠< , Ä╡╠< , Ä╡L
000008A0: 3A 06 2C 03-8E 01 CB C4-63 2D 03 8E-01 CB C4 63 : , Ä ╦─c- Ä ╦─c
000008B0: 2D 03 8E 01-CB C4 63 2D-03 8E 01 CB-A4 63 C0 B2 - Ä ╦─c- Ä ╦ñc└▓
000008C0: 8E 41 CB A4-63 C0 B2 8E-41 CB A4 63-C0 B2 8E 41 ÄA╦ñc└▓ÄA╦ñc└▓ÄA
000008D0: CB A4 63 C0-B2 8E BD 5D-3A B4 61 20-08 A2 28 B6 ╦ñc└▓Ä╜]:┤a ó(╢
000008E0: 20 FD D7 1C-38 FC 23 EB-F4 5C 83 F7-65 1D 6B D9 ²╫ 8ⁿ#δ⌠\â≈e k┘
000008F0: 7E 6C 5B D6-B1 96 ED C7-6E 59 C7 5A-B6 1F DB 97 ~l[╓▒ûφ╟nY╟Z╢ █ù
00000900: 75 AC 65 FB-B1 7D 59 C7-5A 76 C7 F6-65 1D 6B D9 u¼e√▒}Y╟Zv╟÷e k┘
00000910: 7E 6C 5F D6-B1 96 ED C7-6E 59 C7 5A-B6 1F DB 97 ~l_╓▒ûφ╟nY╟Z╢ █ù
00000920: 75 AC 65 DB-B1 61 59 C7-5A 36 1C 1B-96 75 AC 65 u¼e█▒aY╟Z6 ûu¼e
00000930: FB B1 5B D6-B1 96 0D C7-86 65 1D 6B-D9 70 6C 58 √▒[╓▒û ╟åe k┘plX
00000940: D6 B1 96 0D-C7 86 65 1D-6B D9 70 6C-58 D6 B1 96 ╓▒û ╟åe k┘plX╓▒û
00000950: DD 31 60 19-70 AC 65 F2-B1 5B D6 B1-96 0D C7 86 ▌1` p¼e≥▒[╓▒û ╟å
00000960: 65 1D 6B D9-70 6C 58 D6-B1 96 DD 31-60 19 72 AC e k┘plX╓▒û▌1` r¼
00000970: 65 FE B1 5B-D6 B1 96 DD-31 60 19 74-AC 65 FE B1 e■▒[╓▒û▌1` t¼e■▒
00000980: 5B D6 B1 96-DD 31 60 19-75 AC 65 FE-B1 5B D6 B1 [╓▒û▌1` u¼e■▒[╓▒
00000990: 96 DD 31 60-19 75 AC 65-FE B1 5B 46-1D 6B 99 75 û▌1` u¼e■▒[F kÖu
000009A0: CC 5F E6 1F-6B D9 1D F3-97 F9 C7 5A-36 1C F3 97 ╠_µ k┘ ≤ù∙╟Z6 ≤ù
000009B0: F9 C7 5A 76-C7 FC 65 FE-B1 96 0D C7-FC 65 FE B1 ∙╟Zv╟ⁿe■▒û ╟ⁿe■▒
000009C0: 96 FD DE 03-96 F1 C7 5A-E6 1F BB 65-D4 B1 96 01 û²▐ û±╟Zµ ╗e╘▒û
000009D0: C7 DC 65 FE-B1 96 DD 31-65 99 7F AC-65 FE B1 5B ╟▄e■▒û▌1eÖ¼e■▒[
000009E0: 46 1D 6B 19-70 4C 5C E6-1F 6B D9 1D-B3 96 F9 C7 F k pL\µ k┘ │û∙╟
000009F0: 5A E6 1F BB-65 D4 B1 96-01 C7 C8 65-FE B1 96 DD Zµ ╗e╘▒û ╟╚e■▒û▌
00000A00: 31 6A 99 7F-AC 65 FE B1-5B 46 1D 6B-19 70 4C 59 1jÖ¼e■▒[F k pLY
00000A10: E6 1F 6B D9-1D 73 97 F9-C7 5A E6 1F-BB 65 D4 B1 µ k┘ sù∙╟Zµ ╗e╘▒
00000A20: 96 01 C7 80-65 FC B1 96-DD 31 77 99-7F AC 65 FB û ╟Çeⁿ▒û▌1wÖ¼e√
00000A30: 31 7F 99 7F-AC 65 77 4C-5F E6 1F 6B-D9 7E CC 5F 1Ö¼ewL_µ k┘~╠_
00000A40: E6 1F 6B D9-1D F3 97 F9-C7 5A E6 1F-BB 65 F6 B1 µ k┘ ≤ù∙╟Zµ ╗e÷▒
00000A50: 96 ED C7 FC-65 FE B1 96-F9 C7 6E 99-7D AC 65 FB ûφ╟ⁿe■▒û∙╟nÖ}¼e√
00000A60: 31 7F 99 7F-AC 65 FE B1-5B 66 1F 6B-D9 7E CC 5F 1Ö¼e■▒[f k┘~╠_
00000A70: E6 1F 6B 99-7F EC 96 D9-C7 5A B6 1F-F3 97 F9 C7 µ kÖ∞û┘╟Z╢ ≤ù∙╟
00000A80: 5A E6 1F BB-65 F6 B1 96-ED C7 FC 65-FE B1 96 F9 Zµ ╗e÷▒ûφ╟ⁿe■▒û∙
00000A90: C7 6E 19 75-AC 65 D3 31-7F 19 75 AC-65 D3 31 7F ╟n u¼e╙1 u¼e╙1
00000AA0: 19 75 AC 65-D3 31 7F 19-75 AC 65 D3-31 7F 19 75 u¼e╙1 u¼e╙1 u
00000AB0: AC 65 D3 31-7F 19 75 AC-65 D3 31 7F-19 75 AC 65 ¼e╙1 u¼e╙1 u¼e
00000AC0: D3 31 7F 19-75 AC 65 D3-31 7F 19 75-AC 65 D3 31 ╙1 u¼e╙1 u¼e╙1
00000AD0: 7F 19 75 AC-65 D3 31 7F-19 75 AC 65-D3 31 7F 19 u¼e╙1 u¼e╙1
00000AE0: 75 AC 65 D3-31 7F 19 75-AC 65 D3 31-7F 19 75 AC u¼e╙1 u¼e╙1 u¼
00000AF0: 65 D3 31 7F-19 75 AC 65-D3 31 7F 19-75 AC 65 D3 e╙1 u¼e╙1 u¼e╙
00000B00: 31 7F 19 75-AC 65 D3 31-7F 19 75 AC-65 D3 31 7F 1 u¼e╙1 u¼e╙1
00000B10: 19 75 AC 65-FC B1 7D 59-C7 A8 65 FB-31 78 59 C7 u¼eⁿ▒}Y╟¿e√1xY╟
00000B20: A8 65 FB 31-78 59 C7 A8-65 5F 3A 96-FC 01 2A EE ¿e√1xY╟¿e_:ûⁿ *ε
00000B30: B0 6C 0B 6E-B3 BA 00 00-00 00 49 45-4E 44 AE 42 ░l n│║ IEND«B
00000B40: 60 82 - - - `é
00000000: 89 50 4E 47-0D 0A 1A 0A-00 00 00 0D-49 48 44 52 ëPNG IHDR
00000010: 00 00 02 64-00 00 02 64-08 03 00 00-00 88 CF CD d d ê╧═
00000020: 8E 00 00 00-24 50 4C 54-45 FF FF FF-FF 7D 7D FF Ä $PLTE }}
00000030: 6F 6F FF FE-FE FF 7E 7E-FF 00 00 FF-80 80 FF 6D oo ■■ ~~ ÇÇ m
00000040: 6D FF 6E 6E-FF 30 30 FF-FD FD FF 2F-2F A6 F0 78 m nn 00 ²² //ª≡x
00000050: 4E 00 00 0A-D9 49 44 41-54 78 DA EC-D2 D1 09 5A N ┘IDATx┌∞╥╤ Z
00000060: 01 14 86 31-B5 DE EE 3F-72 1F CF 00-3F 94 20 5F å1╡▐ε?r ╧ ?ö _
00000070: 66 C8 EB BF-79 7F 5E 8C-FC F9 7C 5F-BF E7 FD 3C f╚δ┐y^îⁿ∙|_┐τ²<
00000080: 2D 83 8E 3D-CF F7 17 8F-B5 8C 3A E6-2E 1B 8E 51 -âÄ=╧≈ Å╡î:µ. ÄQ
00000090: CB 3A 36 2C-73 8F 51 CB-3A 36 2C 73-8F 51 CB 3A ╦:6,sÅQ╦:6,sÅQ╦:
000000A0: 36 2C 73 8F-51 CB 3A 36-2C 73 8F 51-CB 3A 36 2C 6,sÅQ╦:6,sÅQ╦:6,
000000B0: 73 8F 51 CB-3A E6 2E 1B-8E 51 CB 3A-E6 2E 1B 8E sÅQ╦:µ. ÄQ╦:µ. Ä
000000C0: 51 CB 3A E6-2E 1B 8E 51-CB 3A E6 2E-1B 8E 51 CB Q╦:µ. ÄQ╦:µ. ÄQ╦
000000D0: 3A E6 2E 1B-8E 51 CB 3A-E6 2E 1B 8E-51 CB 3A E6 :µ. ÄQ╦:µ. ÄQ╦:µ
000000E0: 2E 1B 8E 51-CB 3A E6 2E-1B 8E 59 CB-3A E6 2F 1B . ÄQ╦:µ. ÄY╦:µ/
000000F0: 8E F9 CB 3A-26 2F 1B 8E-B5 8C 3A 26-2F 1B 8E B5 Ä∙╦:&/ Ä╡î:&/ Ä╡
00000100: 8C 3A 26 2F-1B 8E B5 8C-3A 26 2F 1B-8E B5 8C 3A î:&/ Ä╡î:&/ Ä╡î:
00000110: 26 2F 1B 8E-B5 8C 3A 26-2F 1B 8E B5-8C 3A E6 2F &/ Ä╡î:&/ Ä╡î:µ/
00000120: BB 63 2D F3-8F F9 CB F6-63 2D 33 8F-F9 CB EE 58 ╗c-≤Å∙╦÷c-3Å∙╦εX
00000130: CB FC 63 FE-B2 FD 58 CB-CC 63 B7 CC-3F D6 32 FF ╦ⁿc■▓²X╦╠c╖╠?╓2
00000140: 98 BF 6C 3F-D6 32 F3 D8-2D F3 8F B5-CC 3F E6 2F ÿ┐l?╓2≤╪-≤Å╡╠?µ/
00000150: DB 8F B5 CC-3C 76 CB FC-63 2D F3 8F-F9 CB F6 63 █Å╡╠00000160: 2D 33 8F DD-32 FF 58 CB-FC 63 FE B2-3B D6 32 FC -3Å▌2 X╦ⁿc■▓;╓2ⁿ
00000170: 18 B0 0C 38-D6 32 EA D8-2D F3 8F B5-0C 3E E6 2F ░ 8╓2Ω╪-≤Å╡ >µ/
00000180: BB 63 D4 B2-8E 01 CB 80-63 F8 B2 8E-DD 32 F9 98 ╗c╘▓Ä ╦Çc°▓Ä▌2∙ÿ
00000190: BF AC 63 FE-B2 3B 46 2D-EB 18 B0 CC-38 E6 2F EB ┐¼c■▓;F-δ ░╠8µ/δ
000001A0: D8 2D 33 8F-F9 CB 3A E6-2F BB 63 D4-B2 8E 01 CB ╪-3Å∙╦:µ/╗c╘▓Ä ╦
000001B0: A4 63 FE B2-8E DD 32 ED-98 BF AC 63-FE B2 3B 46 ñc■▓Ä▌2φÿ┐¼c■▓;F
000001C0: 2D EB 18 B0-CC 3B E6 2F-EB D8 2D 73-8E F9 CB 3A -δ ░╠;µ/δ╪-sÄ∙╦:
000001D0: E6 2F BB 63-D4 B2 8E 01-CB D4 63 FE-B2 8E DD 32 µ/╗c╘▓Ä ╦╘c■▓Ä▌2
000001E0: F9 98 BF AC-63 C3 32 FF-98 BF AC 63-E7 2F 70 0C ∙ÿ┐¼c├2 ÿ┐¼cτ/p
000001F0: 5F D6 31 7F-D9 1D A3 96-75 0C 58 E6-1F F3 97 75 _╓1┘ úûu Xµ ≤ùu
00000200: EC 96 01 C7-D8 65 1D F3-97 DD 31 6A-59 C7 98 65 ∞û ╟╪e ≤ù▌1jY╟ÿe
00000210: FE 31 7F 59-C7 6E 19 70-0C 5C D6 31-7F D9 1D 6B ■1Y╟n p \╓1┘ k
00000220: 59 C7 6E 19-70 8C 59 D6-31 7F D9 1D-6B 59 C7 6E Y╟n pîY╓1┘ kY╟n
00000230: 19 70 0C 5A-D6 31 7F D9-1D 6B 59 C7-6E 19 70 8C p Z╓1┘ kY╟n pî
00000240: 5A D6 31 7F-D9 1D 6B 59-C7 6E 19 70-CC 59 D6 31 Z╓1┘ kY╟n p╠Y╓1
00000250: 7F D9 1D 6B-59 C7 C6 65-FE B1 96 DD-31 7F D9 7E ┘ kY╟╞e■▒û▌1┘~
00000260: AC 65 1D DB-97 DD B1 96-75 6C 5B 36-1C 6B 59 C7 ¼e █ù▌▒ûul[6 kY╟
00000270: F6 65 77 AC-65 1D 9B 96-0D C7 5A D6-B1 5B B6 1F ÷ew¼e ¢û ╟Z╓▒[╢
00000280: 6B 59 C7 A6-65 C3 B1 96-75 EC 96 4D-C7 5A D6 B1 kY╟ªe├▒ûu∞ûM╟Z╓▒
00000290: 61 D9 70 AC-65 1D BB 65-D3 B1 96 75-6C 5F B6 1F a┘p¼e ╗e╙▒ûul_╢
000002A0: FB C7 8E 5D-1D 84 01 45-51 10 4C 70-E9 BF 5E 1C √╟Ä] ä EQ LpΘ┐^
000002B0: CE 27 BA E8-6C 0B 77 9E-52 C6 D8 94-35 C6 28 63 ╬'║Φl w₧R╞╪ö5╞(c
000002C0: 6C CA 02 63-94 31 36 65-B1 31 CA 18-9B B2 CA 18 l╩ cö16e▒1╩ ¢▓╩
000002D0: 65 8C 4D 59-65 8C 32 C6-A6 AC 32 46-19 63 53 56 eîMYeî2╞ª¼2F cSV
000002E0: 19 A3 8C B1-29 AB 8C 51-C6 D8 94 55-C6 28 63 6C úî▒)½îQ╞╪öU╞(cl
000002F0: CA 2A 63 94-31 36 65 95-31 CA 18 9B-B2 CA 18 65 ╩*cö16eò1╩ ¢▓╩ e
00000300: 8C 4D 59 65-8C 32 C6 A6-AC 32 46 19-63 53 56 19 îMYeî2╞ª¼2F cSV
00000310: A3 8C B1 29-AB 8C 51 C6-D8 94 55 C6-28 63 6C CA úî▒)½îQ╞╪öU╞(cl╩
00000320: 2A 63 94 31-36 65 33 46-19 63 A5 B2-19 A3 8C B1 *cö16e3F cÑ▓ úî▒
00000330: 46 59 63 8C-32 C6 A6 AC-31 46 19 63-53 16 18 A3 FYcî2╞ª¼1F cS ú
00000340: 8C B1 29 8B-8D 51 C6 D8-9D B2 D3 63-CA 18 8B A7 î▒)ïìQ╞╪¥▓╙c╩ ïº
00000350: 71 78 46 59-1B 63 94 F5-31 46 59 1F-63 94 F5 31 qxFY cö⌡1FY cö⌡1
00000360: 46 59 1F 63-94 F5 31 46-59 1F 63 94-F5 31 46 59 FY cö⌡1FY cö⌡1FY
00000370: 1F 63 94 F5-31 46 59 1F-63 94 F5 31-46 59 1F 63 cö⌡1FY cö⌡1FY c
00000380: 94 F5 31 46-59 1F 63 94-F5 31 46 59-1F 63 94 F5 ö⌡1FY cö⌡1FY cö⌡
00000390: 31 46 59 1F-63 94 F5 31-46 59 1F 63-94 F5 31 46 1FY cö⌡1FY cö⌡1F
000003A0: 59 1D 63 94-D5 31 46 59-1D 63 94 D5-31 46 59 1D Y cö╒1FY cö╒1FY
000003B0: 63 94 D5 31-46 59 1D 63-94 D5 31 46-59 1D 63 94 cö╒1FY cö╒1FY cö
000003C0: D5 31 46 59-1D 63 94 D5-31 46 59 1D-63 94 D5 31 ╒1FY cö╒1FY cö╒1
000003D0: 46 59 1D 63-94 D5 31 46-59 1D 63 94-D5 31 46 59 FY cö╒1FY cö╒1FY
000003E0: 1D 63 94 C5-31 46 59 6F-8C 31 CA D2-18 EB 95 51 cö┼1FYoî1╩╥ δòQ
000003F0: C6 D8 5D 94-85 31 F6 DA-28 EB 8D 31-46 D9 5D 8C ╞╪]öà1÷┌(δì1F┘]î
00000400: C5 51 C6 58-1F 65 8C F5-51 C6 58 1F-65 8C F5 51 ┼Q╞X eî⌡Q╞X eî⌡Q
00000420: 1F 65 8C F5-51 C6 58 1F-65 8C F5 51-C6 58 1F 65 eî⌡Q╞X eî⌡Q╞X e
Let's walk through a simple PNG f ile...
no.png

View Slide

000004A0: 7D 8C 51 F6-D3 62 8C 32-C6 28 13 63-94 31 46 19 }îQ÷╙bî2╞( cö1F
000004C0: 28 63 8C 32-C6 28 13 63-94 31 46 D9-F7 8E 31 CA (cî2╞( cö1F┘≈Ä1╩
000004F0: 8C 51 C6 18-65 62 8C 32-C6 28 63 8C-32 31 46 19 îQ╞ ebî2╞(cî21F
00000510: 18 65 62 8C-32 C6 28 63-8C 32 31 46-19 63 94 89 ebî2╞(cî21F cöë
00000530: 8C 32 C6 28-13 63 94 31-46 19 63 94-89 31 CA 18 î2╞( cö1F cöë1╩
00000550: 28 13 63 94-31 46 19 63-A2 8C 31 CA-18 A3 8C 31 ( cö1F cóî1╩ úî1
00000560: 51 C6 18 65-8C 89 32 C6-28 63 8C 32-C6 44 19 63 Q╞ eîë2╞(cî2╞D c
00000570: 94 31 46 19-63 A2 8C 31-CA 18 13 65-8C 51 C6 18 ö1F cóî1╩ eîQ╞
00000580: 65 8C 89 32-C6 28 63 8C-32 C6 44 19-63 94 31 26 eîë2╞(cî2╞D cö1&
000005A0: 32 C6 28 63-4C 94 31 46-19 63 94 31-26 CA 18 A3 2╞(cLö1F cö1&╩ ú
000005D0: 51 C6 18 65-62 8C 32 C6-28 63 8C 32-31 46 19 63 Q╞ ebî2╞(cî21F c
000005F0: 65 62 8C 32-C6 28 13 63-94 31 46 19-63 94 89 31 ebî2╞( cö1F cöë1
00000610: 32 C6 28 13-63 94 31 46-19 63 94 89-31 CA 18 A3 2╞( cö1F cöë1╩ ú
00000640: C6 18 65 8C-89 32 C6 28-63 8C 32 C6-44 19 63 94 ╞ eîë2╞(cî2╞D cö
00000650: 31 46 99 18-A3 8C 31 CA-18 13 65 8C-51 C6 18 65 1FÖ úî1╩ eîQ╞ e
00000660: 8C 89 32 C6-28 63 4C 94-31 46 19 63-94 31 26 CA îë2╞(cLö1F cö1&╩
00000680: C6 28 63 4C-94 31 46 19-63 94 31 26-CA 18 A3 8C ╞(cLö1F cö1&╩ úî
00000690: 31 51 C6 18-65 8C 51 C6-98 28 63 8C-32 C6 28 63 1Q╞ eîQ╞ÿ(cî2╞(c
000006B0: 18 65 DF D4-98 28 63 8C-32 C6 44 19-63 94 31 46 e▀╘ÿ(cî2╞D cö1F
00000700: 63 94 F5 31-46 59 1F 63-94 F5 31 46-59 1F 63 94 cö⌡1FY cö⌡1FY cö
00000710: F5 31 46 59-1F 63 94 F5-31 46 59 1F-63 94 F5 31 ⌡1FY cö⌡1FY cö⌡1
00000720: 46 59 1F 63-94 F5 31 46-59 1F 63 94-F5 31 46 59 FY cö⌡1FY cö⌡1FY
00000730: 1F 63 94 F5-31 46 59 1F-63 94 D5 31-46 59 1D 63 cö⌡1FY cö╒1FY c
00000740: 94 D5 31 46-59 1D 63 94-D5 31 46 59-1D 63 94 D5 ö╒1FY cö╒1FY cö╒
00000750: 31 46 59 1D-63 94 D5 31-46 59 1D 63-94 D5 31 46 1FY cö╒1FY cö╒1F
00000760: 59 1D 63 94-D5 31 46 59-1D 63 94 D5-31 46 59 1D Y cö╒1FY cö╒1FY
00000770: 63 94 D5 31-46 59 1D 63-94 D5 31 46-59 1D 63 94 cö╒1FY cö╒1FY cö
00000B00: 31 7F 19 75-AC 65 D3 31-7F 19 75 AC-65 D3 31 7F 1 u¼e╙1 u¼e╙1
00000B40: 60 82 - - - `é
00000000: 89 50 4E 47-0D 0A 1A 0A-00 00 00 0D-49 48 44 52 ëPNG IHDR
00000010: 00 00 02 64-00 00 02 64-08 03 00 00-00 88 CF CD d d ê╧═
00000320: 2A 63 94 31-36 65 33 46-19 63 A5 B2-19 A3 8C B1 *cö16e3F cÑ▓ úî▒
00000350: 71 78 46 59-1B 63 94 F5-31 46 59 1F-63 94 F5 31 qxFY cö⌡1FY cö⌡1
00000360: 46 59 1F 63-94 F5 31 46-59 1F 63 94-F5 31 46 59 FY cö⌡1FY cö⌡1FY
00000370: 1F 63 94 F5-31 46 59 1F-63 94 F5 31-46 59 1F 63 cö⌡1FY cö⌡1FY c
00000380: 94 F5 31 46-59 1F 63 94-F5 31 46 59-1F 63 94 F5 ö⌡1FY cö⌡1FY cö⌡
00000390: 31 46 59 1F-63 94 F5 31-46 59 1F 63-94 F5 31 46 1FY cö⌡1FY cö⌡1F
000003C0: D5 31 46 59-1D 63 94 D5-31 46 59 1D-63 94 D5 31 ╒1FY cö╒1FY cö╒1
Reminder
A PNG f ile is a signature ,
then a sequence of Chunks:
starts with a length
then a type ,
and ends with a CRC .
no.png
135

View Slide

136
000004A0: 7D 8C 51 F6-D3 62 8C 32-C6 28 13 63-94 31 46 19 }îQ÷╙bî2╞( cö1F
000004C0: 28 63 8C 32-C6 28 13 63-94 31 46 D9-F7 8E 31 CA (cî2╞( cö1F┘≈Ä1╩
000004F0: 8C 51 C6 18-65 62 8C 32-C6 28 63 8C-32 31 46 19 îQ╞ ebî2╞(cî21F
00000510: 18 65 62 8C-32 C6 28 63-8C 32 31 46-19 63 94 89 ebî2╞(cî21F cöë
00000530: 8C 32 C6 28-13 63 94 31-46 19 63 94-89 31 CA 18 î2╞( cö1F cöë1╩
00000550: 28 13 63 94-31 46 19 63-A2 8C 31 CA-18 A3 8C 31 ( cö1F cóî1╩ úî1
00000560: 51 C6 18 65-8C 89 32 C6-28 63 8C 32-C6 44 19 63 Q╞ eîë2╞(cî2╞D c
00000570: 94 31 46 19-63 A2 8C 31-CA 18 13 65-8C 51 C6 18 ö1F cóî1╩ eîQ╞
00000580: 65 8C 89 32-C6 28 63 8C-32 C6 44 19-63 94 31 26 eîë2╞(cî2╞D cö1&
000005A0: 32 C6 28 63-4C 94 31 46-19 63 94 31-26 CA 18 A3 2╞(cLö1F cö1&╩ ú
000005D0: 51 C6 18 65-62 8C 32 C6-28 63 8C 32-31 46 19 63 Q╞ ebî2╞(cî21F c
000005F0: 65 62 8C 32-C6 28 13 63-94 31 46 19-63 94 89 31 ebî2╞( cö1F cöë1
00000610: 32 C6 28 13-63 94 31 46-19 63 94 89-31 CA 18 A3 2╞( cö1F cöë1╩ ú
00000640: C6 18 65 8C-89 32 C6 28-63 8C 32 C6-44 19 63 94 ╞ eîë2╞(cî2╞D cö
00000650: 31 46 99 18-A3 8C 31 CA-18 13 65 8C-51 C6 18 65 1FÖ úî1╩ eîQ╞ e
00000660: 8C 89 32 C6-28 63 4C 94-31 46 19 63-94 31 26 CA îë2╞(cLö1F cö1&╩
00000680: C6 28 63 4C-94 31 46 19-63 94 31 26-CA 18 A3 8C ╞(cLö1F cö1&╩ úî
00000690: 31 51 C6 18-65 8C 51 C6-98 28 63 8C-32 C6 28 63 1Q╞ eîQ╞ÿ(cî2╞(c
000006B0: 18 65 DF D4-98 28 63 8C-32 C6 44 19-63 94 31 46 e▀╘ÿ(cî2╞D cö1F
00000700: 63 94 F5 31-46 59 1F 63-94 F5 31 46-59 1F 63 94 cö⌡1FY cö⌡1FY cö
00000710: F5 31 46 59-1F 63 94 F5-31 46 59 1F-63 94 F5 31 ⌡1FY cö⌡1FY cö⌡1
00000720: 46 59 1F 63-94 F5 31 46-59 1F 63 94-F5 31 46 59 FY cö⌡1FY cö⌡1FY
00000730: 1F 63 94 F5-31 46 59 1F-63 94 D5 31-46 59 1D 63 cö⌡1FY cö╒1FY c
00000740: 94 D5 31 46-59 1D 63 94-D5 31 46 59-1D 63 94 D5 ö╒1FY cö╒1FY cö╒
00000750: 31 46 59 1D-63 94 D5 31-46 59 1D 63-94 D5 31 46 1FY cö╒1FY cö╒1F
00000760: 59 1D 63 94-D5 31 46 59-1D 63 94 D5-31 46 59 1D Y cö╒1FY cö╒1FY
00000770: 63 94 D5 31-46 59 1D 63-94 D5 31 46-59 1D 63 94 cö╒1FY cö╒1FY cö
00000B00: 31 7F 19 75-AC 65 D3 31-7F 19 75 AC-65 D3 31 7F 1 u¼e╙1 u¼e╙1
00000B40: 60 82 - - - `é
00000000: 89 50 4E 47-0D 0A 1A 0A-00 00 00 0D-49 48 44 52 ëPNG IHDR
00000010: 00 00 02 64-00 00 02 64-08 03 00 00-00 88 CF CD d d ê╧═
00000320: 2A 63 94 31-36 65 33 46-19 63 A5 B2-19 A3 8C B1 *cö16e3F cÑ▓ úî▒
00000350: 71 78 46 59-1B 63 94 F5-31 46 59 1F-63 94 F5 31 qxFY cö⌡1FY cö⌡1
00000360: 46 59 1F 63-94 F5 31 46-59 1F 63 94-F5 31 46 59 FY cö⌡1FY cö⌡1FY
00000370: 1F 63 94 F5-31 46 59 1F-63 94 F5 31-46 59 1F 63 cö⌡1FY cö⌡1FY c
00000380: 94 F5 31 46-59 1F 63 94-F5 31 46 59-1F 63 94 F5 ö⌡1FY cö⌡1FY cö⌡
00000390: 31 46 59 1F-63 94 F5 31-46 59 1F 63-94 F5 31 46 1FY cö⌡1FY cö⌡1F
000003C0: D5 31 46 59-1D 63 94 D5-31 46 59 1D-63 94 D5 31 ╒1FY cö╒1FY cö╒1
To walk through a PNG
check the signature , followed by a chunk start
(typically IHDR)
then look for sequences like:
XX XX XX XX LL LL LL LL AA AA AA AA
4 random-looking bytes Ex: 88 CF CD 8E
a big-endian length Ex: 00 00 00 24
a 4-bytes alpha string Ex: PLTE
- Note the chunk type.
- Skip L bytes
(Repeat until chunk IEND).
no.png

View Slide

The same f ile, displayed with HexII and skipping data ranges
0000: 89 .P .N .G \r \n ^Z \n 00 00 00 0D .I .H .D .R
0010: 00 00 02 64 00 00 02 64 08 03 00 00 00 88 CF CD
0020: 8E 00 00 00 24 .P .L .T .E FF FF FF FF 7D 7D FF
0030: 6F 6F FF FE FE FF 7E 7E FF 00 00 FF 80 80 FF 6D
0040: 6D FF 6E 6E FF 30 30 FF FD FD FF 2F 2F A6 F0 78
0050: 4E 00 00 0A D9 .I .D .A .T 78 DA EC D2 D1 09 5A
0060: 01 14 86 31 B5 DE EE 3F 72 1F CF 00 3F 94 20 5F
....
0B20: A8 65 FB 31 78 59 C7 A8 65 5F 3A 96 FC 01 2A EE
0B30: B0 6C 0B 6E B3 BA 00 00 00 00 .I .E .N .D AE 42
0B40: 60 82
no.png
137

View Slide

The f ile's chunk map
0000: 89 .P .N .G \r \n ^Z \n 00 00 00 0D .I .H .D .R
0010: 00 00 02 64 00 00 02 64 08 03 00 00 00 88 CF CD
0020: 8E 00 00 00 24 .P .L .T .E FF FF FF FF 7D 7D FF
0030: 6F 6F FF FE FE FF 7E 7E FF 00 00 FF 80 80 FF 6D
0040: 6D FF 6E 6E FF 30 30 FF FD FD FF 2F 2F A6 F0 78
0050: 4E 00 00 0A D9 .I .D .A .T 78 DA EC D2 D1 09 5A
0060: 01 14 86 31 B5 DE EE 3F 72 1F CF 00 3F 94 20 5F
0B20: A8 65 FB 31 78 59 C7 A8 65 5F 3A 96 FC 01 2A EE
0B30: B0 6C 0B 6E B3 BA 00 00 00 00 .I .E .N .D AE 42
0B40: 60 82
0000-0007: Signature 89 .P .N .G \r \n ^Z \n
0008-0020: Image Header 00 00 00 0D .I .H .D .R…88 CF CD 8E
0021-0050: Palette 00 00 00 24 .P .L .T .E…A6 F0 78 4E
0051-0B34: Data 00 00 0A D9 .I .D .A .T…0B 6E B3 BA
0B35-0B41: End 00 00 00 00 .I .E .N .D AE 42 60 82
no.png
PALETTE
HEADER
DATA
END
138

View Slide

The PNG format is really
easy to parse or manipulate at chunk level.
import struct
import binascii
_MAGIC = b"\x89PNG\x0d\x0a\x1a\x0a"
_crc32 = lambda d:(binascii.crc32(d) % 0x100000000)
def parse(f):
assert f.read(8) == _MAGIC
chunks = []
while (True):
l, = struct.unpack(">I", f.read(4))
t = f.read(4)
d = f.read(l)
assert _crc32(t + d) == struct.unpack(">I", f.read(4))[0]
chunks += [[t, d]]
if t == b"IEND":
return chunks
raise(BaseException("Invalid image"))
def make(chunks):
s = [_MAGIC]
for t, d in chunks:
s += [
struct.pack(">I", len(d)),
t,
d,
struct.pack(">I", _crc32(t + d))
]
return "".join(s)
Cf minipng.py
139

View Slide

- lower-case chunk are ignored. aLIG/cOLL/sKIP/wHAT/eVER/…
- 3 chunks to add:
1. alignment
2. collision:aligned with UniColl’s 10th character
to jump over collision blocks with variable length.
3. skip: one to land successfully, and jump over the first image.
- we can copy the whole images’ contents after their signature:
they’re made of sequence of chunks, no need to parse them.
Recap: exploit strategy
140

View Slide

Inserting chunks still keeps a PNG f ile valid.
0000: 89 .P .N .G \r \n ^Z \n 00 00 00 33 .a .L .I .G
0010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0040: 00 00 00 57 93 27 27 00 00 00 71 .c .O .L .L 00
0050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00C0: 32 B8 1F CE 00 00 00 0D .I .H .D .R 00 00 02 64
00D0: 00 00 02 64 08 03 00 00 00 88 CF CD 8E 00 00 00
00E0: 24 .P .L .T .E FF FF FF FF 7D 7D FF 6F 6F FF FE
0BE0: A8 65 FB 31 78 59 C7 A8 65 5F 3A 96 FC 01 2A EE
0BF0: B0 6C 0B 6E B3 BA 00 00 00 00 .I .E .N .D AE 42
0C00: 60 82
0000-0007: Signature
0008-0046: Alignment 00 00 00 33 .a .L .I .G…57 93 27 27
0047-00C3: UniColl 00 00 00 71 .c .O .L .L…32 B8 1F CE
00C4-00DC: Image Header 00 00 00 0D .I .H .D .R…88 CF CD 8E
00DD-010C: Palette 00 00 00 24 .P .L .T .E…A6 F0 78 4E
010D-0BF1: Data 00 00 0A D9 .I .D .A .T…0B 6E B3 BA
0BF2-0BFD: End 00 00 00 00 .I .E .N .D AE 42 60 82
UNICOLL
ALIGNMENT
Source example:
chunks = [
["aLIG", 0x33*"\0"],
["cOLL", 0x71*"\0"],
] + read(fNo)
141

View Slide

Length
.
Type
.
CRC32
.
Mission
0000: 89 .P .N .G \r \n ^Z \n 00 00 00 33 .a .L .I .G
0010: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0020: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0030: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0040: ?? ?? ?? ?? ?? ?? ?? 00-00 00 71 .c .O .L .L ??
0050: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0060: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0070: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0080: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0090: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
00A0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
00B0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
00C0: ?? ?? ?? ?? XX XX XX XX .s .K .I .P ?? ?? ?? ??
[...]
01C0: ?? ?? ?? ?? ?? ?? ?? ?? .I .H .D .R ?? ?? ?? ??
01D0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
[...]
????: ?? ?? 00 00 00 00 .I .E .N .D AE 42 60 82 ?? ??
????: ?? ?? 00 00 20 00 .I .H .D .R ?? ?? ?? ?? ?? ??
[...]
????: ?? ?? ?? 00 00 00 00 .I .E .N .D AE 42 60 82
142
3 dummy chunks: alignment, collision and jump over (the f irst image) data

View Slide

0000: 89 .P .N .G \r \n ^Z \n 00 00 00 33 .a .L .I .G
0010: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0020: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0030: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0040: ?? ?? ?? ?? ?? ?? ?? 00-00 00 71 .c .O .L .L ??
0050: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0060: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0070: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0080: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
0090: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
00A0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
00B0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
00C0: ?? ?? ?? ?? XX XX XX XX .s .K .I .P ?? ?? ?? ??
[...]
01C0: ?? ?? ?? ?? ?? ?? ?? ?? .I .H .D .R ?? ?? ?? ??
01D0: ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ?? ??
[...]
????: ?? ?? 00 00 00 00 .I .E .N .D AE 42 60 82 ?? ??
????: ?? ?? 00 00 20 00 .I .H .D .R ?? ?? ?? ?? ?? ??
[...]
????: ?? ?? ?? 00 00 00 00 .I .E .N .D AE 42 60 82
Alignment chunk
Chunks
A
Chunks
B
UniColl chunk
Here's a working script for reference. 143

View Slide

Need to explore by yourself?
144
Open Kaitai IDE with the lightweight PoCs
https://ide.kaitai.io/ + https://github.com/corkami/collisions/blob/master/examples/free/README.md

View Slide

Kaitai tricks
Only the high level structure is useful:
-> simpler grammar can be better.
Looser logic can be required:
Ex: IHDR chunk not in the first slot.
ICYDK You can directly edit the grammar in the IDE!
(the modified copy will be automatically saved in your local storage)
meta:
id: png
file-extension: png
endian: be
seq:
- id: magic
contents: [137, 80, 78, 71, 13, 10, 26, 10]
- id: chunks
type: chunk
repeat: until
repeat-until: _.type == "IEND" or _io.eof
types:
chunk:
seq:
- id: len
type: u4
- id: type
type: str
size: 4
encoding: UTF-8
- id: body
size: len
- id: crc
size: 4
Simplif ied PNG grammar
png_simple.ksy
145

View Slide

# Standard PNG image.
0 string \x89PNG\x0d\x0a\x1a\x0a\x00\x00\x00\x0DIHDR PNG image data
Know the format landscape
All PNG viewers seem to ignore CRCs.
Most PNG viewers tolerate starting w/ a dummy chunk.
-> generic collisions for any PNG pair
OS X (Safari, Preview) enforce an IHDR chunk first:
and dimensions and colorspace are in the common prefix
-> Study the landscape to understand the scope of your exploit.
https://github.com/file/file/blob/master/magic/Magdir/images#L440-L441
They support the undocumented CgBI chunk,
But they enforce the specs more than anyone else!
146

View Slide

Collision exploit
Reusable PNG via UniColl
Certificate (medium)
Ange Albertini
INSTRUCTOR
COLLT IS
147

View Slide

Correct CRCs in UniColliding-PNG ?
- CRCs are ignored
- the collision blocks have different contents
+ the collision blocks also change the length of the chunk
-> 2 different CRCs for different lengths of the collision chunk
-> correct CRCs are possible
148

View Slide

149

View Slide

The two Identical Pref ix Collisions against MD5
📏
⌛
‽
two blocks
a few minutes
in pref ix
📏
⌛
‽
two blocks
a few seconds
in the middle
FastColl
UniColl
150

View Slide

IPCs limitations
Some formats have hardcoded offsets, or don’t tolerate early comments
Same prefix -> same file type
Same header -> same metadata
Enforced checksums prevent validity.
Only the length of a current structure level can be manipulated.
151

View Slide

Chosen-Pref ix Collisions
The ultimate attack
HashClashCPC
152

View Slide

Our third block:
a Chosen Pref ix hash Collision
153

View Slide

Hashclash
Master of backtracking
Takes 72h.core hours to compute - if you’re lucky:
Often requires backtracking, but it's now automated..
The fewer the collision blocks,
the longer to compute.
EXAMPLE OF A COMPUTATION LOG:
Corkami collisions:examples/cpc.txt
A word of warning on CPC
154

View Slide

Trivial: run scripts/cpc.sh prefix1 prefix2
No monitoring required (unlike previous versions)
Launching a hashclash computation
...
[*] Timeout reached. Killing process with pid 5760
Killed
[*] Step 5 failed. Backtracking to step 4
[*] Number of backtracks until now: 1
[*] Time before backtrack: 2400 s
[*] Starting step 4
...
155

View Slide

A 9-block CPC of yes and no. (differences are irrelevant)
Collision blocks
Random buffer
(partial birthday attack bits)
Padding 0000: .n .o 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0010: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0020: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0030: 00 00 00 00-00 00 00 00-19 71 E7 F7-09 72 FB 06
0040: F3 45 26 13-66 60 C8 01-B9 2A 75 25-5A 67 23 A6
0050: 92 3D EB 8D-B0 B7 57 F1-45 9F 22 95-BE C0 43 75
0060: 91 98 A2 D3-E0 FD 59 ED-D1 C5 FA 0B-79 65 97 51
0070: B3 B3 E4 0C-11 0C 90 32-DE 4B A1 4B-B8 1B 5E C8
0080: 25 D3 8F 19-CD 10 43 07-D9 BB FF 8C-B7 5A 23 F9
0090: 4D D8 13 14-58 A3 35 97-C5 D1 D4 A9-9A E2 FD 1F
00A0: BA 78 40 00-C3 7E 93 B2-31 A3 6E 2D-34 72 4A C9
00B0: 53 4E C0 45-36 1E C8 6A-56 98 E6 F0-57 1D 61 98
00C0: 13 FC FF CD-4D 83 A2 D2-BB B8 DC 04-2B E2 B8 83
00D0: DB 53 80 D7-3D E9 97 D3-23 5A 27 F9-98 9A E7 56
00E0: 7D 86 E4 35-1E B8 33 EE-EA 15 D1 81-FA 96 62 EC
00F0: 75 31 FB DA-4F AE 24 6F-67 D6 AF 10-96 29 FB C7
0100: A3 32 BB A9-EA D5 E4 AE-1F C2 FB 23-41 22 B2 E0
0110: 69 1E 29 20-6F 5B 20 1E-5E 3D 11 2F-3E 4D 9F 39
0120: 8B C9 5C 93-A5 EF A4 22-7D 9A 66 51-6E ED AF 70
0130: 32 90 D4 BD-67 92 38 9B-DC 15 0D BF-DC 71 72 27
0140: E0 5B 43 FA-44 59 E8 60-F7 63 7F F0-73 0A D4 BE
0150: 33 28 AA 99-2C 90 2D D0-01 58 E3 8F-58 50 30 99
0160: E8 60 DB 91-00 13 C9 1D-7A 61 9B 9A-5D 60 BD 71
0170: 23 1A D2 BD-A6 E0 38 66-0B 8C F5 99-56 79 63 D6
0180: 6E 5E D7 7E-C3 4E 9D 5F-65 23 C0 38-C9 55 5A A1
0190: E2 3C CA 78-58 4D B5 3B-04 45 C3 B4-44 C8 87 26
01A0: 02 60 F6 62-91 34 70 FE-C3 34 54 6D-76 07 FF 1A
01B0: 73 53 E6 0B-08 FB 82 80-AD 5F 22 15-18 69 B5 6E
01C0: BB 06 C3 A7-FF 39 15 52-BE FE D4 5C-D2 55 5A 71
01D0: EC E9 BC 1A-B7 BB 08 61-C5 3E E7 89-7C 93 03 FC
01E0: 1F 8A 9A D8-42 BF 6C 01-6A 39 26 84-6C 58 E2 E4
01F0: 00 D4 67 7B-27 BD 93 6D-DF F0 10 4A-2B 00 7E 68
0200: 1D DE D5 8A-67 89 EA 52-0C 32 BD 30-A2 8C BE D0
0210: A7 35 BA C6-BB 7D 07 80-49 22 EF E5-10 B2 83 6D
0220: E6 18 6E E3-F0 52 E4 35-83 61 42 35-72 97 CD 8D
0230: 4F F7 93 68-5A 70 5F 5A-04 3A D5 42-C1 FA 0F E2
0240: AE 57 DB AF-F1 51 B8 B7-38 18 EF 2E-B8 A6 A9 2C
0250: 81 87 FA FE-B2 C4 DC 45-A3 64 91 6D-B8 6E F5 D1
0260: 4F 9C FA 62-3D 42 46 59-67 32 EC 99-DA 89 7A 08
0270: E7 AD E3 21-ED 3C 4B C0-4D 9F 83 3C-DC 7F B7 0A
0000: .y .e .s 00-00 00 00 00-00 00 00 00-00 00 00 00
0010: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0020: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0030: 00 00 00 00-00 00 00 00-B7 46 38 09-8A 46 F1 7B
0040: F3 45 26 13-66 60 C8 01-B9 2A 75 25-5A 67 23 A6
0050: 92 3D EB 8D-B0 B7 57 F1-45 9F 22 95-BE C0 43 75
0060: 91 98 A2 D3-E0 FD 59 ED-D1 C5 FA 0B-79 65 97 4D
0070: B3 B3 E4 0C-11 0C 90 32-DE 4B A1 4B-B8 1B 5E C8
0080: 25 D3 8F 19-CD 10 43 07-D9 BB FF 8C-B7 5A 23 F9
0090: 4D D8 13 14-58 A3 35 97-C5 D1 D4 A9-9A E2 FD 1F
00A0: BA 78 40 00-C3 7E 93 B2-31 A3 6E 2D-34 6A 4A C9
00B0: 53 4E C0 45-36 1E C8 6A-56 98 E6 F0-57 1D 61 98
00C0: 13 FC FF CD-4D 83 A2 D2-BB B8 DC 04-2B E2 B8 83
00D0: DB 53 80 D7-3D E9 97 D3-23 5A 27 F9-98 9A E7 56
00E0: 7D 86 E4 35-1E B8 33 EE-EA 15 D1 81-BA 96 62 EC
00F0: 75 31 FB DA-4F AE 24 6F-67 D6 AF 10-96 29 FB C7
0100: A3 32 BB A9-EA D5 E4 AE-1F C2 FB 23-41 22 B2 E0
0110: 69 1E 29 20-6F 5B 20 1E-5E 3D 11 2F-3E 4D 9F 39
0120: 8B C9 5C 93-A5 EF A4 22-7D 9A 66 51-6E ED AD 70
0130: 32 90 D4 BD-67 92 38 9B-DC 15 0D BF-DC 71 72 27
0140: E0 5B 43 FA-44 59 E8 60-F7 63 7F F0-73 0A D4 BE
0150: 33 28 AA 99-2C 90 2D D0-01 58 E3 8F-58 50 30 99
0160: E8 60 DB 91-00 13 C9 1D-7A 61 9B 9A-5D 5E BD 71
0170: 23 1A D2 BD-A6 E0 38 66-0B 8C F5 99-56 79 63 D6
0180: 6E 5E D7 7E-C3 4E 9D 5F-65 23 C0 38-C9 55 5A A1
0190: E2 3C CA 78-58 4D B5 3B-04 45 C3 B4-44 C8 87 26
01A0: 02 60 F6 62-91 34 70 FE-C3 34 54 6D-76 07 7F 1A
01B0: 73 53 E6 0B-08 FB 82 80-AD 5F 22 15-18 69 B5 6E
01C0: BB 06 C3 A7-FF 39 15 52-BE FE D4 5C-D2 55 5A 71
01D0: EC E9 BC 1A-B7 BB 08 61-C5 3E E7 89-7C 93 03 FC
01E0: 1F 8A 9A D8-42 BF 6C 01-6A 39 26 84-74 58 E2 E4
01F0: 00 D4 67 7B-27 BD 93 6D-DF F0 10 4A-2B 00 7E 68
0200: 1D DE D5 8A-67 89 EA 52-0C 32 BD 30-A2 8C BE D0
0210: A7 35 BA C6-BB 7D 07 80-49 22 EF E5-10 B2 83 6D
0220: E6 18 6E E3-F0 52 E4 35-83 61 42 35-72 97 C5 8D
0230: 4F F7 93 68-5A 70 5F 5A-04 3A D5 42-C1 FA 0F E2
0240: AE 57 DB AF-F1 51 B8 B7-38 18 EF 2E-B8 A6 A9 2C
0250: 81 87 FA FE-B2 C4 DC 45-A3 64 91 6D-B8 6E F5 D1
0260: 4F 9C FA 62-3D 42 46 59-67 32 EC 99-DA 89 7A 88
0270: E7 AD E3 21-ED 3C 4B C0-4D 9F 83 3C-DC 7F B7 0A 156

View Slide

So, we have two f iles. Any pair of f iles. We can see them as pref ixes.
157

View Slide

Padding, as usual
Pad both files to the same length,
to a block boundary minus 12 (0xC) bytes.
Padding content doesn't matter.
158

View Slide

Computation
We compute a collision,
that appends different blocks to both files.
It makes sense only if
both formats tolerate appended data.
(or cover it by a comment).
Block differences are irrelevant in this case.
(we entirely control both prefixes).
159

View Slide

📏
⌛
‽
Almighty, but slower
HashClash
HashClash
7-9 blocks
A few hours
Irrelevant
160

View Slide

Input: two arbitrary pref ixes
Their content and length don’t matter.
Shorter prefixes don’t make anything faster.
Both are padded to the same size.
The last 12 bytes before the collision blocks are used for the attack.
They're always different.
After, blocks of collision are appended (by default, 9 of them)
.
--maxblocks 9
161

View Slide

The 2 steps of a CPC
First, a single Birthday Search,
then near-collision computation for each block.
(which may require backtracking)
Only the Birthday Search benefits from GPU.
The B.S. doesn't require any backtracking.
162

View Slide

The fewer the blocks, the more complex the B.S.
- 400kH for a single block CPC.
- 7-9 blocks is a good trade-off for desktop computation.
9 239 2009
3 249 2009
2 246 2019
1 253 2009
# Blocks
Complexity
Attack publication
163

View Slide

Impact of a CPC
If two files formats tolerate appended data:
Compute collision. Done.
+ Straightforward
- Only works for a single pair
164

View Slide

Identical Pref ix
vs
Chosen Pref ix
Recap
165

View Slide

IPC: both contents in each file.
(You might leak your payload)
From a content perspective
166
CPC: Only one content per file.
(evil payload not in the good file)

View Slide

IPC: Deeply modified file structures.
Weird header, 2 payloads, possibly split.
From a f ile perspective
167
CPC: Each file starts exactly like before.
It's just appended data.

View Slide

IPC: Can reuse precomputed collision
so instant generation can be possible.
From a computing perspective
168
CPC: No re-usability: same computation every time.
-> no optimization, no shortcut.

View Slide

⨉
Combining CPC flexibility
with IPC re-usability
Level-up: IPC(CPC)
=
169

View Slide

Using CPC as a pref ix like an IPC
More computing than IPC, but less restrictive.
Do a CPC with headers rather than whole files.
Append body/footer of 2 files.
Enables mixing file types:
- valid/invalid files
- polyglot collisions
170

View Slide

PE collisions
via a CPC used like an IPC
171

View Slide

0000: 4D 5A 90 00-03 00 00 00-04 00 00 00-FF FF 00 00 MZÉ ♥ ♦
0010: B8 00 00 00-00 00 00 00-40 00 00 00-00 00 00 00 ╕ @
0020: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0030: 00 00 00 00-00 00 00 00-00 00 00 00-E8 00 00 00 Φ
0040: 0E 1F BA 0E-00 B4 09 CD-21 B8 01 4C-CD 21 54 68 ♫▼║♫ ┤○═!╕☺L═!Th
0050: 69 73 20 70-72 6F 67 72-61 6D 20 63-61 6E 6E 6F is program canno
0060: 74 20 62 65-20 72 75 6E-20 69 6E 20-44 4F 53 20 t be run in DOS
0070: 6D 6F 64 65-2E 0D 0D 0A-24 00 00 00-00 00 00 00 mode.♪♪◙$
0080: 59 09 56 C8-1D 68 38 9B-1D 68 38 9B-1D 68 38 9B Y○V╚↔h8¢↔h8¢↔h8¢
0090: 0E 60 51 9B-1F 68 38 9B-18 64 37 9B-07 68 38 9B ♫`Q¢▼h8¢↑d7¢•h8¢
00A0: 18 64 58 9B-3C 68 38 9B-18 64 67 9B-8F 68 38 9B ↑dX¢00B0: 9E 60 65 9B-1E 68 38 9B-1D 68 39 9B-43 68 38 9B ₧`e¢▲h8¢↔h9¢Ch8¢
00C0: 18 64 5C 9B-14 68 38 9B-F1 63 66 9B-1C 68 38 9B ↑d\¢¶h8¢±cf¢∟h8¢
00D0: 18 64 62 9B-1C 68 38 9B-52 69 63 68-1D 68 38 9B ↑db¢∟h8¢Rich↔h8¢
00E0: 00 00 00 00-00 00 00 00-50 45 00 00-4C 01 04 00 PE L☺♦
00F0: 4A 24 52 44-00 00 00 00-00 00 00 00-E0 00 0F 01 J$RD α ☼☺
0100: 0B 01 07 0A-00 10 03 00-00 E0 00 00-00 00 00 00 ♂☺•◙ ►♥ α
0110: 6F 9C 01 00-00 10 00 00-00 20 03 00-00 00 40 00 o£☺ ► ♥ @
0120: 00 10 00 00-00 10 00 00-04 00 00 00-01 00 00 00 ► ► ♦ ☺
0130: 04 00 00 00-00 00 00 00-00 00 04 00-00 10 00 00 ♦ ♦ ►
0140: B3 B5 04 00-03 00 00 00-00 00 10 00-00 10 00 00 │╡♦ ♥ ► ►
0150: 00 00 10 00-00 10 00 00-00 00 00 00-10 00 00 00 ► ► ►
0160: 00 00 00 00-00 00 00 00-58 8E 03 00-28 00 00 00 XÄ♥ (
0170: 00 F0 03 00-20 03 00 00-00 00 00 00-00 00 00 00 ≡♥ ♥
0180: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0190: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
01A0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
01B0: 60 50 03 00-48 00 00 00-00 00 00 00-00 00 00 00 `P♥ H
01C0: 00 20 03 00-0C 01 00 00-00 00 00 00-00 00 00 00 ♥ ♀☺
01D0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
01E0: 2E 74 65 78-74 00 00 00-4A 00 03 00-00 10 00 00 .text J ♥ ►
01F0: 00 10 03 00-00 10 00 00-00 00 00 00-00 00 00 00 ►♥ ►
0200: 00 00 00 00-20 00 00 60-2E 72 64 61-74 61 00 00 `.rdata
0210: 36 74 00 00-00 20 03 00-00 80 00 00-00 20 03 00 6t ♥ Ç ♥
0220: 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 40 @ @
0230: 2E 64 61 74-61 00 00 00-B8 40 00 00-00 A0 03 00 .data ╕@ á♥
0240: 00 30 00 00-00 A0 03 00-00 00 00 00-00 00 00 00 0 á♥
0250: 00 00 00 00-40 00 00 C0-2E 72 73 72-63 00 00 00 @ └.rsrc
0260: 20 03 00 00-00 F0 03 00-00 10 00 00-00 D0 03 00 ♥ ≡♥ ► ╨♥
0270: 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 40 @ @
0280: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0FE0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0FF0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
1000: 6A FF 68 98-02 43 00 64-A1 00 00 00-00 50 64 89 j hÿ☻C dí Pdë
1010: 25 00 00 00-00 51 56 8B-F1 89 74 24-04 E8 F0 7C % QVï±ët$♦Φ≡|
1020: 01 00 33 C0-89 44 24 10-8D 4E 0C C7-06 F0 21 43 ☺ 3└ëD$►ìN♀╟♠≡!C
1030: 00 6A FF 89-41 14 C7 41-18 0F 00 00-00 50 88 41 j ëA¶╟A↑☼ PêA
Number Name VSize Address PSize Offset Flag
1 .text 0003004A 00001000 00031000 00001000 60000020
2 .rdata 00007436 00032000 00008000 00032000 40000040
3 .data 000040B8 0003A000 00003000 0003A000 C0000040
4 .rsrc 00000320 0003F000 00001000 0003D000 40000040
- DOS header points to PE header.
- in between, DOS Stub (16 bit code),
& Rich header (MS Linker information)
- PE header contains all the critical information
including sections mapping ( offsets -> address)
Anatomy of a typical PE f ile
PE Header
(critical)
Dos Header:
declares Executable,
points to PE Header.
Dos Stub
(old 16b code)
Rich Header
(MS linker information)
Points to
172

View Slide

0000: 4D 5A 90 00-03 00 00 00-04 00 00 00-FF FF 00 00 MZÉ ♥ ♦
0010: B8 00 00 00-00 00 00 00-40 00 00 00-00 00 00 00 ╕ @
0020: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0030: 00 00 00 00-00 00 00 00-00 00 00 00-E8 00 00 00 Φ
0040: 0E 1F BA 0E-00 B4 09 CD-21 B8 01 4C-CD 21 54 68 ♫▼║♫┤○═!╕☺L═!Th
0050: 69 73 20 70-72 6F 67 72-61 6D 20 63-61 6E 6E 6F is program canno
0060: 74 20 62 65-20 72 75 6E-20 69 6E 20-44 4F 53 20 t be run in DOS
0070: 6D 6F 64 65-2E 0D 0D 0A-24 00 00 00-00 00 00 00 mode.♪♪◙$
0080: 59 09 56 C8-1D 68 38 9B-1D 68 38 9B-1D 68 38 9B Y○V╚↔h8¢↔h8¢↔h8¢
0090: 0E 60 51 9B-1F 68 38 9B-18 64 37 9B-07 68 38 9B ♫`Q¢▼h8¢↑d7¢•h8¢
00A0: 18 64 58 9B-3C 68 38 9B-18 64 67 9B-8F 68 38 9B ↑dX¢00B0: 9E 60 65 9B-1E 68 38 9B-1D 68 39 9B-43 68 38 9B ₧`e¢▲h8¢↔h9¢Ch8¢
00C0: 18 64 5C 9B-14 68 38 9B-F1 63 66 9B-1C 68 38 9B ↑d\¢¶h8¢±cf¢∟h8¢
00D0: 18 64 62 9B-1C 68 38 9B-52 69 63 68-1D 68 38 9B ↑db¢∟h8¢Rich↔h8¢
00E0: 00 00 00 00-00 00 00 00-50 45 00 00-4C 01 04 00 PE L☺♦
00F0: 4A 24 52 44-00 00 00 00-00 00 00 00-E0 00 0F 01 J$RD α ☼☺
0100: 0B 01 07 0A-00 10 03 00-00 E0 00 00-00 00 00 00 ♂☺•◙ ►♥ α
0110: 6F 9C 01 00-00 10 00 00-00 20 03 00-00 00 40 00 o£☺ ► ♥ @
0120: 00 10 00 00-00 10 00 00-04 00 00 00-01 00 00 00 ► ► ♦ ☺
0130: 04 00 00 00-00 00 00 00-00 00 04 00-00 10 00 00 ♦ ♦ ►
0140: B3 B5 04 00-03 00 00 00-00 00 10 00-00 10 00 00 │╡♦ ♥ ► ►
0150: 00 00 10 00-00 10 00 00-00 00 00 00-10 00 00 00 ► ► ►
0160: 00 00 00 00-00 00 00 00-58 8E 03 00-28 00 00 00 XÄ♥ (
0170: 00 F0 03 00-20 03 00 00-00 00 00 00-00 00 00 00 ≡♥ ♥
0180: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0190: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
01A0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
01B0: 60 50 03 00-48 00 00 00-00 00 00 00-00 00 00 00 `P♥ H
01C0: 00 20 03 00-0C 01 00 00-00 00 00 00-00 00 00 00 ♥ ♀☺
01D0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
01E0: 2E 74 65 78-74 00 00 00-4A 00 03 00-00 10 00 00 .text J ♥ ►
01F0: 00 10 03 00-00 20 00 00-00 00 00 00-00 00 00 00 ►♥ ►
0200: 00 00 00 00-20 00 00 60-2E 72 64 61-74 61 00 00 `.rdata
0210: 36 74 00 00-00 20 03 00-00 80 00 00-00 30 03 00 6t ♥ Ç ♥
0220: 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 40 @ @
0230: 2E 64 61 74-61 00 00 00-B8 40 00 00-00 A0 03 00 .data ╕@ á♥
0240: 00 30 00 00-00 B0 03 00-00 00 00 00-00 00 00 00 0 á♥
0250: 00 00 00 00-40 00 00 C0-2E 72 73 72-63 00 00 00 @ └.rsrc
0260: 20 03 00 00-00 F0 03 00-00 10 00 00-00 E0 03 00 ♥ ≡♥ ► ╨♥
0270: 00 00 00 00-00 00 00 00-00 00 00 00-40 00 00 40 @ @
0280: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
2000: 6A FF 68 98-02 43 00 64-A1 00 00 00-00 50 64 89 j hÿ☻C dí Pdë
2010: 25 00 00 00-00 51 56 8B-F1 89 74 24-04 E8 F0 7C % QVï±ët$♦Φ≡|
2020: 01 00 33 C0-89 44 24 10-8D 4E 0C C7-06 F0 21 43 ☺ 3└ëD$►ìN♀╟♠≡!C
2030: 00 6A FF 89-41 14 C7 41-18 0F 00 00-00 50 88 41 j ëA¶╟A↑☼ PêA
- DOS header only contains 2 important fields,
the rest is irrelevant.
- Dos Stub and Rich header can be removed.
- PE header can be moved further: just update its pointer .
- Sections can be moved further: just adjust offsets .
Abusing PE f iles
Number Name VSize Address PSize Offset Flag
1 .text 0003004A 00001000 00031000 00002000 60000020
2 .rdata 00007436 00032000 00008000 00033000 40000040
3 .data 000040B8 0003A000 00003000 0003B000 C0000040
4 .rsrc 00000320 0003F000 00001000 0003E000 40000040
only Magic and
pointers are important
can be removed
can be removed
173

View Slide

- DOS header is generic
Pointers to 2 headers, over collision blocks.
- Dos Stub and Rich header are discarded
to make place for collision blocks
- Two PE Headers that follow each other
- both sections sets have adjusted offsets.
-> Reusable and instant PE collision
Windows PE collisions 0000: 4D 5A 90 00-03 00 00 00-04 00 00 00-FF FF 00 00 MZÉ ♥ ♦
0010: B8 00 00 00-00 00 00 00-40 00 00 00-00 00 00 00 ╕ @
0020: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
0030: 00 00 00 00-00 00 00 00-00 00 00 00--80 04 00 00 Ç♦
00040: 2F 3D 2D 3D-2D 3D 2D 3D-2D 3D 2D 3D-2D 3D 2D 5C /=-=-=-=-=-=-=-\
00050: 7C 50 45 20-43 50 43 20-48 65 61 64-65 72 00 7C |PE CPC Header |
00060: 5C 2D 3D 2D-3D 2D 3D 2D-3D 2D 3D 2D-3D 2D 3D 2F \-=-=-=-=-=-=-=/
00070: 41 6E 67 65-00 00 00 00-50 9F 71 32-3D 49 75 DD Ange Pƒq2=Iu▌
00080: E3 45 20 DB-90 D9 F9 1A-1E 32 55 D1-4D C9 14 F6 πE █É┘∙→▲2U╤M╔¶÷
00090: AD D9 79 C8-3E D7 22 3D-EF AB 83 E8-DD CB 87 F0 ¡┘y╚>╫"=∩½âΦ▌╦ç≡
...
002B0: F2 C8 C5 E0-7D 7C 29 D8-91 36 41 37-D0 8D 04 E5 ≥╚┼α}|)╪æ6A7╨ì♦σ
002C0: 50 45 00 00-4C 01 04 00-4A 24 52 44-00 00 00 00 PE L☺♦ J$RD
002D0: 00 00 00 00-E0 00 0F 01-0B 01 07 0A-00 10 03 00 α ☼☺♂☺•◙ ►♥
002E0: 00 E0 00 00-00 00 00 00-6F 9C 01 00-00 10 00 00 α o£☺ ►
002F0: 00 20 03 00-00 00 40 00-00 10 00 00-00 10 00 00 ♥ @ ► ►
00300: 04 00 00 00-01 00 00 00-04 00 00 00-00 00 00 00 ♦ ☺ ♦
00470: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00480: 50 45 00 00-4C 01 04 00-E7 81 0C 54-00 00 00 00 PE L☺♦ τü♀T
00490: 00 00 00 00-E0 00 03 01-0B 01 09 00-00 9E 03 00 α ♥☺♂☺○ ₧♥
004A0: 00 A2 01 00-00 00 00 00-CC 91 02 00-00 10 00 00 ó☺ ╠æ☻ ►
004B0: 00 B0 03 00-00 00 40 00-00 10 00 00-00 02 00 00 ░♥ @ ► ☻
...
007E0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
007F0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
00800: 8B 44 24 0C-8B 4C 24 10-57 8B 7C 24-0C 8D 57 01 ïD$♀ïL$►Wï|$♀ìW☺
00810: C7 00 00 00-00 00 52 C7-01 00 00 00-00 E8 09 6A ╟ R╟☺ Φ○j
00820: 02 00 83 C4-04 85 C0 75-02 5F C3 56-33 C9 33 F6 ☻ â─♦à└u☻_├V3╔3÷
...
54FF0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
55000: 6A FF 68 98-02 43 00 64-A1 00 00 00-00 50 64 89 j hÿ☻C dí Pdë
55010: 25 00 00 00-00 51 56 8B-F1 89 74 24-04 E8 F0 7C % QVï±ët$♦Φ≡|
55020: 01 00 33 C0-89 44 24 10-8D 4E 0C C7-06 F0 21 43 ☺ 3└ëD$►ìN♀╟♠≡!C
55030: 00 6A FF 89-41 14 C7 41-18 0F 00 00-00 50 88 41 j ëA¶╟A↑☼ PêA
...
91FF0: 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
C0 02 00 00
Dos Header
(prefix w/ 2 values)
Alignments and
collision blocks
PE Header 1
PE Header 2
Sections set 1
Sections set 2
points to
points to
maps
maps
174

View Slide

Recap: CPC-IPC exploitation for PE f iles
1. Craft 2 DOS headers with enough difference:
- 1 block of alignment, 9 blocks of collision + 1 PE header
2. Compute CPC (a few hours)
3. Copy PE headers. Append sections.
Adjust Sections offsets.
-> instant collision of any pair of PE files
(with no code modification)
175

View Slide

Chaining collisions
176

View Slide

Chaining collisions
A collision makes two different contents have the same hash.
-> they can be chained like a tree.
Top nodes can be an IPC, others CPCs or UniColl
-> colliding more than 2 files
N collisions makes N+1 contents collide
177

View Slide

Collisions trees
PoeMD5:
8 UniColls displayed on the page.
https://github.com/corkami/collisions#pdf
A pile-up of 3 HashClashes
to collide 4 file types.
Nostradamus (2007):
11 HashClashes for 12 PDFs
https://www.win.tue.nl/hashclash/Nostradamus/
178

View Slide

All the known (implemented) collisions attacks on SHA1
179
📏
⌛
‽
2 blocks
11K USD
Start & end
Shattered
📏
⌛
‽
9 blocks
45K USD
Irrelevant
Shambles

View Slide

Shattered
a SHA-1 IPC
180

View Slide

Shattered
- an IPC for Sha1
- Computed only once (?)
- Differences at start and end
-> “easy” to exploit
Official PoCs: JPGs in PDFs
(PDFs embed JPGs natively)
📏
⌛
‽
2 blocks
6K years
Start & end
181

View Slide

Shattered f iles layout: different length => skip f irst image data
182

View Slide

Most formats declare Lengths before Type (LTV):
-> not good for hash collisions (type declaration is in random bytes)
JPG & MP4* are TLV & big endian -> exploitable w/ Shattered
Declare comment (FF FE for JPG, free for MP4)
then abuse length with collision difference.
Length / Type / Value <-> Type / Length / Value
*with 64b lengths
183

View Slide

For more details about Shattered exploitation:
https://speakerdeck.com/ange/exploiting-hash-collisions (2017)
184

View Slide

Shambles
a SHA-1 CPC
185

View Slide

186
0 1 2 3 4 5 6 7 01234567 0 1 2 3 4 5 6 7 01234567
99040d047fe81780 ........ 99030d047fe81780 ........
012000ff4b657920 . ..Key 011800ff50726163 ....Prac
6973207061727420 is part 746963616c205348 tical SH
6f66206120636f6c of a col 412d312063686f73 A-1 chos
6c6973696f6e2120 lision! 656e2d7072656669 en-prefi
4974277320612074 It's a t 7820636f6c6c6973 x collis
7261702179c61af0 rap!y... 696f6e211d276c6b ion!.'lk
afcc054515d9274e ...E..'N a661e1040e1f7d76 .a....}v
7307624b1dc7fb23 s.bK...# 7f076249ddc7fb33 ..bI...3
988bb8de8b575dba .....W]. 2c8bb8c2b7575dbe ,....W].
7b9eab31c1674b6d {..1.gKm c79eab2be1674b7d ...+.gK}
...
05a404fbdb12fc45 .......E 05a404f76312fc55 ....c..U
4d41fdd95cf24596 MA..\.E. 4141fddb9cf24586 AA....E.
64a2ad032d1da60a d...-... d0a2ad1f111da60e ........
73264075d7f1e0d6 s&@u.... cf26406ff7f1e0c6 .&@o....
c1403ae7a0d861df [email protected]:...a. e5403afb4cd861cb [email protected]:.L.a.
3fe5707188dd5e07 ?.pq..^. 33e5707348dd5e17 3.psH.^.
d1589b9f8b663055 .X...f0U 65589b83a7663051 eX...f0Q
3f8fc352b3e0c27d ?..R...} 838fc34a03e0c26d ...J...m
a80bddba4c64020d ....Ld.. a80bddb6f464021d .....d..
Birthday bits
Identical
Dif ferences
Pref ixes
offset
0x0000
0x0008
0x0010
0x0018
0x0020
0x0028
0x0030
0x0038
0x0040
0x0048
0x0050
...
0x0238
0x0240
0x0248
0x0250
0x0258
0x0260
0x0268
0x0270
0x0278

View Slide

Shambles
- a CPC for Sha1
- Same layout as HashClash:
9 blocks, 12 birthday bits
Official PoCs: PGP
📏
⌛
‽
9 blocks
45K USD
Irrelevant
Shambles
187

View Slide

188

View Slide

All the known (implemented) collisions attacks on MD5
📏
⌛
‽
two blocks
a few minutes
in pref ix
📏
⌛
‽
two blocks
a few seconds
in the middle
FastColl
UniColl
📏
⌛
‽
HashClash
189
7-9 blocks
a few hours
irrelevant

View Slide

They all appends random-looking blocks with tiny differences.
No, there's no other kind of attacks!
Nothing like:
- ascii-only
- incomplete blocks
- modify in the middle
Common points of all these attacks
190

View Slide

In 2008, a CPC Attack used to create a rogue SSL certificate.
(200 PS3, signing at an exact second,
4 attempts, 2 days of computation each…)
-> MD5 was considered dead for good.
-> no incentive for any further research.
Only 3 attacks?
https://medium.com/@sleevi_/a-history-of-hard-choices-c1e1cc9bb089 191

View Slide

Exploitations
patterns
File
(prefix)
Comment
(padding)
Header
Body
(chunks)
Footer
Identical Prefix
Chosen Prefix
Reusable IPC
Reusable CPC
CPC
192

View Slide

Layout of a re-usable collision exploit
Alignment
Suffix
Pref ix
193

View Slide

a cryptographic hash
a toy function
MD5 is
...have fun!
194

View Slide

2964F721 7EEEF375 983F0420 725976C2
60101938 18BDD53D 332E8131 25244205
04D9B9CE 80FF0958 EB01DAD4 9A4DAA18
AD894BEB A3A824B2 C94DB974 378499C2
478D436C 255C79F3 A7B2A523 CBA811FB
D7D0C870 1F1C6B5F 6EEBDFDF 4BA0AD41
31D8B06A 020B9399 B897DB50 499C7713
879C2E0B DB0267DD FE27A567 DDA5487C
2964F721 7EEEF375 983F0420 725976C2
601019B8 18BDD53D 332E8131 25244205
04D9B9CE 80FF0958 EB01DAD4 9ACDAA18
AD894BEB A3A824B2 C94DB9F4 378499C2
478D436C 255C79F3 A7B2A523 CBA811FB
D7D0C8F0 1F1C6B5F 6EEBDFDF 4BA0AD41
31D8B06A 020B9399 B897DB50 491C7713
879C2E0B DB0267DD FE27A5E7 DDA5487C
4CFB0E37 5E7078A2 31260B95 4550524A
$ file selfmd5-release.zip
selfmd5-release.zip: Sega Mega Drive / Genesis ROM image: "TOY MD5 COLLIDER" (GM 00000000-00, (C) MAKO 2017 )
$
Mako's “Toy MD5 Collider” for the MegaDrive
dd49d7eb...
195

View Slide

It takes 2 hours
1988: Sega Mega Drive/Genesis - 1992: MD5
196

View Slide

197

View Slide

Other UniColl-based exploits
for other formats
For more, see https://github.com/corkami/collisions
198

View Slide

PDF
Merge both documents, split /Kids in 2 part showing pages sets separately.
Declare a /Catalog objects that has its /Pages as object 2.
0040: .. .. ./ .P .a .g .e .s . .2 . .0 . .R \n .%
The other file will have its pages referenced as object 3.
0040: .. .. ./ .P .a .g .e .s . .3 . .0 . .R \n .%
More details @ https://github.com/corkami/collisions#pdf
199

View Slide

JPEG f ile structure
Comment segment in JPG: FF FE
Scans can be bigger than 64 kb -> split them via saving as progressive
200

View Slide

201
JPG
Use a FF FE COMment segments for alignement, then a comment of length 0x77
0000: FF D8 FF FE-00 03 .. FF FE 00 77 .. .. .. .. ..
The other file will have a longer segment of 0x177.
0000: FF D8 FF FE-00 03 .. FF FE 01 77 .. .. .. .. ..
CF https://github.com/corkami/collisions#jpg
In JPG specifications,
Chunks are called segments

View Slide

202
MP4 (+JP2, HEIF…)
Use FREE atoms, for alignement then of length 0x79
0040: .. .. .. .. .. .. .. 00 00 00 79 .F .R .E .E ..
The other file will have a longer chunk of 0x179.
0040: .. .. .. .. .. .. .. 00 00 01 79 .F .R .E .E ..
Adjusting absolute (!) offsets in sample tables is required.
More details @ https://github.com/corkami/collisions#mp4-and-others
In MP4 specifications,
Chunks are called Atom/Boxes

View Slide

File
format
Comment
bit length
Generic
collision
FastColl UniColl Shattered HashClash
GZIP 16 ✓ ✓* ✓* ✓
PDF 32 ✓ ✓* ✓
JPG 16 ✓ ✓* ✓* ✓
PNG 32 ✓ ✓* ✓
MP4 32/64 ✓ ✓* ✓* ✓
PE N/A ✓ ✓
GIF 8 ✗ ✓ ✓
ZIP-based
(DOCX, 3MF)
16 ✓ ✓
ELF/TAR
Mach-O/Class
✗ ✓
* restrictions
203

View Slide

Exploiting FastColl
It seems hard, but not necessarily impossible.
It's a matter of finding the right file format.
(AKA aligning planets)
Extra
204

View Slide

00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
50: 44 17 9B 70 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 CB BE 02
70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 88 31 5E 7A 1D
80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
90: 13 F2 BF 56 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 83 FB E0
00: .H .e .r .e . .i .s . .a . .f .i .l .e . .w
10: .i .t .h . .a . .f .e .w . .b .y .t .e .s 00
20: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
30: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
50: 44 17 9B F0 0A E0 D2 64 21 E2 38 E1 94 18 0A F6
60: 93 D2 B5 E4 FC 2F 3A 32 4F 50 46 01 F1 4B BF 02
70: 23 EE EF BF 92 B5 7C 29 D9 C5 66 08 31 5E 7A 1D
80: 2F 5A 9C 5C 12 8E DF F2 85 17 5B DD 67 25 05 78
90: 13 F2 BF D6 64 59 F2 C8 8B C3 00 6F 8B 5F 88 C6
A0: CB 3D 80 E4 9F 48 91 5E 34 06 D0 3A 8B 03 FB E0
B0: ED 18 67 0F C8 3A C9 A1 E7 48 F6 2A D2 5C 30 C0
Recap on FastColl
It’s just a matter of getting a format
to comply with the single byte differences.
Padding, for alignments
collision blocks’ randomness needs to be ignored
Differences need to be taken into account
Two contents need to coexist
⇤ ⇥
…‽…
…🛑?
205

View Slide

The Graphics Interchange Format
- FastColl based exploit: instant computation
- same dimensions and palettes, single frame.
- First image displayed for 10 minutes (each image is a different frame).
5c827c0eba9cfaa647c1a489bea77c60 *collision1.gif
/dʒɪf/ JIF
/ɡɪf/ GHIF
Specif ications from 1989
206

View Slide

Overview of the Graphics Interchange Format
207
- Punctuation delimited: ! , ;
- a frame can be made of several images
- header contains file palette & dimensions…
- Comments can only be later in the file, in extensions
-> no generic collisions for all GIFs

View Slide

More details
208
- A header, with dimensions and optional global palette
- Sequence of optional extensions and image data.
- comments are extensions.
- ImageData and Extension use the same SubBlocks structure .
- Global (file-wise) and local (image-wise) palettes can be too big.

View Slide

Structure lengths
7 bytes file-wide palette
(optional)
3-768 bytes Examples of extension:
- Graphical Control
defines delay between frames
- Comment
- Application
Defines looping
Image-wide palette
(optional)
3-768 bytes
SubBlocks-based
10 bytes
Variable-sized
(3-768 bytes)
Fixed size
209

View Slide

Specific structure for comments and image data in GIF:
Cut in chunks of 255 bytes max, starting with their length, until 00:
Examples of 2 equivalent comments:
07 .c .o .m .m .e .n .t
00
01 .c 04 .o .m .m .e 02 .n .t
00
GIF SubBlocks structures
210

View Slide

GIF SubBlocks impact
- can’t jump over anything longer than 255 bytes.
-> very restrictive
+ turns any non-null byte into a forward jump:
good for FastColl
211

View Slide

GIF data sled
Subblocks are common to image data and extensions (like comments):
- > extend comment to image data (turn pixels into comment)
Reliable w/ minor overhead.
212

View Slide

10 minutes delay
Graphical Control Extension:
Max delay between images
Long comment
Short comment
Common schema
213

View Slide

0330: .. .. .. ..-.. .. .. ..-.. .. .. ..-.. 21 FE 7B
0340: 7B 07 80 42-FF 65 E4 4E-1F 99 A0 E8-4D BC 59 EB
0350: E8 DA 58 CC-35 CF 2C 78-53 1E 79 D1-28 34 08 DA
0360: B5 DB FF C6-80 0F 3A 46-EF 0F FB 1C-F9 F1 E0 83
0370: CC FB ED 70-D9 21 A5 7D-0A A1 10 B6-A7 C5 6D E0
0380: 71 82 1F FA-AC 77 A9 12-DD 8E F2 14-9D 64 5B F8
0390: 3D 66 C5 AE-D3 97 8F 2B-6E B9 AB 4B-4B 1D A7 C1
03A0: A8 34 B5 2D-96 46 8A DE-A9 9C EF 18-6B 8C F8 08
03B0: 12 54 43 53-AD 8A 72 BA-19 83 66 B3-2F CF 85 FD
.... ...
7B 07 80 42-FF 65 E4 4E-1F 99 A0 E8-4D BC 59 EB
E8 DA 58 4C-35 CF 2C 78-53 1E 79 D1-28 34 08 DA
B5 DB FF C6-80 0F 3A 46-EF 0F FB 1C-F9 71 E0 83
CC FB ED 70-D9 21 A5 7D-0A A1 10 36-A7 C5 6D E0
71 82 1F FA-AC 77 A9 12-DD 8E F2 14-9D 64 5B F8
3D 66 C5 2E-D3 97 8F 2B-6E B9 AB 4B-4B 1D A7 C1
A8 34 B5 2D-96 46 8A DE-A9 9C EF 18-6B 0C F9 08
12 54 43 53-AD 8A 72 BA-19 83 66 33-2F CF 85 FD
Gif comment manipulation via FastColl
Chunk length: 0x33/0xB3
Def ines a comment
Chunk length: 0x7B
214

View Slide

GIF
Special chunk structure -> single byte = “jump”
Same structure used for data -> can use it to jump over image A.
Just put a delay for image A to display long enough.
After 10 minutes,
the images are identical. 215

View Slide

Common headers?
Headers include palette, dimensions:
-> use 2 images of same dimensions
-> normalize palette
Shortcut: merge them as 2 frames of the same animation,
with a comment, no looping, and maximum delay.
216

View Slide

GIF FastColl exploit
- combine 2 frames in a single animation with a comment.
- extend comment to align to 64 bytes
with a jump of 0x7B (points to the last difference in the collision blocks)
- compute FastColl
- append images suffix
- adjust comments to:
finish before first image: .! F9
slide into first image data : 08 FE
217

View Slide

Actual
example
218

View Slide

Alignment
6
00000300: [header palette ending...............] .! FE 2F
00000310: [comment for alignment.........................
...
00000330: ............................................ 7B
00000340: [collision block with its last difference......
00000350: at relative offset of 7B.......................
...
000003B0: ...............................] EA [..........
000003C0: [space to land to the shortest comment.........
000003D0: its length will vary, but......................
000003E0: the longest comment will always be 0x80 longer.
...
00000420: ................] 80 [..........................
...
000004A0: ................] 14 00 .! F9 04 00 FF FF FF 00
000004B0: 2C 00 00 00 00 F4 01 F4 01 00 08 FE 00 59 09 BC
SubBlocks
Image
Collision
blocks
Comment declaration
CF working script for reference 219

View Slide

Recap on GIF exploitation via FastColl
+ Comments are made of SubBlocks: declaration are separated from lengths.
-> compatible with FastColl (!)
- lengths are stored on a single byte -> can’t skip more than 255 bytes
+ image data is stored in SubBlocks too:
-> extend comment to image data*
+ use max delay (10 min) to the 1st frame to hide the 2nd one.
220
*A great idea from Marc Stevens

View Slide

Collision exploit
Instant GIF collision via FastColl
Certificate (hard)
Ange Albertini
INSTRUCTOR
COLLT IS
221

View Slide

FAQ
(FGA)
222

View Slide

Git doesn't use SHA-1 on files, but on objects.
https://git-scm.com/book/en/v2/Git-Internals-Git-Objects
SubVersion servers were unexpectedly broken.
Bittorrent indexes blocks with SHA-1.
-> Marc created a SHA-1 collision detection library
https://github.com/cr-marcstevens/sha1collisiondetection
What did SHA-1 break?
223

View Slide

What about SHA-2?
May 2019:
- MD5/SHA-1: "trivial".
- SHA-2: "clearly infeasible".
https://twitter.com/realhashbreaker/status/1128275424574832640
224

View Slide

Only f iles?
Protocols can also be attacked:
SLOT - CVE-2015-7575
Security Losses from Obsolete and Truncated Transcript Hashes
https://www.mitls.org/pages/attacks/SLOTH
Paper: Transcript Collision Attacks: Breaking Authentication in TLS, IKE, and SSH
225

View Slide

References
226

View Slide

227
2004: Dan Kaminsky: MD5 To Be Considered Harmful Someday
https://eprint.iacr.org/2004/357.pdf
https://dankaminsky.com/2004/12/06/46/
2004: Ondredj Mikle: Practical Attacks on Digital Signatures Using MD5 Message Digest
https://eprint.iacr.org/2004/356.pdf
IPC exploits papers
● 2005
Max Gebhardt, Georg Illies, Werner Schindler
A Note on the Practical Value of Single Hash Collisions for Special File Formats
● 2014 MalSHA1
Malicious Hashing: Eve’s Variant of SHA-1
Ange Albertini, Jean-Philippe Aumasson, Maria Eichlseder, Florian Mendel, Martin Schläffer
● 2017 Shattered
The first collision for full SHA-1
Marc Stevens, Elie Bursztein, Pierre Karpman, Ange Albertini, Yarik Markov
Slides a6cb4934...
Paper ac7a05b4...
Jean-Philippeʼs Slides aba7833e...
Paper 5c763e29...
Paper a3396362...
Marcʼs Crypto17 video
Elieʼs BlackHat slides video 1a17c315...
Pierre's RWC video slides 08e83064...
file format collaborator
instigator

View Slide

Current hash collision complexity
SHA1
MD5
IPC
265 2017 Stevens (Shattered) The first collision for full SHA-1
CPC
277 2013 Stevens New collision attacks on SHA-1
267 2019 Leurent From Collisions to Chosen-Prefix Collisions
IPC
216 2009 Stevens (FastColl) Short chosen-prefix collisions for MD5
CPC
239: 9 blocks 2009 Stevens (HashClash) Short chosen-prefix collisions for MD5
253: 1 block … …
246: 2 blocks 2019 Leurent From Collisions to Chosen-Prefix Collisions
228

View Slide

Hash collisions
in CTF
229

View Slide

MD5 collision on certificates by Enzo.
500 pts, 0 solves :(
HrefIn
230

View Slide

Looking Glass
MD5 collision on ProtoBuf by mlen.
330 pts, 11 solves.
231

View Slide

Acknowledgments
Research:
Marc Stevens
Workshop:
Barbie Auglend, Christophe Brocas, Philippe Teuwen.
Improvments:
Jean-Philippe Aumasson, Nicolas Grégoire, Enzo Puig, Mateusz Lenik,
Enrico Bacis.
232

View Slide

233
Thank you for making it this far!
Any feedback is welcome!
@angealbertini or ✉ [email protected]
233
LET’s PLAY
LET’s PLAY

View Slide

Colltris

Colltris

Ange Albertini

More Decks by Ange Albertini

Other Decks in Technology

Featured

Transcript