Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Schizophrenic files v2

Ange Albertini
September 05, 2014
Technology
0
850

Schizophrenic files v2

2 parsers, 1 file

This is an updated version of my collaboration with Gynvael Coldwind.

Presented at MRMCD 2014
MetaRheinMainConstructionDays
5th september 2014
HS Darmstadt, Germany

video: http://media.ccc.de/browse/conferences/mrmcd/mrmcd14/MRMCD2014_-_6008_-_en_-_grossbaustelle_ber_-_201409051930_-_schizophrenic_files_-_ange_albertini.html

Ange Albertini

September 05, 2014
Tweet

More Decks by Ange Albertini

See All by Ange Albertini
Overview of file type identifiers
ange
0
740
A question of time
ange
0
940
SBuD: InfoVis in InfoSec
ange
1
780
Generating Weird Files
ange
0
240
Technical challenges with file formats
ange
1
2.1k
Inside out - abusing archive file formats
ange
3
1.8k
Relations between archive formats
ange
0
1.9k
Beyond your studies v2
ange
2
900
Generating weird files
ange
0
3.4k

Other Decks in Technology

See All in Technology
ドメインの本質を掴む / Get the essence of the domain
sinsoku
2
150
10XにおけるData Contractの導入について: Data Contract事例共有会
10xinc
5
610
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
410
Amazon Personalizeの レコメンドシステム構築、実際何するの? 〜大体10分で具体的なイメージをつかむ〜
kniino
1
100
スクラム成熟度セルフチェックツールを作って得た学びとその活用法
coincheck_recruit
1
140
AGIについてChatGPTに聞いてみた
blueb
0
130
【若手エンジニア応援LT会】ソフトウェアを学んできた私がインフラエンジニアを目指した理由
kazushi_ohata
0
150
第1回 国土交通省 データコンペ参加者向け勉強会③ - Snowflake x estie編 -
estie
0
130
AWS Media Services 最新サービスアップデート 2024
eijikominami
0
200
The Role of Developer Relations in AI Product Success.
giftojabu1
0
120
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
0
110
透過型SMTPプロキシによる送信メールの可観測性向上: Update Edition / Improved observability of outgoing emails with transparent smtp proxy: Update edition
linyows
2
210

Featured

See All Featured
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
16
2.1k
A Modern Web Designer's Workflow
chriscoyier
693
190k
Designing Experiences People Love
moore
138
23k
ReactJS: Keep Simple. Everything can be a component!
pedronauck
665
120k
What's in a price? How to price your products and services
michaelherold
243
12k
Faster Mobile Websites
deanohume
305
30k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
26
2.1k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
8
860
What’s in a name? Adding method to the madness
productmarketing
PRO
22
3.1k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
93
16k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Build The Right Thing And Hit Your Dates
maggiecrowley
33
2.4k

Transcript

  1. Schizophrenic files Ange Albertini MetaRheinMainConstructionDays MRMCD 5-7 september 2014 HS

    Darmstadt www.mrmcd.net 2014/09/05

  2. Gynvael Coldwind Security researcher,Google Dragon Sector captain likes hamburgers http://gynvael.coldwind.pl/

    This talk is a collaboration with:

  3. Ange Albertini reverse engineering & visual documentations @angealbertini [email protected] http://www.corkami.com

  4. None

  5. 1 file, 2 programs ⇒ 2 different contents No active

    detection of the program in the file

  6. Fooling, not failing Both programs will load the file correctly:

    No reported warning or error, no exploitation.

  7. Abusing parsers for • fun • bypassing security ◦ same-origin

    policy ◦ evade detection ◦ exfiltration ◦ signing ▪ Android Master Key

  8. ZIP

  9. excerpt from Gynvael's talk: "Dziesięć tysięcy pułapek: ZIP, RAR, etc."

    (http://gynvael.coldwind.pl/?id=523)

  10. ZIP archives

  11. ZIP structures are parsed from the end.

  12. File names are actually duplicated.

  13. Why this weird structure?

  14. ZIP archives were commonly read & written on the fly

    over multiple floppies.

  15. • creation a. create one LFH per file Floppy full

    ⇒ start a new LFH on the next floppy b. when all files are finished, write CDs sequence (1/file) c. when all CDs are written, write the EoCD • extraction a. insert last floppy (contains the EoCD) b. insert the floppy with 1st CD (often, the last floppy contains EoCD + all CDs) c. insert the corresponding LFH’s first floppy insert next floppies if required Minimize floppy swaps

  16. ZIP was very useful, but now it’s awkward. Newer archive

    formats are parsed top-down.

  17. Position in the file

  18. Prepended and appended data is tolerated...

  19. ...but not too much! (for obvious performance reason)

  20. Duplicating the (relatively small) EoCD increases compatibility.

  21. Scanning direction

  22. If you concatenate 2 archives...

  23. ...if you parse bottom-up (standard), you find the 2nd one...

  24. ...but you will get the other archive if you parse

    top-down.

  25. Superfluous headers

  26. You could parse everything nicely...

  27. ...but in the end, only the Local File Headers matter.

  28. 1 file = 1 Local File Header

  29. Since most ZIP archives start with a sequence of Local

    File Headers...

  30. You can parse them top-down (until a break) and ignore

    the CD and EoCD.

  31. Standard parsing: bottom-up + all headers

  32. “Efficient” parsing: top-down + LFHs only Not standard, but good

    enough in most cases.

  33. Nowadays, most ZIPs are a sequence of LFHs from the

    start

  34. ZIP Archive comment

  35. The EoCD contains an optional comment field...

  36. ...that can contain a complete archive !

  37. • Parsing direction: ◦ standard is bottom-up ◦ parsing LFHs

    from the start would work in most cases • ZIP should be located near the end of the file ◦ or at least, its EoCD • An archive comment can contain another complete archive Recap

  38. Let's test the parsers! abstract.zip

  39. 4 LFHs, 4 ways to parse this archive:

  40. 1/ you parse it bottom-up

  41. 2/ you parse it top-down

  42. 3/ look for LFHs from the start (until a break)

  43. 4/ scan for LFHs aggressively (you get all four)

  44. Portable Document File

  45. http://youtu.be/JQrBgVRgqtc?t=11m15s https://speakerdeck.com/ange/pdf-secrets-hiding-and-revealing-secrets-in-pdf-documents?slide=44

  46. None

  47. PDF Trick #1 trailers

  48. trailer ⇒ root object ⇒ complete document

  49. … … … a line comment - a correct trailer

    - a corrupted trailer

  50. Each reader sees a different trailer.

  51. PDF parsing Each reader sees a completely different document 3

    co-existing documents, all parsed through Viewers tolerance makes foreign elements ignored

  52. Also available in PDF/A flavor (OK for Adobe Reader, but

    not for Preflight)

  53. sometimes, it’s in the specs... ...but who knows all of

    them ? (obscurity via over-specification)

  54. Notice anything unusual?

  55. This document contains layers. (an advanced feature)

  56. What you see is not what you’ll get...

  57. “Optional Content Configuration” • principles ◦ define layered content via

    various /Forms ◦ enable/disable layers on viewing/printing • no warning when printing • “you can see the preview!” ◦ bypass preview by keeping page 1 unchanged ◦ just do a minor change in the file PDF Layers 1/2

  58. • it’s Adobe only ◦ what’s displayed varies with readers

    ◦ could be hidden via previous schizophrenic trick • it was in the specs all along ◦ very rarely used ◦ can be abused with no warning PDF Layers 2/2

  59. BMP

  60. BMP A pointer to some information that usually comes next…

    What could go wrong...

  61. BMP Trick #1: ignoring the data pointer getting data right

    after the header getting data via the pointer (standard)

  62. Trick #2: Run-Length Encoding

  63. BMP RLE trick RLE structure (each box is 1 byte)

    Length >0 Palette Index (color) Length 0 End of Line 0 Length 0 End of Bitmap 1 Length 0 Move Cursor 2 X offset Y offset Length 0 RAW Length >2 Palette Index (color) Palette Index (color) ...

  64. BMP RLE trick If you just skip pixels, what is

    their color? Length 0 End of Line 0 Length 0 End of Bitmap 1 Length 0 Move Cursor 2 X offset Y offset

  65. Option 1 The missing data will be filled with background

    color. (palette index 0)

  66. Option 2 The missing data will be black.

  67. Option 3 The missing data will be transparent.

  68. PNG Portable Network Graphics

  69. Combined data + 2 palettes Same data chunk combining 2

    images via 2 palettes cute PoC by @reversity “There shall not be more than one PLTE chunk”

  70. Different images depending on which PLTE chunk is used

  71. Portable Executable

  72. PE = complex + badly documented • fail or fool

    external tools ? too easy... • fooling Windows is much harder: ◦ Windows’ loader usually closes holes ⇒ older PEs just not working anymore the PE Loader

  73. PE Trick #1 Data directory loading order

  74. Pointing TLS’ AddressOfIndex to an Import descriptor

  75. W7: TLS is loaded first ⇒ AoI’s address set to

    0 ⇒ Imports descriptors’s sequence is truncated before loading

  76. XP: Imports are loaded first - all descriptors are parsed

    TLS is then parsed - descriptors are not relevant anymore

  77. PE Trick #2 Relocations

  78. Relocations: patching absolute addresses to solve address space conflicts

  79. W8 Vista XP Relocations types Type 4 HIGH_ADJ -- --

    ✓ Type 9 MIPS_JMPADDR16 IA64_IMM64 MACHINE_SPEC_9 32 bit 64 bit ✗

  80. Relocations on relocations Type 4 HIGH_ADJ -- -- ✓ Type

    9 MIPS_JMPADDR16 IA64_IMM64 MACHINE_SPEC_9 32 bit 64 bit ✗ Type 10 DIR64 ✓ ✓ ✓ as seen in PoC ||G TFO #1

  81. Relocation-based PE Schizophren

  82. Julian Bangert, Sergey Bratus -- ELF Eccentricities https://www.youtube.com/watch?v=4LU6N6THh2U

  83. GIF

  84. GIF A GIF is made of blocks. if no animation

    speed is defined, they should all be displayed at once.

  85. GIF If a frame speed is defined, then: first block

    = background next blocks = animation frames Background (from block 1) Frame 1 (with block 2) Frame 2 (with block 3)

  86. GIF Frame 1 Frames 2-10001 1x1 px Frame 10002 1

    complete pic + 10.000 pixels + 1 complete pic

  87. Forcing animation (even if no frame speed is defined) Displaying

    all blocks at once (standard)

  88. same-tool schizophrenia 1 file + 1 tool = 2 behaviors

    (in different sub-components)

  89. Because it was too simple... • WinRar: viewing ⇔ extracting

    ◦ opening/failing ◦ opening/’nothing’ • Adobe: viewing ⇔ printing ◦ well, it’s a feature

  90. Failures & Ideas

  91. Failures & Ideas • screen ⇔ printer ◦ embedded color

    profiles? • JPG ◦ IrfanView vs the world • Video ◦ FLV: early data pointer, like BMP PoC: video fails but plays sound

  92. PNG Various ancillary chunks (rendering level) • partially supported: ◦

    gamma ◦ transparency (for palettes) • never supported? ◦ significant bits ◦ chromacities • always supported? ◦ physical size

  93. Conclusion

  94. We tend to take our own shortcuts.

  95. Conclusion • such a mess ◦ specs are messy ▪

    unclear ▪ historical reasons ◦ parsers don’t even respect them (particularly when there is an easy shortcut) ◦ official tools “forced” to be tolerant ▪ They’re even trying to repair corrupted files (!) • no CVE/blaming for parsing errors? ◦ no security bug if no crash or exploit :(

  96. Schizophrenia symptoms • different parsing (seeing different data) ◦ BMP:

    ignoring data pointer ◦ ZIP: different parsing algorithm & directions ◦ PE: different data directory loading order ◦ PDF: different trailer parsing • different interpretation (same data) ◦ GIF: ignoring animation speed ◦ BMP RLE: using different default color ◦ PE: different relocations implementation ◦ PNG: using different palette ◦ PDF: conditional layers

  97. ACK @gynvael @reversity @travisgoodspeed @sergeybratus qkumba @internot @pdfkungfoo @j00ru ise

    ds vx, Mulander Felix Groebert, Salvation

  98. @angealbertini corkami.com Damn, that's the second time those alien bastards

    shot up my ride!