a binary chimera
3 headers & 1 data body in a single file
Ange Albertini, March 2014
chimera /kʌɪˈmɪərə, kɪ-/
noun
1. (in Greek mythology) a fire-breathing female monster with a lion's head, a goat's body, and a serpent's tail.
what is it?
a file that is:
● a JPG
● a PDF
● a ZIP
that’s all?
is it just 3 stacked formats?
if only >:-)
a binary chimera
the image data is present only once:
all 3 file formats rely on the same body.
1 data body, 3 different headers (PDF/ZIP/JPG)
→ chimera
why?
● why not!
● just a PoC for me
○ but maybe a fixed bug for you
it shows that
● too many file format specs suck!
○ which decreases our security
starting ideas
● PDF can use unmodified JPG files
○ we just need to duplicate the JPG header
○ and trick the JPG header to find its data ‘further’ than expected
● ZIP can store data unmodified
○ we just need to trick the ZIP structure to find its file data within the PDF
magic signature
● JPEG FF D8 offset 0
● PDF %PDF-1.x within range 0-1024
● ZIP PK\x03\x04 anywhere
→ our file starts with FF D8 at offset 0
we need to ‘hide’ the rest
hiding PDF/ZIP data from JPEG
● JPEG is chunk-based (called segments)
→ add comment segments to cover PDF/ZIP
syntax:
FF FE <length:+2> <data>
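As an added example (my code, not from the slides or the corkami PoC), the following Python turns the two slides above into a check: it applies the three loose signature rules (JPEG at offset 0, %PDF-1.x within the first 1024 bytes, a ZIP local file header anywhere) and then walks the JPEG segment list, reporting any comment segment (FF FE, 2-byte big-endian length that counts itself) whose payload carries a PDF or ZIP signature. The sample input is a constructed JPEG-shaped blob, not a real chimera or a valid PDF/ZIP; all function names are mine.

```python
import struct

# Loose magic rules from the slides: JPEG at offset 0, %PDF-1.x within the
# first 1024 bytes, a ZIP local file header anywhere.
JPEG_SOI = b"\xff\xd8"
PDF_SIG = b"%PDF-1."
ZIP_LFH = b"PK\x03\x04"


def detect_signatures(data: bytes) -> dict:
    """Where each signature matches; -1 means absent."""
    return {
        "jpeg_at_0": data[:2] == JPEG_SOI,
        "pdf_offset": data.find(PDF_SIG, 0, 1024 + len(PDF_SIG)),
        "zip_offset": data.find(ZIP_LFH),
    }


def is_chimera_candidate(data: bytes) -> bool:
    """Two or more formats claiming the same bytes is worth a second look."""
    s = detect_signatures(data)
    return sum([s["jpeg_at_0"], s["pdf_offset"] >= 0, s["zip_offset"] >= 0]) >= 2


def jpeg_segments(data: bytes):
    """Yield (offset, marker, payload) for each JPEG segment up to SOS/EOI.

    Segment layout: FF <marker> <len: 2 bytes big-endian, counts itself> <payload>.
    Stand-alone markers (SOI, EOI, RSTn, TEM) carry no length field.
    """
    if data[:2] != JPEG_SOI:
        return
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            return  # lost sync: not at a segment boundary
        marker = data[pos + 1]
        if marker == 0xFF:  # fill byte before a marker
            pos += 1
            continue
        if marker in (0xD8, 0xD9, 0x01) or 0xD0 <= marker <= 0xD7:
            yield pos, marker, b""
            if marker == 0xD9:  # EOI: anything after this is trailing data
                return
            pos += 2
            continue
        if pos + 4 > len(data):
            return  # truncated length field
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        payload = data[pos + 4:pos + 2 + length]
        yield pos, marker, payload
        if marker == 0xDA:  # SOS: entropy-coded data follows, stop walking
            return
        pos += 2 + length


def suspicious_comments(data: bytes) -> list:
    """COM segments (FF FE) whose payload hides a PDF or ZIP signature."""
    hits = []
    for off, marker, payload in jpeg_segments(data):
        if marker != 0xFE:
            continue
        for fmt, sig in (("pdf", PDF_SIG), ("zip", ZIP_LFH)):
            if sig in payload:
                hits.append((off, fmt, len(payload)))
    return hits


def com_segment(payload: bytes) -> bytes:
    """Build one COM segment; the length field counts itself (+2)."""
    return b"\xff\xfe" + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: JPEG framing whose comment segments carry the two
# foreign signatures. Not a working PDF or ZIP, just enough for the checks.
SAMPLE = (
    JPEG_SOI
    + com_segment(b"%PDF-1.4\n1 0 obj\n<<>>\nstream\n")
    + com_segment(ZIP_LFH + b"\x00" * 26 + b"dummy")
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print(detect_signatures(SAMPLE))
    print(suspicious_comments(SAMPLE))
```

The walker stops at SOS because the entropy-coded scan data that follows is not segment-structured; a foreign header placed after EOI (the "superfluous comment segment" trick later in the slides) shows up as trailing bytes rather than as a segment, so a file scanner should also compare the EOI offset against the file length.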
hiding JPEG/ZIP data from PDF
● PDF is not parsed until signature is met
→ the JPEG header is ignored
● PDF is object-based
● dummy stream objects to cover ZIP/JPG
PDF stream object
<unused number> 0 obj
<<>>
stream
<data>
endstream
endobj
Problem: in a ZIP,
the file data directly follows its LocalFileHeader
→ the start of the PDF image object overlaps the LocalFileHeader :(
Solution:
ZIP contains 2 filename entries:
● in CentralDirectory (important one)
● in each LocalFileHeader (discardable)
→ abused the LFH’s filename to overlap the PDF object start (not 100% compatible)
elegance++
● cover extra data after JPEG end with a superfluous comment segment
● cover extra PDF data by extending the ZIP archive comment (in EoCD)
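The two ZIP tricks above (an LFH filename that disagrees with the CentralDirectory, and an EoCD comment stretched to cover foreign data) both leave the archive internally inconsistent in ways a parser can measure. As an added example that is not part of the slides or the corkami PoC, this Python audits a ZIP byte string for exactly those signs: bytes in front of the archive (the offset shift between stored positions and real ones), declared versus actual trailing comment length, and every member whose LocalFileHeader name disagrees with its CentralDirectory name. The sample archives are constructed with the standard zipfile module and then tampered in place; function names are mine.

```python
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"   # end of central directory record
CDH_SIG = b"PK\x01\x02"    # central directory file header
LFH_SIG = b"PK\x03\x04"    # local file header


def audit_zip(data: bytes) -> dict:
    """Cross-check the redundant ZIP structures a chimera has to play with."""
    # Assumes the archive comment itself does not contain the EOCD magic.
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    # EOCD: total entries @10, CD size @12, CD offset @16, comment length @20
    entries, cd_size, cd_offset, comment_len = struct.unpack_from("<HIIH", data, eocd + 10)
    shift = eocd - (cd_offset + cd_size)  # > 0 means a foreign header sits in front
    report = {
        "leading_bytes": shift,
        "comment_declared": comment_len,
        "comment_actual": len(data) - (eocd + 22),
        "name_mismatches": [],
    }
    pos = cd_offset + shift
    for _ in range(entries):
        if data[pos:pos + 4] != CDH_SIG:
            raise ValueError(f"bad central directory header at {pos}")
        # CDH: name length @28, extra length @30, comment length @32, LFH offset @42
        name_len, extra_len, cmt_len = struct.unpack_from("<HHH", data, pos + 28)
        lfh = struct.unpack_from("<I", data, pos + 42)[0] + shift
        cd_name = data[pos + 46:pos + 46 + name_len].decode("latin-1")
        if data[lfh:lfh + 4] != LFH_SIG:
            report["name_mismatches"].append((cd_name, None))
        else:
            # LFH: name length @26, name @30
            lfh_name_len = struct.unpack_from("<H", data, lfh + 26)[0]
            lfh_name = data[lfh + 30:lfh + 30 + lfh_name_len].decode("latin-1")
            if lfh_name != cd_name:
                report["name_mismatches"].append((cd_name, lfh_name))
        pos += 46 + name_len + extra_len + cmt_len
    return report


def make_archive(member: bytes, comment: bytes = b"") -> bytes:
    """Constructed sample: a one-member stored archive built with zipfile."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("body.jpg", member)
        zf.comment = comment
    return buf.getvalue()


def with_corrupt_lfh_name(archive: bytes, new_name: bytes) -> bytes:
    """Overwrite the first LFH filename in place (same length), as the slide does."""
    i = archive.find(LFH_SIG)
    name_len = struct.unpack_from("<H", archive, i + 26)[0]
    if len(new_name) != name_len:
        raise ValueError("replacement name must keep the LFH length unchanged")
    return archive[:i + 30] + new_name + archive[i + 30 + name_len:]


if __name__ == "__main__":
    clean = make_archive(b"jpeg body bytes")
    print(audit_zip(clean))
    print(audit_zip(b"\xff\xd8" + b"\x00" * 30 + clean))        # leading bytes
    print(audit_zip(with_corrupt_lfh_name(clean, b"XXXXXXXX")))  # LFH/CD disagree
```

Tools like 7z and Python's ZipFile reject the mismatched LFH name (the slide's "partial failure"), but a permissive extractor that trusts only the CentralDirectory would accept it, so a gateway scanner should apply both checks itself rather than rely on whichever extractor happens to run later.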
summary
icing on the cake
● all written by hand
● generated in ASM
● not specific to my JPEG/PDF/ZIP data
as usual ;)
partial failure
not fully “compatible”
● ZIP LFH name corrupted :(
○ 7z, ZipFile don’t support it
● Adobe Reader blacklists JPEG-starting PDFs
→ need to slightly corrupt JPEG header
→ some JPEG viewers don’t support it :(
JPEG corrupted to let PDF open under Adobe
easy to fix, would break Adobe
Conclusion
● yet another kind of file format puzzle
○ new?
● chimeras aren’t legend anymore :p
● source & PoC
○ http://corkami.googlecode.com/svn/trunk/src/chimera
ACK
Binary masters
● Julia Wolf, Jonas Magazinius, Gynvael Coldwind
PoC||GTFO neighbors
● Travis Goodspeed, Sergey Bratus
Feedbackers
● @munin @LeBurek @rfc1459 @InfoSec208
Promising jedi ;)
● Dominique Bongard
Questions/suggestions?
@angealbertini
Want more?
read PoC||GTFO !