Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Funky File Formats - 31c3

Funky File Formats - 31c3

Ange Albertini

December 29, 2014
Tweet

More Decks by Ange Albertini

Other Decks in Technology

Transcript

  1. AES K ( ) If you encrypt the original file

    with AES again, but with a different key... 2
  2. 1 3DES So, as you can see, I’m just a

    normal guy (who likes to play with binary). AES K AES K JPG JAR (ZIP + CLASS) PDF FLV PNG 2
  3. “Magic” signatures, enforced at offset 0 Obvious PE\0\0 \x7FELF BPG\xFB

    \x89PNG\x0D\x0A\x1A\x0A dex\n035\0 RAR\x1a\7\0 BZ GIF89a BM RIFF Egocentric MZ (DOS header) Mark Zbikowski PK\3\4 (ZIP) Philip Katz BPG\xFB Fabrice Bellard Not obvious, but l33tsp34k ^_^ CAFEBABE Java / universal (old) Mach-O DOCF11E0 Office FEEDFACE Mach-O FEEDFACF Mach-O (64b) Specific logic TIFF: II Intel (little) endianness MM Motorola (big) endianness Flash: FWS ShockWave Flash (Flat) CWS (zlib) compressed ZWS LZMA compressed Not obvious GZip 1F 8B JPG FF D8
  4. File formats not enforcing signature at offset 0 (ZIP is

    used in many formats: APK, ODT, DOCX, JAR…) not enforcing signature at offset 0: ZIP, 7z, RAR, HTML actually enforcing signature at offset 0: bzip2, GZip
  5. Hardware-bound formats: code/data at offset 0 ‘header’ often (optionally) later

    in the memory space • TAR: Tape Archive • Disk images: ISO, Master Boot Record • TGA (image) • (Console) roms
  6. It’s a complete cow (you can see its whole body),

    with something next: appending something doesn’t invalidate the start.
  7. formats not enforced at offset 0 + tolerating appended data

    = polyglots by concatenation ZIP HTML PDF PE
  8. If a cow keeps a frog in its mouth, it

    can also speak 2 languages! (the outer leaves space for an inner)
  9. ...if our cow swallows a microSD, it’s still a valid

    cow! Even if it contains foreign data, that is tolerated by the system.
  10. the PDF part is stored in a Java buffer 2

    infection chains in one file:
  11. $ unzip -l pocorgtfo06.pdf Archive: pocorgtfo06.pdf warning [pocorgtfo06.pdf]: 10672929 extra

    bytes at... (attempting to process anyway) Length Date Time Name --------- ---------- ----- ---- 4095 11/24/2014 23:44 64k.txt 818941 08/18/2014 23:28 acsac13_zaddach.pdf 4564 10/05/2014 00:06 burn.txt 342232 11/24/2014 23:44 davinci.tgz.dvs 3785 11/24/2014 23:44 davinci.txt 5111 09/28/2014 21:05 declare.txt 0 08/23/2014 19:21 ecb2/ PoC||GTFO 0x6: TAR || PDF || ZIP $ tar -tvf pocorgtfo06.pdf -rw-r--r-- Manul/Laphroaig 0 2014-10-06 21:33 %PDF-1.5 -rw-r--r-- Manul/Laphroaig 525849 2014-10-06 21:33 1.png -rw-r--r-- Manul/Laphroaig 273658 2014-10-06 21:33 2.bmp
  12. Farmer got denied permit to build a horse shelter. So

    he builds a giant table & chairs which don’t need a permit.
  13. This is how another dev sees a cow ! (this

    one: brazilian beef cut - previous: french beef cut)
  14. a schizophrenic PDF: 3 different trailers, seen by 3 different

    readers commented line missing trailer keyword
  15. a (generated) PDF || PE || JAR [JAVA+ZIP] || HTML

    polyglot... PDF viewer PDF slides
  16. $ du -h stringme 141 stringme $ strings stringme Segmentation

    fault (core dumped) Extra problem: parsers can be present in unexpected places http://lcamtuf.blogspot.de/2014/10/psa-dont-run-strings-on-untrusted-files.html (CVE-2014-8485)
  17. an encrypted file is not always “encrypted” ⇒ encrypt(file) is

    not always “random” encrypt(file) can be valid
  18. .D.A.T.A.[.1.2.3.4.5.6.7.8.9.A.B .C.D.E.F.].E.N.D .T.E.X.T0A.t.h.i.s. .i.s. .a. .t .e.x.t0A ? We want

    to encrypt a DATA file to a TEXT file. DATA tolerates appended data after it’s END marker TEXT accepts /* */ comments chunk (think ‘parasite in a host’)
  19. .D.A.T.A.[.1.2.3.4.5.6.7.8.9.A.B .C.D.E.F.].E.N.D .T.E.X.T./.* <ignored random rest> We can’t control the

    rest of the garbage… so let’s put a comment start in the first block +IV2
  20. .D.A.T.A.[.1.2.3.4.5.6.7.8.9.A.B .C.D.E.F.].E.N.D .T.E.X.T./.* <ignored random rest> .*./0A.t.h.i.s. .i.s. .a. .t

    .e.x.t0A If we close the comment and append the target file’s data in the encrypted file. then this file is valid and equivalent to our initial target.
  21. .D.A.T.A.[.1.2.3.4.5.6.7.8.9.A.B .C.D.E.F.].E.N.D <pre-decrypted ignored random> .T.E.X.T./.* <ignored random rest> .*./0A.t.h.i.s.

    .i.s. .a. .t .e.x.t0A ...then we decrypt that file: we get the original source file, with some random data, that will be ignored since it’s appended data. +IV2
  22. .D.A.T.A.[.1.2.3.4.5.6.7.8.9.A.B .C.D.E.F.].E.N.D <pre-decrypted ignored random> .T.E.X.T./.* <ignored random rest> .*./0A.t.h.i.s.

    .i.s. .a. .t .e.x.t0A Since AES CBC only depends on previous blocks, this DATA file will indeed encrypt to a TEXT file. +IV2
  23. 00: 4441 5441 5b31 3233 3435 3637 3839 4142 DATA[123456789AB

    10: 4344 4546 5d45 4e44 0000 0000 0000 0000 CDEF]END........ 20: f6fe 17cf 0802 7449 58de cdf2 f9c4 45ce ......tIX.....E. 30: 2e8e 6996 5854 824c c09c 1b7d 4898 a29e ..i.XT.L...}H... openssl enc -aes-128-cbc -nopad -K `echo OurEncryptionKey|xxd -p` -iv A37A69F13417F5AB3CC4A1546B97FD76 00: 5445 5854 2f2a 0000 0000 0000 0000 0000 TEXT/*.......... 10: 3f81 11a9 2540 ded5 096a 83c9 f191 d8bb ?...%@...j...... 20: 2a2f 0a74 6869 7320 6973 2061 2074 6578 */.this is a tex 30: 740a 454e 4400 0000 0000 0000 0000 0000 t.END........... You can even try it at home :)
  24. BMP let us define bit masks for each color: 32

    bits: 0000000000000000rrrrrggggggbbbbb (no alpha) ⇒ 16 bits of free space!
  25. 1. store sound in the lower 16 bits: sound ignored

    by BMP image data too low to be audible 2. store a picture encoded as sound ◦ viewable as spectrogram http://wiki.yobi.be/wiki/BMP_PCM_polyglot Consider the BMP as RAW 32b PCM
  26. ...with an unused palette palette picture data = each byte

    is an index in the palette in theory, it could be used:
  27. How to make a pic-ception adjust each RGB value to

    the closest palette index ⇒ store a second picture with the same data…. (original idea by @reversity)
  28. We get another picture of the same type from the

    same data! BTW, that’s a barcode inception: a DataMatrix barcode inside a QRCode, both valid https://www.iseclab.org/people/atrox/qrinception.pdf
  29. Hash collisions This is the actual SHA-1 with only 4

    of its 5 constants modified This doesn’t give a collision in the actual SHA-1
  30. 2 colliding blocks: mostly random and unpredictable At most three

    consecutive bytes without a difference. Typically, in every dword, only the middle two bytes have no differences.
  31. Even songs should also have a nice PoC (never forget

    to load your PDFs in your favorite NES emulator)
  32. Ange’s recipes :) Never forget to: • open your PDFs

    in a hex editor • open your pictures in a sound player • run your documents in a console emulator • encrypt/decrypt with any cipher • double-check what you printed
  33. F.F.F. conclusion • many abuses of the specs ◦ specs

    often are wrong or misleading • few parsers, even fewer dissectors • standard tools evolve the wrong way ◦ try to repair ‘corrupted’ file outside the specs ◦ standard and recovery mode For technical details, check my previous talks.
  34. ACK @doegox @pdfkungfoo @veorq @reversity @travisgoodspeed @sergeybratus qkumba @internot @gynvael

    @munin @solardiz @0xabadidea @ashutoshmehra lytron @JacobTorrey @thicenl …and anybody who gave me feedback!
  35. Bonus after the talk, we tried some PoCs on professional

    (very expensive!) forensic softwares: • polyglot files ◦ a single file format found + no warning whatsoever • schizophrenic files: ◦ no warning yet different tabs of the same software showing different content :D BIG FAIL - yet we trust them for court cases ?
  36. ** *this is a valid.. ** Albertini ...TAR & Adobe

    PDF: PoC or ____ _____ _____ ___ _ / ___|_ _| ___/ _ \ | | | | _ | | | |_ | | | ||_| | |_| | | | | _|| |_| | _ \____| |_| |_| \___/ |_| %PDF-1. trailer<</Root<</Pages<<>>>>>> The initial abstract of this talk: ASCII-only, PDF/TAR polyglot
  37. Solar Designer made a great keynote - that’s actually a

    real game to play! But one have to load and play through the game - not so accessible! http://openwall.com/presentations/ZeroNights2014-Is-Infosec-A-Game/
  38. $ unzip -t ZeroNights2014-Is-Infosec-A-Game.pdf Archive: ZeroNights2014-Is-Infosec-A-Game.pdf warning [ZeroNights2014-Is-Infosec-A-Game.pdf]: 6381506 extra

    bytes (attempting to process anyway) testing: ZN14GAME/ OK testing: ZN14GAME/COMMON/ OK ... a PDF: • containing the game as ZIP • hand-written ◦ with walkthrough’s screenshots (in original resolution) ◦ a lightweight title ◦ while maintaining compatibility a good way to distribute as a single file!