funky file formats - 31c3
TRANSCRIPT
![Page 1: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/1.jpg)
Funky File Formats
Ange Albertini
2014/12 - 31C3
FunkyFileFormats
![Page 2: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/2.jpg)
Ange Albertini
reverse engineering & visual documentations
@[email protected]
www.corkami.com
![Page 3: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/3.jpg)
So, this talk is about files… what are the usual files’ categories?
![Page 4: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/4.jpg)
It depends if you’re a newbie, a user, a dev, a hacker...
![Page 5: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/5.jpg)
...but in general, valid files aren’t very sexy!
![Page 6: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/6.jpg)
However, the frontier between valid and corrupted is not straight and clear!
![Page 7: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/7.jpg)
Here is a valid file…
f76f5dafdcf0818c457e6ffb50ea61a67196dcd4 *ccc.jpg
(ok, maybe not a standard file)
![Page 8: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/8.jpg)
This is a JPEG picture...
![Page 9: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/9.jpg)
...that’s also a Java file.
![Page 10: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/10.jpg)
If you encrypt it with AES...
![Page 11: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/11.jpg)
… you get a PNG picture.
![Page 12: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/12.jpg)
If you decrypt it with Triple DES...
![Page 13: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/13.jpg)
...you get a PDF document.
![Page 14: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/14.jpg)
If you encrypt the original file with AES again, but with a different key (K2)...
![Page 15: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/15.jpg)
...you get a Flash Video… that… oh well, never mind, I could go on for hours...
![Page 16: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/16.jpg)
So, as you can see, I’m just a normal guy (who likes to play with binary).
(slide diagram: the JPG, which is also a JAR (ZIP + CLASS), becomes a PNG under AES with key 1, a PDF under 3DES, and an FLV under AES with key 2)
![Page 17: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/17.jpg)
I also like to explain binary ⇒ pics.corkami.com / prints.corkami.com
![Page 18: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/18.jpg)
Let’s talk about...
![Page 19: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/19.jpg)
![Page 20: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/20.jpg)
Identification
How do you identify a cow?
![Page 21: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/21.jpg)
By its head?
![Page 22: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/22.jpg)
By its body?
![Page 23: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/23.jpg)
By sound?
![Page 24: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/24.jpg)
in practice...
![Page 25: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/25.jpg)
early filetype identifier
![Page 26: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/26.jpg)
“Magic” signatures, enforced at offset 0

Obvious:
● PE\0\0
● \x7FELF
● BPG\xFB
● \x89PNG\x0D\x0A\x1A\x0A
● dex\n035\0
● RAR\x1a\7\0
● BZ
● GIF89a
● BM
● RIFF

Egocentric:
● MZ (DOS header): Mark Zbikowski
● PK\3\4 (ZIP): Philip Katz
● BPG\xFB: Fabrice Bellard

Not obvious, but l33tsp34k ^_^:
● CAFEBABE: Java / universal (old) Mach-O
● D0CF11E0: Office
● FEEDFACE: Mach-O
● FEEDFACF: Mach-O (64b)

Specific logic:
● TIFF:
○ II: Intel (little) endianness
○ MM: Motorola (big) endianness
● Flash:
○ FWS: ShockWave Flash (flat)
○ CWS: zlib compressed
○ ZWS: LZMA compressed

Not obvious:
● GZip: 1F 8B
● JPG: FF D8
![Page 27: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/27.jpg)
File formats not enforcing a signature at offset 0 (ZIP is used in many formats: APK, ODT, DOCX, JAR…)
● not enforcing a signature at offset 0: ZIP, 7z, RAR, HTML
● actually enforcing a signature at offset 0: bzip2, GZip
![Page 28: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/28.jpg)
ZIP actually enforces “finishing” near the end of the file.
![Page 29: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/29.jpg)
Hardware-bound formats: code/data at offset 0
‘header’ often (optionally) later in the memory space
● TAR: Tape Archive
● Disk images: ISO, Master Boot Record
● TGA (image)
● (Console) ROMs
![Page 30: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/30.jpg)
a good magic signature:
● enforced at offset 0
● unique
no magic ⇒ no excuse
![Page 31: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/31.jpg)
Standard tool: checks magic, chooses path, never returns...
![Page 32: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/32.jpg)
Another common yet important property
(useful for abuses)
![Page 33: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/33.jpg)
It’s a complete cow (you can see its whole body), with something next: appending something doesn’t invalidate the start.
![Page 34: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/34.jpg)
Remember: there’s nothing to parse after the terminator.
![Page 35: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/35.jpg)
formats not enforced at offset 0
+ tolerating appended data
= polyglots by concatenation
(diagram: ZIP, HTML, PE)
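The identification logic these slides argue for, as an added example (not code from the talk): instead of checking one magic and choosing a path, report every format a blob could be parsed as, using the offset-0 signatures listed above plus the non-offset-0 rules for ZIP (end-of-central-directory record near the end), PDF (%PDF- within the first 1024 bytes), TAR (ustar at offset 257) and HTML/7z/RAR. The PDF stub and the hand-built ZIP are constructed sample input; the 7z, RAR and ustar markers and the PE e_lfanew walk are assumed from the formats' specifications, not from the slides.

```python
"""Report every format a blob could be parsed as, instead of stopping at the
first magic that matches (the "checks magic, chooses path, never returns" tool)."""
import io
import struct
import zipfile
import zlib

# Signatures the format really enforces at offset 0 (from the talk's list).
OFFSET0_MAGIC = {
    b"\x7fELF": "ELF", b"\x89PNG\r\n\x1a\n": "PNG", b"BPG\xfb": "BPG",
    b"GIF87a": "GIF", b"GIF89a": "GIF", b"\xff\xd8": "JPEG",
    b"\x1f\x8b": "GZip", b"BZh": "bzip2", b"dex\n035\0": "DEX",
    b"FWS": "Flash", b"CWS": "Flash", b"ZWS": "Flash", b"BM": "BMP", b"RIFF": "RIFF",
}
# Formats whose parsers locate their marker elsewhere, so they survive being
# appended to another file (assumed from the formats' specs, not the slides).
ANYWHERE_MAGIC = {b"7z\xbc\xaf\x27\x1c": "7z", b"Rar!\x1a\x07": "RAR"}


def identify_all(data):
    """Return the set of every format this blob would be accepted as."""
    found = set()
    for magic, name in OFFSET0_MAGIC.items():
        if data.startswith(magic):
            found.add(name)
    if data.startswith(b"MZ") and len(data) >= 0x40:
        # DOS header at 0; the PE\0\0 header sits wherever e_lfanew (offset 0x3c) points
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        found.add("PE" if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" else "MZ")
    if b"%PDF-" in data[:1024]:                    # Acrobat accepts a late header
        found.add("PDF")
    if b"PK\x05\x06" in data[-(22 + 0xFFFF):]:    # EOCD within a max-length comment of the end
        found.add("ZIP")
    if data[257:262] == b"ustar":                 # tar: data at 0, magic later
        found.add("TAR")
    lowered = data.lower()
    if b"<html" in lowered or b"<!doctype html" in lowered:
        found.add("HTML")
    for magic, name in ANYWHERE_MAGIC.items():
        if magic in data:
            found.add(name)
    return found


def make_stored_zip(name, content):
    """Hand-build a one-entry ZIP (method 0 = stored): local header,
    central directory entry, end-of-central-directory record."""
    crc, n = zlib.crc32(content) & 0xFFFFFFFF, len(content)
    local = (b"PK\x03\x04"
             + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 33, crc, n, n, len(name), 0)
             + name + content)
    central = (b"PK\x01\x02"
               + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 33,
                             crc, n, n, len(name), 0, 0, 0, 0, 0, 0)
               + name)
    eocd = b"PK\x05\x06" + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(central), len(local), 0)
    return local + central + eocd


# Constructed sample: a PDF-looking stub (not a complete PDF) with a ZIP
# simply concatenated after it, as in `cat doc.pdf archive.zip > poly.pdf`.
PDF_STUB = b"%PDF-1.5\n1 0 obj<</Type/Catalog>>endobj\ntrailer<</Root 1 0 R>>\n%%EOF\n"
ZIP_BLOB = make_stored_zip(b"x.txt", b"hi")
POLYGLOT = PDF_STUB + ZIP_BLOB


def zip_contents(data):
    """What a ZIP tool sees: it starts from the EOCD at the end and tolerates
    the leading bytes (unzip prints 'extra bytes' and processes anyway)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.read("x.txt")


if __name__ == "__main__":
    for label, blob in (("pdf stub", PDF_STUB), ("zip", ZIP_BLOB), ("polyglot", POLYGLOT)):
        print(f"{label:9s} -> {sorted(identify_all(blob))}")
    print("zip payload:", zip_contents(POLYGLOT))
```

Run over uploads or evidence files, any result with more than one member is a polyglot that deserves a second look rather than the single identity a magic-then-dispatch tool would report.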
![Page 36: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/36.jpg)
a JAR || BINK polyglot
JAR = ZIP(CLASS)
![Page 37: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/37.jpg)
“host/parasite” polyglots
![Page 38: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/38.jpg)
If a cow keeps a frog in its mouth, it can also speak 2 languages! (the outer leaves space for an inner)
![Page 39: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/39.jpg)
Ok, I know… here is a more realistic analogy...
![Page 40: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/40.jpg)
...if our cow swallows a microSD, it’s still a valid cow! Even if it contains foreign data, that is tolerated by the system.
![Page 41: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/41.jpg)
2 infection chains in one file: the PDF part is stored in a Java buffer
![Page 42: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/42.jpg)
a JavaScript || GIF polyglot (useful for pwning - also in BMP flavor)
![Page 43: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/43.jpg)
Such parasites exist already in the wild (they just use unallocated space)
![Page 44: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/44.jpg)
PoC||GTFO 0x2: MBR || PDF || ZIP
![Page 45: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/45.jpg)
PoC||GTFO 0x3: JPG || AFSK || AES(PNG) || PDF || ZIP
by Travis Goodspeed
![Page 46: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/46.jpg)
PoC||GTFO 0x4: TrueCrypt || PDF || ZIP
![Page 47: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/47.jpg)
PoC||GTFO 0x5: Flash || ISO || PDF || ZIP
by Alex Inführ
![Page 48: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/48.jpg)
PoC||GTFO 0x6: TAR || PDF || ZIP

```
$ unzip -l pocorgtfo06.pdf
Archive:  pocorgtfo06.pdf
warning [pocorgtfo06.pdf]:  10672929 extra bytes at... (attempting to process anyway)
  Length      Date    Time    Name
---------  ---------- -----   ----
     4095  11/24/2014 23:44   64k.txt
   818941  08/18/2014 23:28   acsac13_zaddach.pdf
     4564  10/05/2014 00:06   burn.txt
   342232  11/24/2014 23:44   davinci.tgz.dvs
     3785  11/24/2014 23:44   davinci.txt
     5111  09/28/2014 21:05   declare.txt
        0  08/23/2014 19:21   ecb2/
```

```
$ tar -tvf pocorgtfo06.pdf
-rw-r--r-- Manul/Laphroaig       0 2014-10-06 21:33 %PDF-1.5
-rw-r--r-- Manul/Laphroaig  525849 2014-10-06 21:33 1.png
-rw-r--r-- Manul/Laphroaig  273658 2014-10-06 21:33 2.bmp
```
![Page 49: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/49.jpg)
a Java || JavaScript polyglot (at source level)
(trick: a unicode-escaped //; Java decodes \u escapes before tokenizing, so \u002F\u002F is a comment for javac but not for a JavaScript engine)
![Page 50: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/50.jpg)
a Java || JavaScript polyglot (at binary level)
![Page 51: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/51.jpg)
⇒ Java = JavaScript
Yes, your management was right all along ;)
![Page 52: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/52.jpg)
Extreme files bypass filters
![Page 53: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/53.jpg)
Farmer got denied permit to build a horse shelter.So he builds a giant table & chairs which don’t need a permit.
![Page 54: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/54.jpg)
a mini PDF (Adobe-only, 36 bytes) ⇒ skipped by scanners, yet valid!
![Page 55: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/55.jpg)
a 64K-sections PE (all executed) ⇒ crashes many tools, evades scanning
![Page 56: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/56.jpg)
Parsing
![Page 57: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/57.jpg)
This is how a user sees a cow.
![Page 58: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/58.jpg)
This is how a dev sees a cow…
![Page 59: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/59.jpg)
This is how another dev sees a cow! (this one: Brazilian beef cut; previous: French beef cut)
![Page 60: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/60.jpg)
Same data, different parsers
it would have been too easy ;)
![Page 61: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/61.jpg)
a schizophrenic PDF: 3 different trailers, seen by 3 different readers
(one trailer on a commented line, one with a missing trailer keyword)
![Page 62: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/62.jpg)
a schizophrenic PDF (screen ⇔ printer)
![Page 63: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/63.jpg)
a (generated) PDF || PE || JAR [JAVA+ZIP] || HTML polyglot...
(shown in a PDF viewer and as PDF slides)
![Page 64: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/64.jpg)
...which is also a schizophrenic PDF
![Page 65: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/65.jpg)
```
$ du -h stringme
141 stringme
$ strings stringme
Segmentation fault (core dumped)
```

Extra problem: parsers can be present in unexpected places
http://lcamtuf.blogspot.de/2014/10/psa-dont-run-strings-on-untrusted-files.html (CVE-2014-8485)
![Page 66: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/66.jpg)
metadata
Who’s the owner?
![Page 67: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/67.jpg)
A hidden cow just looks like another cow...
![Page 68: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/68.jpg)
… so cattle is branded.
![Page 69: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/69.jpg)
But brandings can be faked! or “patched” into another symbol
⇒ attribution is hard
![Page 70: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/70.jpg)
… and in a pure PoC||GTFO fashion, @munin forged a branding iron!
![Page 71: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/71.jpg)
an encrypted file is not always “encrypted”
⇒ encrypt(file) is not always “random”
encrypt(file) can be valid
![Page 72: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/72.jpg)
```
DATA[123456789AB
CDEF]END

TEXT\nthis is a t
ext\n
?
```
(16 bytes per row; \n stands for the 0A byte)

We want to encrypt a DATA file to a TEXT file. DATA tolerates appended data after its END marker.
TEXT accepts /* */ comment chunks (think ‘parasite in a host’).
![Page 73: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/73.jpg)
```
DATA[123456789AB
CDEF]END
<random>
```

If we encrypt, we get a random result: we can’t control AES output and input together.
![Page 74: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/74.jpg)
AES works with blocks
File encryption applies AES via a mode of operation
![Page 75: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/75.jpg)
Electronic Code Book:
penguin = bad
![Page 76: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/76.jpg)
choose the IV to control both first blocks (P1 & C1)
![Page 77: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/77.jpg)
```
DATA[123456789AB
CDEF]END
TEXT<something we control><random rest>
```

Encrypt with pure AES, then determine the IV (IV1) to control the output block.
![Page 78: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/78.jpg)
```
DATA[123456789AB
CDEF]END
TEXT/*<ignored random rest>
```

We can’t control the rest of the garbage… so let’s put a comment start in the first block (IV2).
![Page 79: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/79.jpg)
```
DATA[123456789AB
CDEF]END
TEXT/*<ignored random rest>*/\nthis is a text\n
```

If we close the comment and append the target file’s data to the encrypted file, then this file is valid and equivalent to our initial target.
![Page 80: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/80.jpg)
```
DATA[123456789AB
CDEF]END<pre-decrypted ignored random>
TEXT/*<ignored random rest>*/\nthis is a text\n
```

...then we decrypt that file (with IV2): we get the original source file, with some random data, that will be ignored since it’s appended data.
![Page 81: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/81.jpg)
```
DATA[123456789AB
CDEF]END<pre-decrypted ignored random>
TEXT/*<ignored random rest>*/\nthis is a text\n
```

Since AES CBC only depends on previous blocks, this DATA file will indeed encrypt (with IV2) to a TEXT file.
![Page 82: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/82.jpg)
AngeCryption PoC layout
![Page 83: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/83.jpg)
```
00: 4441 5441 5b31 3233 3435 3637 3839 4142  DATA[123456789AB
10: 4344 4546 5d45 4e44 0000 0000 0000 0000  CDEF]END........
20: f6fe 17cf 0802 7449 58de cdf2 f9c4 45ce  ......tIX.....E.
30: 2e8e 6996 5854 824c c09c 1b7d 4898 a29e  ..i.XT.L...}H...
```

```
openssl enc -aes-128-cbc -nopad -K `echo OurEncryptionKey|xxd -p` -iv A37A69F13417F5AB3CC4A1546B97FD76
```

```
00: 5445 5854 2f2a 0000 0000 0000 0000 0000  TEXT/*..........
10: 3f81 11a9 2540 ded5 096a 83c9 f191 d8bb  ?...%@...j......
20: 2a2f 0a74 6869 7320 6973 2061 2074 6578  */.this is a tex
30: 740a 454e 4400 0000 0000 0000 0000 0000  t.END...........
```
You can even try it at home :)
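The IV trick of slides 74 to 83, worked through as an added example (not Ange's code): the DATA and TEXT formats are modelled by two tiny parser functions, the block cipher is real AES-128 when pycryptodome is installed and a constructed (insecure) stand-in otherwise, and the one failure mode the slides skip, a random block that happens to contain the comment closer, is handled by varying an ignored byte after END. The key and the two files are the slide's; the parser models, the fallback cipher and the function names are assumptions.

```python
import random
import types

BLOCK = 16

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def pad16(data):
    """Zero-pad to a block multiple (the slide's openssl run uses -nopad)."""
    return data + b"\x00" * (-len(data) % BLOCK)

def cbc_encrypt(cipher, iv, plaintext):
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = cipher.encrypt_block(xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)

def cbc_decrypt(cipher, iv, ciphertext):
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        block = ciphertext[i:i + BLOCK]
        out.append(xor(cipher.decrypt_block(block), prev))
        prev = block
    return b"".join(out)

def angecrypt(cipher, source, target_head, target_tail):
    """Return (iv, target_file): target_file starts with target_head (a comment
    opener), hides the CBC garbage inside the comment and ends with target_tail
    (comment close + real content); CBC-decrypting it gives `source` followed
    by bytes after its terminator, which the source format ignores."""
    c1 = pad16(target_head)
    for filler in range(256):
        # vary an ignored byte after END until no garbage block closes the comment early
        p = pad16(source + bytes([filler]))
        iv = xor(cipher.decrypt_block(c1), p[:BLOCK])  # C1 = E(P1 ^ IV) => IV = D(C1) ^ P1
        body = cbc_encrypt(cipher, iv, p)
        assert body[:BLOCK] == c1
        if body.find(b"*/", len(target_head) - 1) == -1:
            return iv, body + pad16(target_tail)
    raise RuntimeError("no filler avoided a premature '*/' in the garbage")

def text_parser_view(blob):
    """Model of the TEXT format: a /* ... */ comment is dropped."""
    start = blob.index(b"/*")
    end = blob.index(b"*/", start + 2)
    return blob[:start] + blob[end + 2:]

def data_parser_view(blob):
    """Model of the DATA format: everything after END is ignored."""
    return blob[:blob.index(b"END") + 3]

class ToyBlockCipher:
    """Keyed 16-byte permutation used when pycryptodome is absent. Constructed
    for this demo and NOT secure; the trick only needs encrypt_block and
    decrypt_block to be exact inverses, which is equally true of AES."""
    def __init__(self, key):
        rng = random.Random(key)
        self.sbox = list(range(256))
        rng.shuffle(self.sbox)
        self.inv = [0] * 256
        for i, v in enumerate(self.sbox):
            self.inv[v] = i
        self.round_keys = [bytes(rng.randrange(256) for _ in range(BLOCK)) for _ in range(8)]

    def encrypt_block(self, b):
        for rk in self.round_keys:
            b = bytes(self.sbox[x] for x in xor(b, rk))   # key mix + substitution
            b = b[1:] + b[:1]                              # byte rotation
        return b

    def decrypt_block(self, b):
        for rk in reversed(self.round_keys):
            b = b[-1:] + b[:-1]
            b = xor(bytes(self.inv[x] for x in b), rk)
        return b

def make_cipher(key):
    """Real AES-128 via pycryptodome when installed, else the toy cipher."""
    try:
        from Crypto.Cipher import AES
        ecb = AES.new(key, AES.MODE_ECB)
        return types.SimpleNamespace(encrypt_block=ecb.encrypt, decrypt_block=ecb.decrypt)
    except ImportError:
        return ToyBlockCipher(key)

KEY = b"OurEncryptionKey"                # the 16-byte key shown on the slide
SOURCE = b"DATA[123456789ABCDEF]END"     # the slide's DATA file
TARGET_HEAD, TARGET_TAIL = b"TEXT/*", b"*/\nthis is a text\n"

def demo():
    cipher = make_cipher(KEY)
    iv, target_file = angecrypt(cipher, SOURCE, TARGET_HEAD, TARGET_TAIL)
    return iv, target_file, cbc_decrypt(cipher, iv, target_file)
```

The defender's takeaway is the same as the slide's: a ciphertext's magic says nothing about what it decrypts to, so "looks like a valid TEXT file" and "is an encrypted DATA file" are not mutually exclusive.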
![Page 84: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/84.jpg)
Chimera
(if you skip identified bodies, you’ll miss other files)
![Page 85: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/85.jpg)
a JPEG || ZIP || PDF Chimera
![Page 86: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/86.jpg)
a chimera defeats sequential parsing with optimization
(diagram: image data)
![Page 87: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/87.jpg)
a Picture of Cat (BMP! uncompressed! OMG)
![Page 88: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/88.jpg)
BMP lets us define bit masks for each color:
32 bits: 0000000000000000rrrrrggggggbbbbb (no alpha)
⇒ 16 bits of free space!
![Page 89: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/89.jpg)
let’s play the picture!
no, seriously :)
![Page 90: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/90.jpg)
Consider the BMP as RAW 32b PCM:
1. store sound in the lower 16 bits: sound ignored by BMP, image data too low to be audible
2. store a picture encoded as sound
○ viewable as spectrogram
http://wiki.yobi.be/wiki/BMP_PCM_polyglot
![Page 91: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/91.jpg)
an RGB BMP || raw (3-channel spectrogram) polyglot by @doegox
![Page 92: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/92.jpg)
Cerbero
same type of heads, one body
![Page 93: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/93.jpg)
an RGB picture... RGB picture data = byte triplets for the R, G, B colors
![Page 94: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/94.jpg)
...with an unused palette
palette picture data = each byte is an index in the palette
in theory, it could be used:
![Page 95: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/95.jpg)
How to make a pic-ception
adjust each RGB value to the closest palette index ⇒ store a second picture with the same data….
(original idea by @reversity)
![Page 96: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/96.jpg)
We get another picture of the same type from the same data!
BTW, that’s a barcode inception: a DataMatrix barcode inside a QRCode, both valid
https://www.iseclab.org/people/atrox/qrinception.pdf
![Page 97: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/97.jpg)
Hash collisions
This is the actual SHA-1 with only 4 of its 5 constants modified.
This doesn’t give a collision in the actual SHA-1.
![Page 98: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/98.jpg)
2 colliding blocks: mostly random and unpredictable. At most three consecutive bytes without a difference.
Typically, in every dword, only the middle two bytes have no differences.
![Page 99: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/99.jpg)
Abusing JPEG’s multiple unused APPx (FF Ex) markers
![Page 100: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/100.jpg)
Much better! (images chosen at random)
![Page 101: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/101.jpg)
a polyglot collision (multiple use for a single backdoor)
![Page 102: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/102.jpg)
Pwnie award… for the best song! err… what is it pwning exactly?
![Page 103: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/103.jpg)
Even songs should also have a nice PoC (never forget to load your PDFs in your favorite NES emulator)
![Page 104: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/104.jpg)
Do you remember this ?
![Page 105: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/105.jpg)
A Super NES & Megadrive ROM (and PDF at the same time)
![Page 106: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/106.jpg)
Conclusion
![Page 107: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/107.jpg)
Ange’s recipes :)
Never forget to:
● open your PDFs in a hex editor
● open your pictures in a sound player
● run your documents in a console emulator
● encrypt/decrypt with any cipher
● double-check what you printed
![Page 108: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/108.jpg)
Security advice:
DON’T *
It’s easy to blame others - new insecure paths appear every day
![Page 109: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/109.jpg)
Research advice:
DO *
PoC||GTFO! stop the marketing! cheap blamers ⇔ blatant marketers?
![Page 110: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/110.jpg)
F.F.F. conclusion
● many abuses of the specs
○ specs often are wrong or misleading
● few parsers, even fewer dissectors
● standard tools evolve the wrong way
○ try to repair ‘corrupted’ files outside the specs
○ standard and recovery mode
For technical details, check my previous talks.
![Page 111: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/111.jpg)
ACK
@doegox @pdfkungfoo @veorq @reversity @travisgoodspeed @sergeybratus qkumba @internot @gynvael @munin @solardiz @0xabadidea @ashutoshmehralytron @JacobTorrey @thicenl… and anybody who gave me feedback!
![Page 112: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/112.jpg)
Bonus
after the talk, we tried some PoCs on professional (very expensive!) forensic software:
● polyglot files
○ a single file format found + no warning whatsoever
● schizophrenic files:
○ no warning, yet different tabs of the same software showing different content :D
BIG FAIL - yet we trust them for court cases?
![Page 113: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/113.jpg)
![Page 114: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/114.jpg)
The initial abstract of this talk: ASCII-only, PDF/TAR polyglot
(slide: “this is a valid TAR & Adobe PDF: PoC or GTFO”, with GTFO in ASCII art, signed Albertini; its PDF part reads:)
```
%PDF-1.trailer<</Root<</Pages<<>>>>>>
```
![Page 115: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/115.jpg)
Solar Designer made a great keynote - that’s actually a real game to play! But one has to load and play through the game - not so accessible!
http://openwall.com/presentations/ZeroNights2014-Is-Infosec-A-Game/
![Page 116: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/116.jpg)
```
$ unzip -t ZeroNights2014-Is-Infosec-A-Game.pdf
Archive:  ZeroNights2014-Is-Infosec-A-Game.pdf
warning [ZeroNights2014-Is-Infosec-A-Game.pdf]:  6381506 extra bytes (attempting to process anyway)
    testing: ZN14GAME/                OK
    testing: ZN14GAME/COMMON/         OK
...
```

a PDF:
● containing the game as ZIP
● hand-written
○ with walkthrough’s screenshots (in original resolution)
○ a lightweight title
○ while maintaining compatibility
a good way to distribute as a single file!
![Page 117: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/117.jpg)
Quine
prints its own source
![Page 118: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/118.jpg)
a PE quine (in assembler, no linker)
![Page 119: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/119.jpg)
Most quines aren’t very sexy
Using a compiler is cheap :p
![Page 120: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/120.jpg)
Quine Relay
A prints B’s source
B prints A’s source
![Page 121: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/121.jpg)
a PE ⇔ ELF quine relay (no linker)
![Page 122: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/122.jpg)
a 50-languages quine relay
https://github.com/mame/quine-relay
![Page 123: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/123.jpg)
other AngeCryption PoCs (PDF, PNG, JPG)
![Page 124: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/124.jpg)
A bit of everything
![Page 125: Funky file formats - 31c3](https://reader034.vdocuments.site/reader034/viewer/2022042502/55a20a971a28ab9b368b46bd/html5/thumbnails/125.jpg)
@angealbertini
corkami.com
Damn, that's the second time those alien bastards shot up my ride!