funky file formats
Post on 05-Jul-2018
-
8/16/2019 Funky File Formats
1/125
Funky file Formats
Ange Albertini
2014/12 - 31C3
-
2/125
Ange Albertini
reverse engineering & visual documentations
@angealbertini ange@corkami.com
http://www.corkami.com
-
3/125
So, this talk is about files… what are the usual files’ categories
-
4/125
It depends if you’re a newbie, a user, a dev, a hacker..
-
5/125
...but in general, valid files aren’t very sexy!
-
6/125
However, the frontier between valid and corrupted is not straight
-
7/125
Here is a valid file…
f76f5dafdcf0818c457e6ffb50ea61a67196dcd4 *ccc.jpg
(ok, maybe not a standard file)
-
8/125
-
9/125
...that’s also a Java file.
-
10/125
If you encrypt it with AES...
-
11/125
… you get a PNG picture.
-
12/125
If you decrypt it with Triple DES ...
-
13/125
... you get a PDF document.
-
14/125
If you encrypt the original file with AES again, but with a different
-
15/125
...you get a Flash Video… that … oh well, nevermind, I could go on for hours...
-
16/125
So, as you can see, I’m just a normal guy (who likes to play with
[diagram: JPG, JAR (ZIP + CLASS) and PDF, linked by 3DES, AES_K1 and AES_K2]
-
17/125
I also like to explain binary ⇒ pics.corkami.com / prints.corkami.com
-
18/125
Let’s talk about...
-
19/125
-
20/125
Identification
How do you identify a cow?
-
21/125
By its head?
-
22/125
By its body?
-
23/125
By sound?
-
24/125
in practice...
-
25/125
early filetype identifier
-
26/125
“Magic” signatures, enforced at offset 0
Obvious:
  PE\0\0  \x7FELF  BPG\xFB  \x89PNG\x0D\x0A\x1A\x0A  dex\n035\0  RAR\x1a\7\0  BZ  GIF89a  BM  RIFF
Egocentric:
  MZ (DOS header): Mark Zbikowski
  PK\3\4 (ZIP): Philip Katz
  BPG\xFB: Fabrice Bellard
Not obvious, but l33tsp34k ^_^
  CAFEBABE: Java / universal (old) Mach-O
  D0CF11E0: Office
  FEEDFACE: Mach-O
  FEEDFACF: Mach-O (64b)
Specific logic:
  TIFF: II = Intel (little) endian, MM = Motorola (big) endian
  Flash: FWS = ShockWave Flash (F, CWS = (zlib) compressed, ZWS = LZMA compressed
Not obvious:
  GZip: 1F 8B
  JPG: FF D8
-
27/125
File formats not enforcing signature at offset 0
(ZIP is used in many formats: APK, ODT, DOCX, JAR…
not enforcing signature at offset 0: ZIP, 7z; actually enforcing signature at offset 0: bzip
-
28/125
ZIP actually enforces “finishing” near the end of the file
-
29/125
Hardware-bound formats: code/data at offset 0
‘header’ often (optionally) later in the memory space
● TAR: Tape Archive
● Disk images: ISO, Master Boot Record
● TGA (image)
● (Console) roms
-
30/125
a good magic signature:
● enforced at offset 0
● unique
no magic, no excuse
-
31/125
Standard tool: checks magic,
chooses path, never returns
-
32/125
Another common yet important property
(useful for abuses)
-
33/125
It’s a complete cow (you can see its whole body), with something
appending something doesn’t invalidate the start.
-
34/125
Re
there’s n
after th
-
35/125
formats not enforced at offset 0
+ tolerating appended data
= polyglots by concatenation
(ZIP, HTML, PDF, PE)
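The identification slides above (magic enforced at offset 0, ZIP recognised from its end-of-central-directory record rather than its start, and appended or prepended data being tolerated) can be turned into a small checker. The following Python is an added example, not code from the talk or from corkami: the signature table follows the slide (BZip2 and RAR written out in full), the sample archive is built with the standard library, and the JPEG-looking head glued in front of it is constructed for the demo, so the result is a concatenation polyglot of the kind slide 35 describes.

```python
import io
import struct
import zipfile

# Offset-0 magic signatures, after the talk's table (BZip2 and RAR use their
# full known signatures; the slide abbreviates them).
MAGICS = [
    (b"MZ", "PE/DOS (MZ)"),
    (b"\x7fELF", "ELF"),
    (b"\x89PNG\r\n\x1a\n", "PNG"),
    (b"GIF89a", "GIF"),
    (b"BM", "BMP"),
    (b"RIFF", "RIFF"),
    (b"%PDF", "PDF"),
    (b"\xff\xd8", "JPEG"),
    (b"\x1f\x8b", "GZip"),
    (b"Rar!\x1a\x07\x00", "RAR"),
    (b"BZh", "BZip2"),
    (b"\xca\xfe\xba\xbe", "Java class / fat Mach-O"),
    (b"PK\x03\x04", "ZIP (local file header at offset 0)"),
]

EOCD_SIG = b"PK\x05\x06"
EOCD_LEN = 22            # fixed part of the End Of Central Directory record
MAX_COMMENT = 0xFFFF     # the ZIP comment length is a 16-bit field


def zip_trailer(data):
    """Return (prepended_bytes, trailing_bytes) if a ZIP EOCD record closes the
    file, else None. ZIP is recognised from its end, not from offset 0."""
    window_start = max(0, len(data) - (EOCD_LEN + MAX_COMMENT))
    pos = data.rfind(EOCD_SIG, window_start)
    if pos < 0 or pos + EOCD_LEN > len(data):
        return None
    cd_size, cd_offset, comment_len = struct.unpack_from("<IIH", data, pos + 12)
    trailing = len(data) - (pos + EOCD_LEN + comment_len)
    if trailing < 0:
        return None  # the comment would run past the end: not a sane EOCD
    # the central directory offset is relative to the start of the archive, so
    # whatever sits before it in the file is foreign data (unzip's "extra bytes")
    prepended = pos - (cd_offset + cd_size)
    if prepended < 0:
        return None
    return prepended, trailing


def identify(data):
    """Report every container the file can be read as, not just the first match."""
    hits = [name for sig, name in MAGICS if data.startswith(sig)]
    tail = zip_trailer(data)
    if tail is not None:
        prepended, trailing = tail
        hits.append("ZIP (EOCD at end, %d bytes prepended, %d trailing)" % (prepended, trailing))
    return hits


def first_match_only(data):
    """What the 'checks magic, chooses path, never returns' tool reports."""
    hits = identify(data)
    return hits[0] if hits else "unknown"


def make_zip(name, payload):
    """Constructed sample: a real one-entry ZIP built with the standard library."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


# Constructed samples: a plain archive, and the same archive glued behind a
# JPEG-looking head (SOI + APP0 marker and filler): a concatenation polyglot.
PLAIN_ZIP = make_zip("hello.txt", b"hi there")
JPEG_HEAD = b"\xff\xd8\xff\xe0" + b"\x00" * 60
JPEG_ZIP_POLYGLOT = JPEG_HEAD + PLAIN_ZIP

if __name__ == "__main__":
    for label, sample in (("plain zip", PLAIN_ZIP), ("jpeg||zip", JPEG_ZIP_POLYGLOT)):
        print(label, "->", first_match_only(sample), "| all:", identify(sample))
    # the standard library's ZIP reader also accepts the polyglot, prepended bytes and all
    with zipfile.ZipFile(io.BytesIO(JPEG_ZIP_POLYGLOT)) as zf:
        print("zipfile sees:", zf.namelist())
```

The point of `first_match_only` is the failure mode slide 31 names: a tool that stops at the first signature sees a JPEG and never learns that the same bytes are a complete archive; `identify` keeps going, and the prepended-byte count is exactly the "extra bytes" figure `unzip` warns about on slide 48.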
-
36/125
a JAR(JAR) || BINK polyglot
JAR = ZIP(CLASS)
-
37/125
“host/parasite” polyglots
-
38/125
If a cow keeps a frog in its mouth, it can also speak 2 languages
(the outer leaves space for an inner)
-
39/125
Ok, I know… here is a more realistic analogy...
-
40/125
...if our cow swallows a microSD, it’s still a valid cow!
Even if it contains foreign data, that is tolerated by the system
2 infection chains in one file:
-
41/125
the PDF part is stored in a Java buffer
-
42/125
a JavaScript || GIF polyglot (useful for pwning - also in BMP
Such parasites exist al
-
43/125
(they just use unallocated
-
44/125
PoC||GTFO 0x2: MBR || PDF || ZIP
-
45/125
PoC||GTFO 0x3: JPG || AFSK || AES(PNG) || PDF || ZIP
by Travis Goodspeed
-
46/125
PoC||GTFO 0x4: TrueCrypt || PDF || ZIP
-
47/125
PoC||GTFO 0x5: Flash || ISO || PDF || ZIP
by Alex Inführ
PoC||GTFO 0x6: TAR || PDF || ZIP
-
48/125
$ unzip -l pocorgtfo06.pdf
Archive: pocorgtfo06.pdf
warning [pocorgtfo06.pdf]: 10672929 extra bytes at... (attempting to process anyway)
   Length       Date   Time  Name
---------  ---------- -----  ----
     4095  11/24/2014 23:44  64k.txt
   818941  08/18/2014 23:28  acsac13_zaddach.pdf
     4564  10/05/2014 00:06  burn.txt
   342232  11/24/2014 23:44  davinci.tgz.dvs
     3785  11/24/2014 23:44  davinci.txt
     5111  09/28/2014 21:05  declare.txt
        0  08/23/2014 19:21  ecb2/
$ tar -tvf pocorgtfo06.pdf
-rw-r--r-- Manul/Laphroaig      0 2014-10-06 21:33 %PDF-1.5
-rw-r--r-- Manul/Laphroaig 525849 2014-10-06 21:33 1.png
-rw-r--r-- Manul/Laphroaig 273658 2014-10-06 21:33 2.bmp
unicode //
-
49/125
a Java || JavaScript polyglot (at source level)
-
50/125
a Java || JavaScript polyglot (at binary level)
-
51/125
Java = JavaScript
Yes, your management was right all along
-
52/125
Extreme files bypass fil
-
53/125
Farmer got denied permit to build a horse shelter.
So he builds a giant table & chairs which don’t need a permit
-
54/125
a mini PDF (Adobe-only, 36 bytes) ⇒ skipped by scanners ye
-
55/125
a 64K sections PE (all executed) ⇒ crashes many softwares evad
-
56/125
Parsing
-
57/125
This is how a user sees a cow
-
58/125
This is how a dev sees a cow
-
59/125
This is how another dev sees a cow!
(this one: Brazilian beef cut - previous: French beef cut)
-
60/125
Same data, different par
it would have been too easy ;)
commented line
-
61/125
a schizophrenic PDF: 3 different trailers seen by 3 different r
missing trailer keyword
-
62/125
a schizophrenic PDF (screen ⇔ printer)
PDF vie
-
63/125
a (generated) PDF || PE || JAR [JAVA+ZIP] || HTML polyglot
PDF sli
-
64/125
which is also a schizophrenic PDF
-
65/125
$ du -h stringme
141 stringme
$ strings stringme
Segmentation fault (core dumped)
Extra problem: parsers can be present in unexpected places
http://lcamtuf.blogspot.de/2014/10/psa-dont-run-strings-on-untrusted-files.html (CVE-2014-8485)
-
66/125
metadata
Who’s the owner?
-
67/125
A hidden cow just looks like another cow
-
68/125
so cattle is branded
-
69/125
But brandings can be fa
or “patched” into another symbol
⇒ attribution is hard
-
70/125
… and in a pure PoC||GTFO fashion,
@munin forged a branding iron!
-
71/125
an encrypted file is not always “encrypted”
encrypt(file) is not always “random”
encrypt(file) can be valid
DATA[123456789ABCDEF]END
-
72/125
We want to encrypt a DATA file to a TEXT file.
DATA tolerates appended data after its END marker
TEXT accepts /* */ comment chunks (think ‘parasite in a host’)
DATA[123456789ABCDEF]END
TEXT
this is a text
-
73/125
if we encrypt, we get a random result. we can’t control AES output & in
-
74/125
AES works with blocks
File encryption applies AES via a mode of
-
75/125
Electronic Code Book:
penguin = bad
-
76/125
choose the IV to control both first blocks (P1 & C1)
DATA[123456789ABCDEF]END
-
77/125
DATA[123456789ABCDEF]END
TEXT
-
78/125
DATA[123456789ABCDEF]END
TEXT/*
-
79/125
DATA[123456789ABCDEF]END
TEXT/*
-
80/125
DATA[123456789ABCDEF]END
TEXT/*
-
81/125
DATA[123456789ABCDEF]END
TEXT/*
-
82/125
AngeCryption PoC layout
00: 4441 5441 5b31 3233 3435 3637 3839 4142  DATA[123456789AB
-
83/125
10: 4344 4546 5d45 4e44 0000 0000 0000 0000  CDEF]END........
20: f6fe 17cf 0802 7449 58de cdf2 f9c4 45ce  ......tIX.....E.
30: 2e8e 6996 5854 824c c09c 1b7d 4898 a29e  ..i.XT.L...}H...
openssl enc -aes-128-cbc -nopad -K `echo OurEncryptionKey|xxd -p` -iv A37A69F13417F5AB3CC4A1546B97FD76
00: 5445 5854 2f2a 0000 0000 0000 0000 0000  TEXT/*..........
10: 3f81 11a9 2540 ded5 096a 83c9 f191 d8bb  ?...%@...j......
20: 2a2f 0a74 6869 7320 6973 2061 2074 6578  */.this is a tex
30: 740a 454e 4400 0000 0000 0000 0000 0000  t.END...........
You can even try it at home :)
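The AngeCryption layout above, as an added worked example rather than the talk's own code. Two CBC facts carry the whole construction: C1 = E(P1 xor IV), so picking IV = D(C1) xor P1 fixes the first ciphertext block for any P1; and every later wanted ciphertext block Cn is reached by appending Pn = D(Cn) xor C(n-1) to the source file, which the DATA format tolerates after its END marker. Assumption: this must run without a crypto library, so a toy 8-round Feistel permutation stands in for AES-128 (it is not AES and not secure); the construction needs only a block cipher with a decryption direction, so the logic is identical with real AES-CBC as in the openssl line on the slide. The key, DATA/TEXT strings and comment syntax follow the slide; the IV and the random-looking blocks are computed here, not the slide's values.

```python
import hashlib

BLOCK = 16          # 128-bit blocks, the AES block size
HALF = BLOCK // 2
ROUNDS = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, half, rnd):
    # Feistel round function: keyed hash of the half-block, truncated to 8 bytes
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:HALF]


def toy_encrypt_block(key, block):
    """Toy keyed permutation standing in for AES (NOT AES, NOT secure)."""
    l, r = block[:HALF], block[HALF:]
    for rnd in range(ROUNDS):
        l, r = r, _xor(l, _f(key, r, rnd))
    return r + l


def toy_decrypt_block(key, block):
    """Inverse of toy_encrypt_block: the same rounds walked backwards."""
    r, l = block[:HALF], block[HALF:]
    for rnd in reversed(range(ROUNDS)):
        r, l = l, _xor(r, _f(key, l, rnd))
    return l + r


def cbc_encrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        prev = toy_encrypt_block(key, _xor(data[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, data):
    out, prev = [], iv
    for i in range(0, len(data), BLOCK):
        c = data[i:i + BLOCK]
        out.append(_xor(toy_decrypt_block(key, c), prev))
        prev = c
    return b"".join(out)


def zero_pad(data):
    # the slide's openssl command uses -nopad, so files are zero-padded by hand
    return data + b"\0" * (-len(data) % BLOCK)


def angecrypt(key, source, target_head, target_tail):
    """Return (iv, plaintext, ciphertext) such that plaintext starts with `source`
    while ciphertext starts with `target_head` and ends with `target_tail`."""
    src = zero_pad(source)
    # IV = D(C1) xor P1 makes the first ciphertext block whatever we want
    iv = _xor(toy_decrypt_block(key, target_head), src[:BLOCK])
    body = cbc_encrypt(key, iv, src)
    # for each wanted tail block Cn, append Pn = D(Cn) xor C(n-1) to the source
    appended, prev = b"", body[-BLOCK:]
    for i in range(0, len(target_tail), BLOCK):
        c = target_tail[i:i + BLOCK]
        appended += _xor(toy_decrypt_block(key, c), prev)
        prev = c
    plaintext = src + appended
    return iv, plaintext, cbc_encrypt(key, iv, plaintext)


# Constructed inputs mirroring the slide's PoC: a DATA file that tolerates trailing
# bytes, and a TEXT file in which /* ... */ swallows the foreign blocks.
KEY = b"OurEncryptionKey"
SOURCE = b"DATA[123456789ABCDEF]END"
TARGET_HEAD = zero_pad(b"TEXT/*")
TARGET_TAIL = zero_pad(b"*/\nthis is a text\nEND")

if __name__ == "__main__":
    iv, pt, ct = angecrypt(KEY, SOURCE, TARGET_HEAD, TARGET_TAIL)
    print("IV:        ", iv.hex())
    print("plaintext: ", pt)
    print("ciphertext:", ct)
    assert cbc_decrypt(KEY, iv, ct) == pt
```

Only the second ciphertext block (the encryption of the DATA file's `CDEF]END` block) stays uncontrolled, which is why the slide's TEXT file needs a comment that spans at least that one block. The defensive lesson is the one slide 71 states: "encrypted" output is random-looking only when nobody chose the IV and padding for you.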
-
84/125
Chimera (if you skip identified bodies, you’ll miss other files)
-
85/125
a JPEG || ZIP || PDF Chimera
-
86/125
a chimera defeats sequential parsing with optimization
imag
-
87/125
a Picture of Cat (BMP! uncompressed! OMG)
-
88/125
BMP lets us define bit masks for each c
32 bits: 0000000000000000rrrrrggggggbbbbb (n
⇒ 16 bits of free space!
-
89/125
let’s play the picture!
no, seriously :)
Consider the BMP
-
90/125
1. store sound in the lower 16 bits:
   sound ignored by BMP, image data too low to be audible
2. store a picture encoded as sound
   ○ viewable as spectrogram
Consider the BMP as RAW 32b PCM
http://wiki.yobi.be/wiki/BMP_PCM_polyglot
-
91/125
an RGB BMP || raw (3-channel spectrogram) polyglot by @d
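The bit-mask slides above, as an added example that is not code from the talk or from the yobi.be page: a constructed 32-bpp BI_BITFIELDS BMP whose colour masks cover only the low 16 bits of each pixel (the slide's `0000000000000000rrrrrggggggbbbbb` layout), and a checker that reports what sits in the 16 masked-out bits that no viewer will ever render. The image and the hidden words are constructed; the checker assumes the 40-byte BITMAPINFOHEADER followed by three explicit masks, which is the layout the writer produces.

```python
import struct

# BI_BITFIELDS masks using only the low 16 bits of each 32-bit pixel:
# 5 bits red, 6 bits green, 5 bits blue, 16 bits covered by no mask at all.
R_MASK, G_MASK, B_MASK = 0x0000F800, 0x000007E0, 0x0000001F
BI_BITFIELDS = 3
DIB_HEADER_LEN = 40


def make_bmp(width, height, pixels, hidden=None):
    """Constructed 32-bpp BITFIELDS BMP. `pixels` are (r, g, b) 8-bit triples;
    `hidden` is an optional list of 16-bit words written into the masked-out bits."""
    assert len(pixels) == width * height
    hidden = hidden or [0] * len(pixels)
    raw = bytearray()
    for (r, g, b), extra in zip(pixels, hidden):
        px = ((r >> 3) << 11) | ((g >> 2) << 5) | (b >> 3) | ((extra & 0xFFFF) << 16)
        raw += struct.pack("<I", px)
    offset = 14 + DIB_HEADER_LEN + 12           # file header + DIB header + 3 masks
    dib = struct.pack("<IiiHHIIiiII", DIB_HEADER_LEN, width, height, 1, 32,
                      BI_BITFIELDS, len(raw), 2835, 2835, 0, 0)
    masks = struct.pack("<III", R_MASK, G_MASK, B_MASK)
    head = struct.pack("<2sIHHI", b"BM", offset + len(raw), 0, 0, offset)
    return head + dib + masks + bytes(raw)


def masked_out_payload(bmp):
    """Scan a 32-bpp BITFIELDS BMP and return (free_bit_count, words): the values
    found in the bits no colour mask covers. A clean image yields all zeros;
    anything else is data the pixel viewer silently ignores."""
    if bmp[:2] != b"BM":
        raise ValueError("not a BMP")
    pix_offset = struct.unpack_from("<I", bmp, 10)[0]
    dib_len, width, height, _planes, bpp, comp = struct.unpack_from("<IiiHHI", bmp, 14)
    if bpp != 32 or comp != BI_BITFIELDS or dib_len != DIB_HEADER_LEN:
        return None  # only the 40-byte header + explicit-masks layout is handled here
    r, g, b = struct.unpack_from("<III", bmp, 14 + DIB_HEADER_LEN)
    free = ~(r | g | b) & 0xFFFFFFFF
    if free == 0:
        return 0, []
    shift = (free & -free).bit_length() - 1     # position of the lowest free bit
    words = []
    for i in range(width * abs(height)):
        px = struct.unpack_from("<I", bmp, pix_offset + 4 * i)[0]
        words.append((px & free) >> shift)
    return bin(free).count("1"), words


def visible_colours(bmp):
    """The 16 colour bits per pixel, i.e. what a viewer actually draws."""
    pix_offset = struct.unpack_from("<I", bmp, 10)[0]
    width, height = struct.unpack_from("<ii", bmp, 18)
    return [struct.unpack_from("<I", bmp, pix_offset + 4 * i)[0] & 0xFFFF
            for i in range(width * abs(height))]


# Constructed 4x1 image, once clean and once carrying four 16-bit words
PIXELS = [(255, 0, 0), (0, 255, 0), (0, 0, 255), (255, 255, 255)]
CLEAN = make_bmp(4, 1, PIXELS)
STUFFED = make_bmp(4, 1, PIXELS, hidden=[0x1234, 0xBEEF, 0x0000, 0xFFFF])

if __name__ == "__main__":
    print("clean:  ", masked_out_payload(CLEAN))
    print("stuffed:", masked_out_payload(STUFFED))
    print("same picture:", visible_colours(CLEAN) == visible_colours(STUFFED))
```

Both files render identically, which is the whole trick of the BMP || PCM polyglot: the image parser is told by the masks which bits matter and never looks at the rest, while a raw 32-bit PCM reader interprets every bit.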
-
92/125
Cerbero: same type of heads, one body
-
93/125
an RGB picture...
RGB picture data = byte triplets for R, G, B colors
-
94/125
...with an unused palette
palette picture data = each byte is an index in the palette
in theory, it could be used:
-
95/125
How to make a pic-ception:
adjust each RGB value to the closest palet
⇒ store a second picture with the same d
(original idea by @reversity)
-
96/125
We get another picture of the same type from the same data!
BTW, that’s a barcode inception: a DataMatrix barcode inside a QRCode, both valid
https://www.iseclab.org/people/atrox/qrinception.pdf
-
97/125
Hash collisions
This is the actual SHA-1 with only 4 of its 5 constants modified
This doesn’t give a collision in the actual SHA-1
-
98/125
2 colliding blocks: mostly random and unpredic
At most three consecutive bytes without a difference.
Typically, in every dword, only the middle two bytes have no diff
-
99/125
Abusing JPEG’s multiple unused APPx (FF Ex) markers
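An added JPEG marker walker for the APPx slide (not the talk's code): it lists every segment and summarises the application segments FF E0..FF EF, so repeated or oversized APPn blocks, the kind that can carry random-looking collision blocks a decoder is free to skip, show up in a report instead of being ignored. The sample is a constructed marker skeleton with no scan data, so it exercises the parser without being a displayable picture; the marker semantics (standalone markers, big-endian length fields, stuffed 0xFF00 and RSTn inside scan data) are the standard ones.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
RESTART = set(range(0xD0, 0xD8))
STANDALONE = {0x01} | RESTART | {SOI, EOI}     # markers without a length field


def jpeg_segments(data):
    """Walk the marker structure of a JPEG and return [(marker, offset, total_length)]."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    segs, pos = [(SOI, 0, 2)], 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("expected marker at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:          # fill bytes before a marker are legal
            pos += 1
            continue
        if marker in STANDALONE:
            segs.append((marker, pos, 2))
            pos += 2
            if marker == EOI:
                break
            continue
        length = struct.unpack_from(">H", data, pos + 2)[0]   # includes the 2 length bytes
        segs.append((marker, pos, 2 + length))
        pos += 2 + length
        if marker == SOS:
            # entropy-coded data follows: skip to the next real marker
            # (0xFF00 is a stuffed data byte, 0xFFD0..D7 are restart markers)
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] != 0x00 and data[pos + 1] not in RESTART:
                    break
                pos += 1
    return segs


def appx_report(data):
    """Map each application segment name to the list of its length-field values,
    in file order. Several APPn of the same number, or APPn far larger than the
    metadata they claim to hold, are the signal to look for."""
    report = {}
    for marker, _offset, total in jpeg_segments(data):
        if 0xE0 <= marker <= 0xEF:
            report.setdefault("APP%d" % (marker - 0xE0), []).append(total - 2)
    return report


def segment(marker, payload):
    """Build one marker segment with a correct big-endian length field."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed sample: SOI, a normal JFIF APP0, two fat "unused" APP5 segments
# (filler standing in for 64-byte collision blocks), then EOI.
JFIF = b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE = (b"\xff\xd8" + segment(0xE0, JFIF) + segment(0xE5, b"\xaa" * 64)
          + segment(0xE5, b"\xbb" * 64) + b"\xff\xd9")

if __name__ == "__main__":
    for m, off, ln in jpeg_segments(SAMPLE):
        print("FF%02X at %5d, %d bytes" % (m, off, ln))
    print(appx_report(SAMPLE))
```

A decoder only needs APP0/APP1 (JFIF, Exif) and a few vendor segments; everything else in the FF E0..FF EF range is opaque to it, which is what makes those markers attractive places for the two colliding blocks and why a scanner should at least count and size them.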
-
100/125
Much better! (images chosen at random)
-
101/125
a polyglot collision (multiple use for a single backdoor)
-
102/125
Pwnie award… for the best song! err… what is it pwning exa
-
103/125
Even songs should also have a nice PoC
(never forget to load your PDFs in your favorite NES emulator)
-
104/125
Do you rem
-
105/125
A Super NES & Megadrive rom
(and PDF at the same time)
-
106/125
Conclusion
Ange’s recipes :)
-
107/125
Never forget to:
● open your PDFs in a hex editor
● open your pictures in a sound player
● run your documents in a console emulator
● encrypt/decrypt with any cipher
● double-check what you printed
-
108/125
Security advice
DON’T *It’s easy to blame others - new insecure paths appear ever
-
109/125
Research advice
DO *PoC||GTFO! stop the marketing! cheap blamers ⇔ blatant ma
F.F.F. conclusion
-
110/125
● many abuses of the specs
  ○ specs often are wrong or misleading
● few parsers, even fewer dissectors
● standard tools evolve the wrong way
  ○ try to repair ‘corrupted’ file outside the spec
  ○ standard and recovery mode
For technical details, check my previous talks.
ACK
-
111/125
@doegox @pdfkungfoo @veorq @reversity
@travisgoodspeed @sergeybratus qkum @internot @gynvael @munin
@solardiz @0xabadidea @ashutoshmeh
lytron @JacobTorrey @thicenl …and anybody who gave me feedback!
Bonus
-
112/125
after the talk, we tried some PoCs on professional
(very expensive!) forensic softwares:
● polyglot files
  ○ a single file format found + no warning whatsoever
● schizophrenic files:
  ○ no warning yet different tabs of the same software
    different content :D
BIG FAIL - yet we trust them for court
-
113/125
***this is a vali**
-
114/125
Albertini
...TAR & Adobe PoC or
 ____ _____ __ / ___|_ _| | | _ | | | || |_| | | | | \____| |_| |_|
%PDF-1.trailer
-
115/125
Solar Designer made a great keynote - that’s actually a real game
But one has to load and play through the game - not so accessible
http://openwall.com/presentations/ZeroNights2014-Is-Infosec-A-Game/
a PDF:
● containing the game a
● hand-written
ith lkth h’
-
116/125
$ unzip -t ZeroNights2014-Is-Infosec-A-Game.pdf
Archive: ZeroNights2014-Is-Infosec-A-Game.pdf
warning [ZeroNights2014-Is-Infosec-A-Game.pdf]: 6381506 extra (attempting to process anyway)
    testing: ZN14GAME/   OK
    testing: ZN14GAME/COMMON/   OK
...
○ with walkthrough’
(in original resolu
○ a lightweight title
○ while maintaining
a good way to distribute as
-
117/125
Quine
prints its own source
-
118/125
a PE quine (in assembler, no linker)
-
119/125
Most quines aren’t very
Using a compiler is cheap :p
-
120/125
Quine Relay
A prints B’s source
B prints A’s source
-
121/125
a PE ⇔ ELF quine relay
(no linker)
-
122/125
a 50-languages quine relay
https://github.com/mame/quine-relay
-
123/125
other AngeCryption PoCs (PDF, PNG, JPG)
-
124/125
A bit of everything
@angealbertini
https://twitter.com/angealbertini
-
125/125
@angealbertini
corkami.com
Damn, that's the second time those alien bastards shot up my ride!