Caring for file formats
Ange Albertini, Troopers 2016
TL;DR
● Attack surface with file formats is too big.
● Specs are useless (just a nice ‘guide’), not representing reality.
● We can’t deprecate formats because we can’t preserve them and we can’t define how they really work.
● We need good open libraries to simplify the landscape, and a corpus of files to express the reality of each file format, which gives us real “documentation”.
● Then we can preserve and deprecate older formats, which reduces attack surface.
● From then on, we can focus on making the present more secure.
● We don’t need “new” formats: we need ‘alive’ specs and file corpora. Otherwise specs will always diverge from reality.
Ange Albertini
reverse engineering & visual documentation
@angealbertini
[email protected]
http://www.corkami.com
Welcome to my talk!
I make polyglots (multi-type files), schizophrenics (multi-behavior)...
I tried to explain file formats with cows… But that didn’t really tell why people should care.
I really like to play with file formats...
[Figure: a diagram of one file with several identities: 3DES, AES, JPG, JAR (ZIP + CLASS), PDF, FLV, PNG]
I’m a part of PoC||GTFO, for which I’m a file format user and abuser.
PoC||GTFO: many file formats
● Articles: PDFLaTeX, PDFBook, Inkscape, GhostScript, Scribus, Blender, Gimp, Fontforge, PDFFont, Mutool
● Proof of Concept: Qpdf, Xpdf, Ruby, Python, Bash, Truecrypt, Wavpack, Audacity, Baudline, Sox, Tar, Zip, MkIsoFS, LSnes, PngOpt, JpegSnoop, AdvPNG, Nasm, Qemu, BPGEnc
And many custom scripts handling file formats in unconventional ways…
I'm interested in hardware preservation and digital preservation.
My interests
● Using file formats
○ graphics, 3d, music…
● Abusing file formats
○ polyglots, schizophrenia, hash collisions…
● Preserving file formats
○ retro-gaming, digital archeology...
What is a file format?
A miserable little pile of secrets.
Not just a sequence of binary.
If you [/your program] generate a picture of any kind, you might want to export the result to something that you can re-use later. (The same goes for any form of information.)
What is a file format?
A computer dialect to communicate between communities.
File formats are community connectors.
Don’t think so? Try exporting everything as XML ;)
Most people don’t care about <actor>.
They only care about <roles>.
We mostly care about the input/output.
Example:
We don’t care about GIF. We mostly care about its characteristics and how easy it is to use.
No need to be emotional, and stay in our comfort zone.
We don’t really care about file formats. We care about their characteristics.
Not groundbreaking, but supported “everywhere”.
Why should infosec care?
Fuzz formats. Blame “bad” devs. Collect CVEs. Boast your ego.
10 PRINT "SOLVED ANYTHING YET?"
20 GOTO 10
Attack surface
● 1 OS = N supported formats
● For each format:
○ How many parsers?
○ For each parser:
■ Which version, compiler...
The PGM and PPM formats are the easiest way to turn any data into valid grayscale or RGB pictures.
But most people don’t know they are supported out of the box by many programs.
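As an added example (not from the talk), the Python below shows how little it takes for arbitrary bytes to become a valid binary PGM picture, and what a strict header parser should refuse; the MAX_DIM limit and the rejection of '#' header comments are this example's own policy, not part of the PGM spec.

```python
# Added example, not from the talk: arbitrary bytes become a valid P5 (binary
# PGM) picture with nothing but a tiny text header, and a strict parser shows
# what a hardened reader should refuse. MAX_DIM and the rejection of '#'
# header comments are this example's own policy, not part of the PGM spec.
import re

MAX_DIM = 1 << 16   # assumed sane limit on width/height; tune per application
# P5, then width, height, maxval separated by whitespace, then exactly one
# whitespace byte before the raster. Comments ('#') are deliberately not allowed.
HEADER_RE = re.compile(rb"^P5[ \t\r\n]+(\d+)[ \t\r\n]+(\d+)[ \t\r\n]+(\d+)[ \t\r\n]")


def bytes_to_pgm(data: bytes, width: int) -> bytes:
    """Pad data to a whole number of rows and emit it as an 8-bit grayscale image."""
    if width <= 0:
        raise ValueError("width must be positive")
    height = -(-len(data) // width)                  # ceiling division
    padded = data + b"\x00" * (width * height - len(data))
    return b"P5\n%d %d\n255\n" % (width, height) + padded


def parse_pgm(blob: bytes):
    """Return (width, height, raster) or raise ValueError on anything unexpected."""
    m = HEADER_RE.match(blob[:64])                  # a sane header fits in 64 bytes
    if m is None:
        raise ValueError("not a binary PGM (P5) header")
    width, height, maxval = (int(g) for g in m.groups())
    if not (0 < width <= MAX_DIM and 0 < height <= MAX_DIM):
        raise ValueError("unreasonable dimensions")
    if maxval != 255:
        raise ValueError("only 8-bit samples handled here")
    raster = blob[m.end():]
    if len(raster) < width * height:                 # declared size vs. actual bytes
        raise ValueError("truncated raster")
    return width, height, raster[:width * height]


def is_valid_pgm(blob: bytes) -> bool:
    try:
        parse_pgm(blob)
        return True
    except ValueError:
        return False


# Constructed sample: ten bytes of text become a 4x3 grayscale picture.
SAMPLE = bytes_to_pgm(b"Hello, PGM", 4)
```

A lenient reader would accept the comment and oversized-dimension variants that this parser rejects, which is exactly where the unsuspected attack surface comes from.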
We should reduce the attack surface.
How many unsuspected supported [sub-]formats and parsers?
https://lcamtuf.blogspot.com/2014/10/psa-dont-run-strings-on-untrusted-files.html
How many file formats are supported by your browser?
By your OS?
How many do you really need?
Think “embedded”.
Capacity is still too cheap: we keep stacking formats/features, which doesn’t solve anything.
It’s a problem everywhere. We keep losing ground.
PoC||GTFO 10
“Pokemon plays Twitch”
1. Exploit a GameBoy game via input
2. Take over the Super GameBoy
3. Take over the Super Nintendo
The file itself can perform the exploit (on the hardware or an emulator).
The payload displays the article.
PoC||GTFO 10 is a PoC-ception:
- a PDF article describing the exploit
- a file performing the exploit (to display the article)
“young celebs”
What they were supposed to be doesn’t really matter.
What file formats were supposed to be doesn't matter anymore; what they are now is all we care about.
Security cares about current reality, not obsolete theory.
We can blame bad parsers. What about the file formats?
If the map is unclear enough, you’ll get lost anyway.
A blurry file format will never lead to a clean parser.
2 ways to communicate
● Use a ready-made translator: an import/export library.
● Write your own: read the specs.
Landscapes
To exploit hash collisions, I abused JPEG. To abuse JPEG “everywhere”, just abuse LibJPEG.
JPEG format’s landscape
In practice, JPEG is LibJPEG turbo v6:
● de facto standard
○ later versions not used (different API)
Even if you create your own JPEG library, you want to have full LibJPEG compatibility.
The JPEG format is defined by LibJPEG.
I made extremely custom PDFs for each reader.
These "extreme" PDFs fail on any other reader.
PDF’s current landscape
PDF: 6 interpretations of the specs
● specs are even more useless
One good open library: a unified attack surface.
Fuzz it, pwn everyone? True, but also fixed for everyone!
Is diversity really good? We’re all supposed to use the same file format.
Diversity is good? Attack surface is worse. Unofficial substandards.
In any case... Specs are merely an introduction guide. A free set of examples with corner cases.
A grammar?
PDF’s future
PDF/E (engineering): 3d crap
PDF/A (archiving): already 8 flavours
Specs:
● specs are now commercial
● the main implementation is not open
● no set of free files.
And all countries preserve their culture with that format?!?!
We’re waiting for a new disaster...
Many file formats are abandoned.
One spec, then nothing.
It’s like knowing about someone only from a baby picture.
PoC||GTFO 11
PoC||GTFO 11 is a webserver serving itself, with its own HTML page extracting its own attachments from its ZIP.
$ ruby pocorgtfo11.pdf
Listening for connections on port 8080.
To listen on a different port, re-run with the desired port as a command-line argument.
A neighbor at 127.0.0.1 is requesting /
A neighbor at 127.0.0.1 is requesting /ajax/feelies.json
A neighbor at 127.0.0.1 is requesting /favicon.png
$ unzip -l pocorgtfo11.pdf
Archive:  pocorgtfo11.pdf
  Length     Date   Time    Name
 --------    ----   ----    ----
        0  03-16-16 13:37   4am/
    25955  03-11-16 15:06   4am/Stickybear Math 2 (4am crack).txt
[...]
     3241  03-16-16 13:37   wafflehouse.txt
 --------                   -------
  8177332                   23 files
PoC||GTFO 11 is self-aware: a PDF that serves itself (HTTP quine) and parses its own ZIP to serve its archived feelies.
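A file like this carries three identities at once (script, PDF, ZIP), and a scanner that stops at the first matching signature or trusts the extension will miss that. As an added example (not PoC||GTFO's code), the Python below reports every container identity a blob carries; the 1024-byte window for the PDF header is an assumed reader tolerance, and the sample polyglot is constructed in the block.

```python
# Added example, not PoC||GTFO's own code: list every container identity a
# single byte blob carries, so a file that is at once a script, a PDF and a
# ZIP is reported as a polyglot rather than classified by extension or by
# whichever parser happened to look first. The 1024-byte PDF header window
# is an assumed reader tolerance, not a spec value.
import io
import struct
import zipfile


def pdf_identity(blob: bytes):
    # Readers accept "%PDF-" anywhere near the start, not only at offset 0.
    off = blob.find(b"%PDF-", 0, 1024 + 5)
    return None if off < 0 else ("pdf", off)


def zip_identity(blob: bytes):
    # A ZIP is anchored by its end-of-central-directory (EOCD) record near the
    # end of the file; prepended data (e.g. a PDF) is tolerated, as unzip does.
    eocd = blob.rfind(b"PK\x05\x06")
    if eocd < 0 or eocd + 22 > len(blob):
        return None
    entries, cd_size, cd_off = struct.unpack_from("<HII", blob, eocd + 10)
    if cd_off + cd_size > eocd:                     # central dir must precede EOCD
        return None
    return ("zip", eocd, entries)


def script_identity(blob: bytes):
    # An interpreter line makes the blob runnable, whatever its extension says.
    first_line = blob.split(b"\n", 1)[0]
    if first_line.startswith(b"#!"):
        return ("script", first_line.decode("ascii", "replace").strip())
    return None


def identities(blob: bytes):
    found = (f(blob) for f in (pdf_identity, zip_identity, script_identity))
    return [x for x in found if x is not None]


def is_polyglot(blob: bytes) -> bool:
    return len(identities(blob)) > 1


def build_sample() -> bytes:
    """Constructed polyglot: a shebang line, a PDF header, then a real ZIP."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("feelies/readme.txt", "constructed attachment")
    return b"#!/usr/bin/env ruby\n%PDF-1.5\n%fake body\n" + buf.getvalue()
```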
Important question
Do you still sleep with a teddy bear?
Kids really deprecate stuff.
Our computers still handle more and more file formats.
⇒ The attack surface just keeps growing.
Obsolete formats are still omnipresent.
Formats, sub-formats, features...
Because it’s unclear if we can go back, we’d be too afraid to deprecate them.
Yet we deprecate for security.
Example for PDF: JPEG-compressed text is not supported anymore (it could bypass security).
Windows PE format becomes stricter (deprecates packers).
Sometimes, it’s not even for security reasons.
For example, EPUB 3.1 suddenly killed backward compatibility.
http://blog.kbresearch.nl/2016/03/10/the-future-of-epub-a-first-look-at-the-epub-3-1-editors-draft/
We don’t need new file formats.
It’s the same problem again if eventually their specs stop reflecting reality.
Even dictionaries have regular updates, to reflect reality.
Story time
Digipres = PDF worshippers. 150 years of availability?
● Non-free specs + closed source software?
Here comes the grim reaper:
● Fix your stuff or it will be killed (like Flash)
We store our knowledge. What about files born digital?
Not infosec, but worrying.
veraPDF and its test files: a great initiative.
PE.corkami.com: my own collection of hand-made executables and "documentation" (completely free).
Some of these failed a lot of software...
Consequence of my PE page + corpus
● 'corkami-proof' software
● raises the bar for everyone
● becomes a hub of knowledge
○ "I can't share the sample", but from the knowledge, my own file will be shared ⇒ even useful for the original contact
Conclusion
Attack surface
Too many (sub)formats.
Too many parsers (= no good open lib).
Specs
Specs shouldn’t be a religious text
● worshipped, but outdated and worthless
Specs should reflect reality (a law)
● updated, enforced, realistic, freely available
A good open lib
Deprecation
Deprecation is a natural cycle, and yet... We are afraid to deprecate because no file format is fully preserved:
● open, up-to-date specs
● free test coverage
But it won’t happen...
...until a great disaster?
It ends up on CNN, with a logo & a website :)
Ack: Phil, Fabrice, Travis, Sergey, Micah, Kurt, QKumba, Hanno...
Thank you!
Caring for file formats
corkami.com
@angealbertini
Hail to the king, baby!