Gynvael Coldwind
Security researcher, Google
Dragon Sector captain
likes hamburgers
http://gynvael.coldwind.pl/
All opinions expressed during this presentation are mine and mine alone. They are not opinions of my lawyer, barber and especially not my employer.
Let's start with simple stuff - the ZIP format
A ZIP file begins with letters PK. WRONG
ZIP - second attempt :)
The "header" (PK\5\6...) is "somewhere" in the last 65557 bytes of the .zip file.
ZIP - "somewhere"?!
You begin ZIP parsing from this record; it MUST be at the end of the file.
4.3.16 End of central directory record:
  end of central dir signature                                      4 bytes (0x06054b50)
  number of this disk                                               2 bytes
  number of the disk with the start of the central directory        2 bytes
  total number of entries in the central directory on this disk     2 bytes
  total number of entries in the central directory                  2 bytes
  size of the central directory                                     4 bytes
  offset of start of central directory with respect to the starting disk number   4 bytes
  .ZIP file comment length                                          2 bytes ($0000-$FFFF, i.e. 0-65535)
  .ZIP file comment                                                 (variable size)
The fixed part is 22 bytes. Total: from 22 to 65557 bytes (aka: the PK\5\6 magic will be somewhere between EOF-65557 and EOF-22).
ZIP - looking for the "header"?
"From the START": begin at EOF-65557 and move forward, until PK\5\6... is found "somewhere".
"From the END": begin at EOF-22 and move backward, until PK\5\6... is found "somewhere" (ZIPs usually don't have comments).
The show will continue in a moment. Larch Something completely different
ZIP Format - LFH
4.3.7 Local file header:
  local file header signature   4 bytes (0x04034b50)
  version needed to extract     2 bytes
  general purpose bit flag      2 bytes
  compression method            2 bytes
  last mod file time            2 bytes
  last mod file date            2 bytes
  crc-32                        4 bytes
  compressed size               4 bytes
  uncompressed size             4 bytes
  file name length              2 bytes
  extra field length            2 bytes
  (slide annotation on the fields above: "random stuff")
  file name                     (variable size)
  extra field                   (variable size)
  file data                     (variable size)
PK\3\4... LFH + data: each file/directory in a ZIP has LFH + data.
ZIP Format - CDH
[central directory header n]
  central file header signature   4 bytes (0x02014b50)
  version made by                 2 bytes
  version needed to extract       2 bytes
  general purpose bit flag        2 bytes
  compression method              2 bytes
  last mod file time              2 bytes
  last mod file date              2 bytes
  crc-32                          4 bytes
  compressed size                 4 bytes
  uncompressed size               4 bytes
  file name length                2 bytes
  extra field length              2 bytes
  (similar stuff to LFH: thanks to the redundancy you can recover LFH using CDH, or CDH using LFH)
  file comment length             2 bytes
  disk number start               2 bytes
  internal file attributes        2 bytes
  external file attributes        4 bytes
  relative offset of local header 4 bytes
  file name                       (variable size)
  extra field                     (variable size)
  file comment                    (variable size)
PK\2\1... CDH: each file/directory has a CDH entry in the Central Directory.
ZIP - a complete file
  PK\3\4... LFH + data   (files: header + data)
  PK\2\1... CDH          (list of files, with pointers to the LFHs)
  PK\5\6... EOCD
ZIP - a complete file (continued)
  PK\3\4... LFH + data
  PK\2\1... CDH
  PK\5\6... EOCD
  PK\3\4... LFH + data
  PK\2\1... CDH
  PK\5\6... EOCD
If the list of the files has pointers to files... ...the ZIP structure can be more relaxed.
ZIP - a complete file (continued)
  PK\2\1... CDH
  PK\3\4... LFH + data
  PK\5\6... EOCD
  file comment (variable size)
You can even do an "inception" (some parsers may allow EOCD(CDH(LFH))): the whole structure can live inside the EOCD's file comment.
And now back to our show! (we were looking for the EOCD) Larch Something completely different
ZIP - looking for the "header"? (who cares...)
"stream": Let's ignore EOCD! (it's sometimes faster; 99.9% of ZIPs out there can be parsed this way)
  PK\3\4... LFH + data
  PK\3\4... LFH + data
  PK\3\4... LFH + data
  PK\5\6...
(single "files" in an archive, read one after another)
ZIP - looking for the "header"? (who cares...)
"aggressive stream": We ignore the "garbage"! (forensics)
  PK\3\4... LFH + data
  [garbage]
  PK\3\4... LFH + data
  [garbage]
  PK\3\4... LFH + data
  PK\5\6...
(single "files" in an archive, found by scanning for the LFH magic)
Let's test the parsers! abstract.zip
abstract.zip
Layout of the test file (top to bottom): LFH+data, syntax breaker, LFH+data, LFH+data, CDH, EOCD, LFH+data, CDH, EOCD.
In the diagram, the yellow part is an EOCD comment of the green archive.
Each strategy (stream, aggressive stream, start-first, end-first) lands on a different part of the file.
abstract.zip

    from zipfile import ZipFile
    ZipFile("abstract.zip", "r").printdir()
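The four lookup strategies from the slides (end-first, start-first, stream, aggressive stream), written out as an added example that is not part of the original talk; the sample archive is constructed inline (a second complete ZIP hidden in the first one's EOCD comment), and the prepended-data correction mirrors what Python's zipfile does.

```python
import struct
import zlib

LFH, CDH, EOCD = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def build_zip(name, data, comment=b""):
    """Build a minimal single-file ZIP (stored, method 0). Constructed sample data, not a real tool."""
    crc = zlib.crc32(data)
    lfh = LFH + struct.pack("<HHHHHIIIHH", 20, 0, 0, 0, 0, crc, len(data), len(data), len(name), 0) + name
    cdh = CDH + struct.pack("<HHHHHHIIIHHHHHII", 20, 20, 0, 0, 0, 0, crc, len(data), len(data),
                            len(name), 0, 0, 0, 0, 0, 0) + name
    eocd = EOCD + struct.pack("<HHHHIIH", 0, 0, 1, 1, len(cdh), len(lfh) + len(data), len(comment))
    return lfh + data + cdh + eocd + comment

def names_via_eocd(buf, from_end=True):
    """Find the EOCD (backward from EOF-22, or forward from EOF-65557) and walk the CDH list it points at."""
    lo = max(0, len(buf) - 65557)
    pos = buf.rfind(EOCD, lo) if from_end else buf.find(EOCD, lo)
    if pos < 0:
        return []
    cd_size, cd_off = struct.unpack_from("<II", buf, pos + 12)
    shift = pos - (cd_off + cd_size)       # data prepended to the archive moves the CD: same fix as zipfile
    names, p = [], cd_off + shift
    while p < pos and buf[p:p + 4] == CDH:
        nlen, xlen, clen = struct.unpack_from("<HHH", buf, p + 28)
        names.append(buf[p + 46:p + 46 + nlen].decode())
        p += 46 + nlen + xlen + clen
    return names

def names_via_stream(buf, aggressive=False):
    """Walk LFH records from offset 0; the aggressive variant skips over anything that is not an LFH."""
    names, p = [], 0
    while p >= 0 and p + 30 <= len(buf):
        if buf[p:p + 4] != LFH:
            p = buf.find(LFH, p + 1) if aggressive else -1   # plain stream stops at the first non-LFH
            continue
        csize, nlen, xlen = struct.unpack_from("<I4xHH", buf, p + 18)
        names.append(buf[p + 30:p + 30 + nlen].decode())
        p += 30 + nlen + xlen + csize
    return names

STRATEGIES = {"end-first": lambda b: names_via_eocd(b, True), "start-first": lambda b: names_via_eocd(b, False),
              "stream": lambda b: names_via_stream(b, False), "aggressive": lambda b: names_via_stream(b, True)}

def zip_is_ambiguous(buf):
    """True when the strategies disagree about the archive's contents: a "schizophrenic" ZIP."""
    return len({tuple(f(buf)) for f in STRATEGIES.values()}) > 1

# Constructed sample: a complete second archive placed in the first archive's EOCD comment.
TWIN = build_zip(b"good.txt", b"hello", comment=build_zip(b"twin.txt", b"evil twin"))
```

Running `{k: f(TWIN) for k, f in STRATEGIES.items()}` gives three different answers for one file, which is exactly the disagreement a sanitizer and the consumer behind it must not have.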
sometimes, it’s in the specs obscurity via over-specification?
notice anything unusual?
PDF Layers 1/2
"Optional Content Configuration"
● principles
  ○ define layered content via various /Forms
  ○ enable/disable layers on viewing/printing
● no warning when printing
● "you can see the preview!"
  ○ bypass preview by keeping page 1 unchanged
  ○ just do a minor change in the file
PDF Layers 2/2
● it's Adobe only
  ○ what's displayed varies with readers
  ○ could be hidden via the previous schizophrenic trick
● it was in the specs all along
  ○ very rarely used
  ○ can be abused
BMP Trick 1 (originally published in Gynvael's "Format BMP okiem hakera" article in 2008)
bfOffBits: "Specifies the offset, in bytes, from the BITMAPFILEHEADER structure to the bitmap bits" (MSDN)
File layout:
  offset 0: FILE HEADER (contains bfOffBits)
  INFO HEADER
  PIXEL DATA (secondary)
  offset N (= bfOffBits): PIXEL DATA
● Some image viewers ignore bfOffBits and look for data immediately after the headers.
Different images, depending on which pixel data is used.
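A check for the bfOffBits trick, added here as an example (not code from the talk): it builds a constructed 24-bit BMP that carries a second pixel area between the headers and the declared offset, and compares what a viewer honouring bfOffBits sees with what one reading straight after the headers sees.

```python
import struct

def build_bmp(pixel_bgr, hidden_bgr=None):
    """Build a 1x1 24-bit BMP (constructed sample). With hidden_bgr set, those bytes sit right after
    the headers while bfOffBits points past them at pixel_bgr: two candidate pixel areas in one file."""
    hidden = (hidden_bgr + b"\x00") if hidden_bgr else b""    # one 1-pixel row, padded to 4 bytes
    row = pixel_bgr + b"\x00"
    off_bits = 14 + 40 + len(hidden)
    file_hdr = b"BM" + struct.pack("<IHHI", off_bits + len(row), 0, 0, off_bits)
    info_hdr = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(row), 2835, 2835, 0, 0)
    return file_hdr + info_hdr + hidden + row

def pixel_data_offsets(bmp):
    """Return (bfOffBits, offset right after the headers and palette). Equal in a sane file; a gap
    means a viewer honouring bfOffBits and one that ignores it can show different pixels."""
    bf_off_bits, = struct.unpack_from("<I", bmp, 10)
    bi_size, = struct.unpack_from("<I", bmp, 14)
    bit_count, = struct.unpack_from("<H", bmp, 28)
    clr_used, = struct.unpack_from("<I", bmp, 46)
    palette = 0 if bit_count > 8 else (clr_used or (1 << bit_count)) * 4
    return bf_off_bits, 14 + bi_size + palette

def first_pixel(bmp, offset):
    """(B, G, R) of the first stored pixel if pixel data is assumed to start at `offset`."""
    return tuple(bmp[offset:offset + 3])

def bmp_is_ambiguous(bmp):
    """Flag files whose two candidate pixel areas would render differently."""
    declared, implied = pixel_data_offsets(bmp)
    return declared != implied and first_pixel(bmp, declared) != first_pixel(bmp, implied)

# Constructed sample: red per bfOffBits, blue for viewers that read straight after the headers.
RED_BGR, BLUE_BGR = b"\x00\x00\xff", b"\xff\x00\x00"
TWIN_BMP = build_bmp(RED_BGR, hidden_bgr=BLUE_BGR)
```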
BMP Trick 2 Something I've learnt about because it spoiled my steg100 task for a CTF (thankfully during testing).
BMP compression & palette
Run-Length Encoding (each box is 1 byte):
  Length (>0), Palette Index (color)                          -> run of Length pixels of that color
  0, Length (>2), Palette Index, Palette Index, ... (colors)   -> RAW pixels
  0, 0                                                        -> End of Line
  0, 1                                                        -> End of Bitmap
  0, 2, X offset, Y offset                                    -> Move Cursor
BMP compression & palette
Question: If the opcodes below allow jumping over pixels and set no data, how will those pixels look?
Hint: Please take a look at the presentation title :)
  0, 0                       -> End of Line
  0, 1                       -> End of Bitmap
  0, 2, X offset, Y offset   -> Move Cursor
Option 1 The missing data will be filled with background color. (index 0 in the palette)
Option 2 The missing data will be black.
Option 3 The missing data will be transparent. (pink represents transparency)
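An RLE8 decoder that keeps the skipped pixels explicitly undefined and then resolves them under each of the three viewer policies above (palette index 0, black, transparent); added example, not code from the talk, with a constructed 4x2 bitmap and palette.

```python
# Palette: index 0 is a light grey "background", index 1 is red. Constructed sample values.
PALETTE = [(200, 200, 200), (255, 0, 0)]

def decode_rle8(data, width, height):
    """Decode BMP RLE8 into rows (bottom-up, as stored). Pixels the opcodes never write stay None."""
    rows = [[None] * width for _ in range(height)]
    x = y = i = 0
    while i + 1 < len(data) and y < height:
        length, val = data[i], data[i + 1]
        i += 2
        if length > 0:                      # encoded run: `length` pixels of palette index `val`
            for _ in range(length):
                if x < width:
                    rows[y][x] = val
                x += 1
        elif val == 0:                      # end of line
            x, y = 0, y + 1
        elif val == 1:                      # end of bitmap
            break
        elif val == 2:                      # move cursor by (dx, dy): the skipped pixels are left unset
            x, y = x + data[i], y + data[i + 1]
            i += 2
        else:                               # absolute mode: `val` raw indices, padded to a 16-bit boundary
            for k in range(val):
                if x < width:
                    rows[y][x] = data[i + k]
                x += 1
            i += val + (val & 1)
    return rows

def render(rows, palette, policy):
    """Resolve unset pixels the way a given viewer would: palette index 0, black, or transparent (None)."""
    fill = {"background": palette[0], "black": (0, 0, 0), "transparent": None}[policy]
    return [[fill if v is None else palette[v] for v in row] for row in rows]

# Constructed 4x2 bitmap: row 0 = two red pixels, then a cursor move past the rest of the line;
# row 1 = a cursor move of one pixel, one red pixel, end of bitmap.
SAMPLE_RLE = bytes([2, 1,  0, 2, 2, 0,  0, 0,  0, 2, 1, 0,  1, 1,  0, 1])

if __name__ == "__main__":
    rows = decode_rle8(SAMPLE_RLE, 4, 2)
    for policy in ("background", "black", "transparent"):
        print(policy, render(rows, PALETTE, policy))
```

Half of the pixels in the sample are never written, so the three renders differ in exactly those positions; a sanitizer that re-encodes with one policy silently picks one of the three images.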
A data-schizophrenic image: image data combining
● 2 images
● via 2 palettes
Cute PoC by @reversity.
PNG spec: "There shall not be more than one PLTE chunk"
different images depending on which PLTE chunk is used
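A PNG chunk walker that counts PLTE chunks and reports the first palette entry of each, added here as an example (not the @reversity PoC); the 1x1 indexed PNG with two palettes is constructed inline.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def png_chunk(ctype, body):
    """Serialize one PNG chunk: length, type, data, CRC-32 over type + data."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))

def iter_chunks(png):
    """Yield (type, data, crc_ok) for every chunk after the 8-byte signature."""
    if png[:8] != PNG_SIG:
        raise ValueError("not a PNG")
    p = 8
    while p + 8 <= len(png):
        length, ctype = struct.unpack_from(">I4s", png, p)
        body = png[p + 8:p + 8 + length]
        crc, = struct.unpack_from(">I", png, p + 8 + length)
        yield ctype, body, crc == zlib.crc32(ctype + body)
        p += 12 + length

def palette_report(png):
    """How many well-formed PLTE chunks there are, and color 0 of each. More than one means
    decoders that take the first and decoders that take the last show different images."""
    plte = [body for ctype, body, ok in iter_chunks(png) if ctype == b"PLTE" and ok]
    return {"plte_count": len(plte), "color0_each": [tuple(b[:3]) for b in plte]}

# Constructed 1x1 indexed PNG with two PLTE chunks (a spec violation): index 0 is red in one, blue in the other.
SAMPLE_PNG = (PNG_SIG
              + png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 3, 0, 0, 0))
              + png_chunk(b"PLTE", b"\xff\x00\x00")
              + png_chunk(b"PLTE", b"\x00\x00\xff")
              + png_chunk(b"IDAT", zlib.compress(b"\x00\x00"))   # filter byte 0, pixel index 0
              + png_chunk(b"IEND", b""))
```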
Relocation types (support on XP / Vista / W8):
  Type 4  HIGH_ADJ: -- / -- / ✓
  Type 9  MIPS_JMPADDR16, IA64_IMM64, MACHINE_SPEC_9: 32 bit vs 64 bit, ✗
Relocations on relocations (as seen in PoC||GTFO):
  Type 4  HIGH_ADJ: -- / -- / ✓
  Type 9  MIPS_JMPADDR16, IA64_IMM64, MACHINE_SPEC_9: 32 bit vs 64 bit, ✗
  Type 10 DIR64: ✓ / ✓ / ✓
questions?
Ange Albertini (@angealbertini), Gynvael Coldwind (@gynvael)
thank you
"It's time to kick ass and chew bubble gum... and I'm all outta gum."
Bonus Round (not a fully schizophrenic problem in popular parsers, that's why it's here) vs Flash (SWF) vs Prezi
Prezi SWF sanitizer
Prezi allows embedding SWF files. But it first sanitizes them. It uses one of two built-in SWF parsers. There was a problem in one of them:
● It allowed huge chunk sizes.
● It just "jumped" (seeked) over these chunks...
● ...which resulted in an integer overflow...
● ...and this led to schizophrenia.
● As the sanitizer saw a good SWF...
● ...Adobe Flash got its evil twin brother.
Prezi SWF sanitizer
The "good" SWF sent to the sanitizer, and its evil twin brother as seen by Flash. Kudos to the sanitizer! Fixed in Q1 2014.
For details see: "Integer overflow into XSS and other fun stuff - a case study of a bug bounty" http://gynvael.coldwind.pl/?id=533