a binary chimera
3 headers & 1 data body in a single file
Ange Albertini, March 2014

chimera /kʌɪˈmɪərə, kɪ-/
noun
1. (in Greek mythology) a fire-breathing female monster with a lion's head, a goat's body, and a serpent's tail.

what is it?
a file that is:
● a JPG
● a PDF
● a ZIP

that's all?
is it just 3 stacked formats?
if only >:-)

a binary chimera
the image data is present only once:
all 3 file formats rely on the same body.
1 data body, 3 different headers (PDF/ZIP/JPG) → chimera

why?
● why not!
● just a PoC for me
○ but maybe a fixed bug for you
it shows that
● too many file format specs suck!
○ which decreases our security

starting ideas
● PDF can use unmodified JPG files
○ we just need to duplicate the JPG header
○ and trick the JPG header into finding its data 'further' than expected
● ZIP can store data unmodified
○ we just need to trick the ZIP structure into finding its file data within the PDF

magic signature
● JPEG: FF D8 at offset 0
● PDF: %PDF-1.x anywhere within the first 1024 bytes
● ZIP: PK\x03\x04 anywhere
→ our file starts with FF D8 at offset 0; we need to 'hide' the rest

hiding PDF/ZIP data from JPEG
● JPEG is chunk-based (the chunks are called segments)
→ add comment segments to cover the PDF/ZIP data
syntax: FF FE <length> <data>, where the 2-byte big-endian length counts itself (+2)

hiding JPEG/ZIP data from PDF
● a PDF is not parsed until its signature is met
→ the JPEG header is ignored
● PDF is object-based
→ dummy stream objects to cover the ZIP/JPG data

PDF stream object
<unused number> 0 obj
<<>>
stream
<data>
endstream
endobj

Problem: in a ZIP, the file data immediately follows the LocalFileHeader
→ the start of the PDF image object overlaps the LocalFileHeader :(
Solution: a ZIP stores each filename twice:
● in the CentralDirectory (the important one)
● in each LocalFileHeader (discardable)
→ abuse the LFH's filename to overlap the start of the PDF object (not 100% compatible)

elegance++
● cover the extra data after the JPEG end with a superfluous comment segment
● cover the extra PDF data by extending the ZIP archive comment (in the EoCD)

summary

icing on the cake
● all written by hand
● generated in ASM
● not specific to my JPEG/PDF/ZIP data
as usual ;)

partial failure
not fully "compatible"
● ZIP LFH name corrupted :(
○ 7z, ZipFile don't support it
● Adobe Reader blacklists PDFs that start with a JPEG
→ need to slightly corrupt the JPEG header
→ some JPEG viewers don't support it :(
○ the JPEG is corrupted so that the PDF opens in Adobe Reader; easy to fix, but that would break Adobe Reader
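The recipe of the slides from "starting ideas" through "elegance++", plus the ZipFile failure noted under "partial failure", as an added Python example. This is my reconstruction of the layout the slides describe, not the Corkami PoC (which was generated in ASM): the shared body is a constructed 1x1 grayscale JPEG, the PDF wrapper (one page, objects 1 to 5, 100x100 MediaBox) and the ZIP member name image.jpg are my choices, and the xref offsets are written relative to the %PDF header, which is how poppler and pdf.js treat a file with leading garbage (readers that disagree rebuild the xref). The Adobe Reader workaround (slightly corrupting the JPEG header) and the superfluous trailing comment segment are left out. The checkers at the end walk the result the way each parser does: the outer JPEG decoder sees one COM segment and then the inner DQT, the PDF stream is exactly the body, and the central directory names the member while the LFH name is the PDF object start.

```python
"""JPEG/PDF/ZIP chimera built on the layout the slides describe. Added example, not the
Corkami PoC: the body, the PDF wrapper, object numbers and the ZIP member name are my choices."""
import io, re, struct, zipfile, zlib


def minimal_jpeg() -> bytes:
    """Constructed 1x1 grayscale baseline JPEG: the single body all three headers share."""
    dqt = b"\xff\xdb" + struct.pack(">HB", 67, 0) + b"\x01" * 64
    sof = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, 1, 1, 1) + b"\x01\x11\x00"
    one_code = b"\x01" + b"\x00" * 15 + b"\x00"        # a single 1-bit code "0" -> symbol 0x00
    dht = b"\xff\xc4" + struct.pack(">H", 38) + b"\x00" + one_code + b"\x10" + one_code
    sos = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00"
    return b"\xff\xd8" + dqt + sof + dht + sos + b"\x3f" + b"\xff\xd9"   # scan: DC 0, EOB, padding

def zip_lfh(name: bytes, data: bytes) -> bytes:
    return b"PK\x03\x04" + struct.pack("<HHHHHLLLHH", 10, 0, 0, 0, 0x21, zlib.crc32(data),
                                       len(data), len(data), len(name), 0) + name

def zip_cd(name: bytes, data: bytes, lfh_off: int) -> bytes:
    return b"PK\x01\x02" + struct.pack("<HHHHHHLLLHHHHHLL", 20, 10, 0, 0, 0, 0x21, zlib.crc32(data),
                                       len(data), len(data), len(name), 0, 0, 0, 0, 0, lfh_off) + name

def build_chimera(body: bytes) -> bytes:
    """SOI, COM{PDF header, ZIP LFH whose name is the PDF image object start, inner SOI}, body, PDF
    objects, ZIP central directory, EOCD whose archive comment is the PDF xref/trailer."""
    pdf_hdr = b"%PDF-1.4\n"                                  # lands at offset 6, inside the 0-1024 window
    obj1 = (b"\n1 0 obj\n<</Type/XObject/Subtype/Image/Width 1/Height 1/ColorSpace/DeviceGray"
            b"/BitsPerComponent 8/Filter/DCTDecode/Length %d>>\nstream\n" % len(body))
    lfh_off = 6 + len(pdf_hdr)
    hidden = pdf_hdr + zip_lfh(obj1, body) + body[:2]       # everything the outer COM segment swallows
    out = bytearray(b"\xff\xd8\xff\xfe" + struct.pack(">H", len(hidden) + 2) + hidden)
    offs = {1: lfh_off + 30 + 1}                             # "1 0 obj" sits 1 byte into the LFH name
    out += body[2:]            # JPEG decoder resumes at the inner DQT; PDF stream and ZIP data = body
    out += b"\nendstream\nendobj\n"
    content = b"q 100 0 0 100 0 0 cm /Im Do Q"
    for num, obj in [(2, b"<</Type/Page/Parent 3 0 R/MediaBox[0 0 100 100]"
                         b"/Resources<</XObject<</Im 1 0 R>>>>/Contents 4 0 R>>"),
                     (3, b"<</Type/Pages/Kids[2 0 R]/Count 1>>"),
                     (4, b"<</Length %d>>\nstream\n" % len(content) + content + b"\nendstream"),
                     (5, b"<</Type/Catalog/Pages 3 0 R>>")]:
        offs[num] = len(out)
        out += b"%d 0 obj\n" % num + obj + b"\nendobj\n"
    cd, cd_off = zip_cd(b"image.jpg", body, lfh_off), len(out)
    xref_off = cd_off + len(cd) + 22                         # the xref lives inside the EOCD comment
    # assumption: offsets relative to the %PDF header (poppler/pdf.js move the stream start there)
    tail = (b"xref\n0 6\n0000000000 65535 f \n" + b"".join(b"%010d 00000 n \n" % (offs[n] - 6) for n in range(1, 6))
            + b"trailer\n<</Size 6/Root 5 0 R>>\nstartxref\n%d\n%%%%EOF\n" % (xref_off - 6))
    out += cd + b"PK\x05\x06" + struct.pack("<HHHHLLH", 0, 0, 1, 1, len(cd), cd_off, len(tail)) + tail
    return bytes(out)

def jpeg_segments(data: bytes):
    """Walk marker segments the way a decoder does: [(marker, offset, length)], stopping at EOI."""
    assert data[:2] == b"\xff\xd8", "no SOI at offset 0"
    segs, pos = [], 2
    while True:
        assert data[pos] == 0xFF, "expected a marker at offset %d" % pos
        marker = data[pos + 1]
        if marker == 0xD9:                                   # EOI: bytes after it are invisible
            return segs + [(marker, pos, 0)]
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        segs.append((marker, pos, length))
        pos += 2 + length                                    # COM payload is skipped, never parsed
        if marker == 0xDA:                                   # SOS: skip entropy-coded data
            while not (data[pos] == 0xFF and data[pos + 1] and not 0xD0 <= data[pos + 1] <= 0xD7):
                pos += 1

def pdf_image_stream(data: bytes) -> bytes:
    """Pull object 1's stream the way a PDF parser would: locate the object, honour /Length."""
    m = re.search(rb"1 0 obj\s*<<(.*?)>>\s*stream\n", data, re.S)
    length = int(re.search(rb"/Length (\d+)", m.group(1)).group(1))
    return data[m.end():m.end() + length]

def zip_entries(data: bytes):
    """Read through the central directory (what unzip trusts) and also report each LFH's own name."""
    eocd = data.rfind(b"PK\x05\x06")
    n, _, pos, clen = struct.unpack("<HLLH", data[eocd + 10:eocd + 22])
    out = []
    for _ in range(n):
        _, csize, _, nlen, xlen, clen_e = struct.unpack("<LLLHHH", data[pos + 16:pos + 34])
        lfh_off = struct.unpack("<L", data[pos + 42:pos + 46])[0]
        lnlen, lxlen = struct.unpack("<HH", data[lfh_off + 26:lfh_off + 30])
        start = lfh_off + 30 + lnlen + lxlen
        out.append((data[pos + 46:pos + 46 + nlen], data[lfh_off + 30:lfh_off + 30 + lnlen], data[start:start + csize]))
        pos += 46 + nlen + xlen + clen_e
    return out, data[eocd + 22:eocd + 22 + clen]             # the archive comment = PDF xref/trailer

def stdlib_zip_view(data: bytes):
    """zipfile trusts the central directory (namelist works) but refuses a member whose LFH name differs."""
    zf = zipfile.ZipFile(io.BytesIO(data))
    try:
        zf.read("image.jpg")
        return zf.namelist(), False
    except zipfile.BadZipFile:
        return zf.namelist(), True

if __name__ == "__main__":                # the same bytes open as chimera.jpg, .pdf and .zip
    chimera = build_chimera(minimal_jpeg())
    open("chimera.jpg", "wb").write(chimera)
    print([hex(m) for m, _, _ in jpeg_segments(chimera)], stdlib_zip_view(chimera))
```

Running it writes chimera.jpg; copying the same bytes to a .pdf or .zip name is enough for the other two parsers. Python's zipfile lists image.jpg from the central directory and then raises BadZipFile on read because the local header's name differs, which is exactly the "ZipFile don't support it" line above; 7z is not exercised here.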
Conclusion
● yet another kind of file format puzzle
○ new?
● chimeras aren't legend anymore :p
● source & PoC
○ http://corkami.googlecode.com/svn/trunk/src/chimera

ACK
Binary masters
● Julia Wolf, Jonas Magazinius, Gynvael Coldwind
PoC||GTFO neighbors
● Travis Goodspeed, Sergey Bratus
Feedbackers
● @munin @LeBurek @rfc1459 @InfoSec208
Promising jedi ;)
● Dominique Bongard

Questions/suggestions?
@angealbertini

Want more?
read PoC||GTFO!