As file format specs leave room for interpretation and sometimes are misunderstood or ignored by the programmers, some well-formed files may be interpreted inconsistently by different tools and libraries. As a result, this can be (ab)used for simple jokes, anti-forensics or to bypass sanitizers which might lead to data exfiltration.
Ange Albertini: Reverse Engineer, author of Corkami
Gynvael Coldwind: His main areas of interest are low-level security (kernel, OS, client), web security and reverse-engineering. Captain of Dragon Sector CTF team :) Currently working as an Information Security Engineer at Google.
2. Gynvael Coldwind
Security researcher, Google
Dragon Sector captain
likes hamburgers
http://gynvael.coldwind.pl/
All opinions expressed during this presentation are mine and mine alone.
They are not opinions of my lawyer, barber and especially not my employer.
9. file names in ZIP
a couple of files with the same name?
update:
for an awesome example see:
Android: One Root to Own Them All
Jeff Forristal / Bluebox
(https://media.blackhat.com/us-13/US-13-Forristal-Android-One-Root-to-Own-Them-All-Slides.pdf)
11. Let's start with simple stuff -
the ZIP format
A ZIP file begins with letters PK.
12. Let's start with simple stuff -
the ZIP format
A ZIP file begins with letters PK.
WRONG
13. ZIP - second attempt :)
.zip file: the "header" (PK56...) is "somewhere" in the last 65557 bytes of the file.
14. ZIP - "somewhere" ?!
4.3.16 End of central directory record:
  end of central dir signature                        4 bytes (0x06054b50)
  number of this disk                                 2 bytes
  number of the disk with the start of the
    central directory                                 2 bytes
  total number of entries in the central
    directory on this disk                            2 bytes
  total number of entries in the central directory    2 bytes
  size of the central directory                       4 bytes
  offset of start of central directory with
    respect to the starting disk number               4 bytes
  .ZIP file comment length                            2 bytes
  .ZIP file comment                                   (variable size)
You begin ZIP parsing from this record; it MUST be at the end of the file.
Fixed part: 22 bytes. Comment length: $0000-$FFFF (0-65535).
Total: from 22 to 65557 bytes
(aka: PK56 magic will be somewhere between EOF-65557 and EOF-22)
15. ZIP - looking for the "header"?
"From the START": begin at EOF-65557, and move forward until PK56... turns up "somewhere".
"From the END" (ZIPs usually don't have comments): begin at EOF-22, and move backward until PK56... turns up "somewhere".
17. ZIP Format - LFH
4.3.7 Local file header:
  local file header signature       4 bytes (0x04034b50)
  version needed to extract         2 bytes
  general purpose bit flag          2 bytes
  compression method                2 bytes
  last mod file time                2 bytes
  last mod file date                2 bytes
  crc-32                            4 bytes
  compressed size                   4 bytes
  uncompressed size                 4 bytes
  file name length                  2 bytes
  extra field length                2 bytes
  file name                         (variable size)
  extra field                       (variable size)
  file data                         (variable size)
[random stuff] PK34... LFH + data
Each file/directory in a ZIP has LFH + data.
18. ZIP Format - CDH
[central directory header n]
  central file header signature     4 bytes (0x02014b50)
  version made by                   2 bytes
  version needed to extract         2 bytes
  general purpose bit flag          2 bytes
  compression method                2 bytes
  last mod file time                2 bytes
  last mod file date                2 bytes
  crc-32                            4 bytes
  compressed size                   4 bytes
  uncompressed size                 4 bytes
  file name length                  2 bytes
  extra field length                2 bytes
  file comment length               2 bytes
  disk number start                 2 bytes
  internal file attributes          2 bytes
  external file attributes          4 bytes
  relative offset of local header   4 bytes
  file name                         (variable size)
  extra field                       (variable size)
  file comment                      (variable size)
(similar stuff to LFH) PK21... CDH
Each file/directory has a CDH entry in the Central Directory.
Thanks to the redundancy you can recover LFH using CDH, or CDH using LFH.
19. ZIP - a complete file
PK34... LFH + data | PK21... CDH | PK56... EOCD
Files (header+data) | List of files (and pointers)
20. ZIP - a complete file (continued)
PK34... LFH + data | PK21... CDH | PK56... EOCD
If the list of the files has pointers to files...
... the ZIP structure can be more relaxed.
21. ZIP - a complete file (continued)
PK56... EOCD | file comment (variable size): PK21... CDH | PK34... LFH + data
You can even do an "inception"
(some parsers may allow EOCD(CDH(LFH)))
22. And now back to our show! (we were looking for the EOCD)
Larch
Something completely different
23. ZIP - looking for the "header"? "stream"
Let's ignore EOCD! (it's sometimes faster)
(99.9% of ZIPs out there can be parsed this way)
PK34... LFH + data | PK34... LFH + data | PK34... LFH + data | PK56... (who cares...)
(single "files" in an archive)
24. ZIP - looking for the "header"? "aggressive stream"
We ignore the "garbage"! (forensics)
PK34... LFH + data | PK34... LFH + data | PK34... LFH + data | PK56... (who cares...)
(single "files" in an archive)
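The three strategies from slides 14-24 (forward scan, backward scan, stream) can be run against one and the same file. The following is an added example, not code from the deck or from the speakers' PoCs: it builds a constructed archive (the entry names hello.txt and evil.txt are made up) whose EOCD comment hides a second EOCD and whose central directory omits one of the local headers, then shows each strategy producing a different listing. `is_unambiguous` is the kind of pre-check a sanitizer or forensic tool can apply before trusting any single view; it also rejects duplicate names, the slide 9 case.

```python
import struct
import zlib

LFH_SIG, CDH_SIG, EOCD_SIG = 0x04034B50, 0x02014B50, 0x06054B50
MAX_EOCD_SPAN = 65557          # 22-byte fixed part + up to 65535 bytes of comment
A = (b"hello.txt", b"hello")   # constructed sample entries
B = (b"evil.txt", b"evil")


def _lfh(name, data):
    """Local file header followed by stored (uncompressed) data."""
    return struct.pack("<IHHHHHIIIHH", LFH_SIG, 20, 0, 0, 0, 0, zlib.crc32(data),
                       len(data), len(data), len(name), 0) + name + data


def _cdh(name, data, lfh_offset):
    """Central directory header pointing back at the LFH at lfh_offset."""
    return struct.pack("<IHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, 0, 0, 0, 0, zlib.crc32(data),
                       len(data), len(data), len(name), 0, 0, 0, 0, 0, lfh_offset) + name


def _eocd(entries, cd_size, cd_offset, comment=b""):
    """End of central directory record, optionally followed by a comment."""
    return struct.pack("<IHHHHIIH", EOCD_SIG, 0, 0, entries, entries,
                       cd_size, cd_offset, len(comment)) + comment


def build_schizophrenic_zip():
    """Two LFHs on disk, two central directories, and an EOCD whose comment hides a second EOCD."""
    lfh_a, lfh_b = _lfh(*A), _lfh(*B)
    cd1, cd2 = _cdh(*A, 0), _cdh(*B, len(lfh_a))
    cd1_off = len(lfh_a) + len(lfh_b)
    cd2_off = cd1_off + len(cd1)
    eocd2 = _eocd(1, len(cd2), cd2_off)                  # lists only evil.txt
    eocd1 = _eocd(1, len(cd1), cd1_off, comment=eocd2)   # lists only hello.txt, carries eocd2 as comment
    return lfh_a + lfh_b + cd1 + cd2 + eocd1


def build_plain_zip():
    """An ordinary archive with both entries; every strategy agrees on it."""
    lfh_a, lfh_b = _lfh(*A), _lfh(*B)
    cd = _cdh(*A, 0) + _cdh(*B, len(lfh_a))
    return lfh_a + lfh_b + cd + _eocd(2, len(cd), len(lfh_a) + len(lfh_b))


def find_eocd_forward(buf):
    """'From the START': begin at EOF-65557 and take the first PK56 signature."""
    pos = buf.find(b"PK\x05\x06", max(0, len(buf) - MAX_EOCD_SPAN))
    if pos < 0:
        raise ValueError("no EOCD record")
    return pos


def find_eocd_backward(buf):
    """'From the END': begin at EOF-22 and walk back to the first PK56 whose comment length reaches EOF."""
    for pos in range(len(buf) - 22, max(-1, len(buf) - MAX_EOCD_SPAN - 1), -1):
        if buf[pos:pos + 4] == b"PK\x05\x06":
            comment_len = struct.unpack_from("<H", buf, pos + 20)[0]
            if pos + 22 + comment_len == len(buf):
                return pos
    raise ValueError("no EOCD record")


def list_central_directory(buf, eocd_pos):
    """Names as listed by the central directory the given EOCD points at."""
    entries, cd_size, cd_off = struct.unpack_from("<HII", buf, eocd_pos + 10)
    names, pos = [], cd_off
    for _ in range(entries):
        if struct.unpack_from("<I", buf, pos)[0] != CDH_SIG:
            raise ValueError("bad central directory header at %d" % pos)
        name_len, extra_len, comment_len = struct.unpack_from("<HHH", buf, pos + 28)
        names.append(buf[pos + 46:pos + 46 + name_len].decode())
        pos += 46 + name_len + extra_len + comment_len
    if pos - cd_off != cd_size:
        raise ValueError("central directory size mismatch")
    return names


def list_stream(buf):
    """'stream' mode: ignore the EOCD and walk LFH + data records from offset 0."""
    names, pos = [], 0
    while buf[pos:pos + 4] == b"PK\x03\x04":
        comp_size, _, name_len, extra_len = struct.unpack_from("<IIHH", buf, pos + 18)
        names.append(buf[pos + 30:pos + 30 + name_len].decode())
        pos += 30 + name_len + extra_len + comp_size
    return names


def listings(buf):
    return {"forward": list_central_directory(buf, find_eocd_forward(buf)),
            "backward": list_central_directory(buf, find_eocd_backward(buf)),
            "stream": list_stream(buf)}


def is_unambiguous(buf):
    """Accept only archives where every strategy sees the same, duplicate-free listing."""
    views = list(listings(buf).values())
    no_duplicates = all(len(set(v)) == len(v) for v in views)
    return no_duplicates and all(v == views[0] for v in views)
```

The stream walker only handles stored entries without data descriptors, which is all the constructed sample uses; a real-world checker would also follow the `relative offset of local header` pointers from each CDH and compare them with the LFHs it met while streaming.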
47. “Optional Content Configuration”
● principles
○ define layered content via various /Forms
○ enable/disable layers on viewing/printing
● no warning when printing
● “you can see the preview!”
○ bypass preview by keeping page 1 unchanged
○ just do a minor change in the file
PDF Layers 1/2
48. ● it’s Adobe only
○ what’s displayed varies with readers
○ could be hidden via previous schizophrenic trick
● it was in the specs all along
○ very rarely used
○ can be abused
PDF Layers 2/2
50. FILE HEADER | INFO HEADER | PIXEL DATA
offset 0 ... offset N = bfOffBits
bfOffBits: "Specifies the offset, in bytes, from the BITMAPFILEHEADER structure to the bitmap bits" (MSDN)
51. FILE HEADER | INFO HEADER | PIXEL DATA (secondary) | PIXEL DATA
offset 0 ... offset N = bfOffBits
bfOffBits: "Specifies the offset, in bytes, from the BITMAPFILEHEADER structure to the bitmap bits" (MSDN)
● Some image viewers ignore bfOffBits and look for data immediately after the headers.
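To make the bfOffBits divergence of slides 50-51 concrete, here is an added example (not code from the deck): it constructs a 1x1 24-bit BMP with a decoy pixel immediately after the headers and bfOffBits pointing past it, reads the pixel both ways, and runs the header sanity checks a forensic tool can apply. The function names and the "decoy"/"shown" wording are mine.

```python
import struct

FILE_HDR = "<2sIHHI"        # BITMAPFILEHEADER: bfType, bfSize, bfReserved1, bfReserved2, bfOffBits (14 bytes)
INFO_HDR = "<IiiHHIIiiII"   # BITMAPINFOHEADER (40 bytes)


def build_bmp(shown_bgr, decoy_bgr=None):
    """Constructed 1x1 24-bit BMP. With decoy_bgr, that pixel sits right after the headers
    and bfOffBits skips over it to shown_bgr, as on slide 51."""
    rows = ([decoy_bgr + b"\x00"] if decoy_bgr else []) + [shown_bgr + b"\x00"]  # rows padded to 4 bytes
    off_bits = 14 + 40 + (4 if decoy_bgr else 0)
    size = 14 + 40 + 4 * len(rows)
    return (struct.pack(FILE_HDR, b"BM", size, 0, 0, off_bits)
            + struct.pack(INFO_HDR, 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0)
            + b"".join(rows))


def _pixel(buf, off):
    b, g, r = buf[off:off + 3]        # BMP stores 24-bit pixels as B, G, R
    return (r, g, b)


def pixel_per_spec(buf):
    """Reader that honours bfOffBits (the MSDN definition)."""
    return _pixel(buf, struct.unpack_from("<I", buf, 10)[0])


def pixel_after_headers(buf):
    """Reader that ignores bfOffBits and assumes pixels start right after the info header."""
    return _pixel(buf, 14 + struct.unpack_from("<I", buf, 14)[0])


def audit_offbits(buf):
    """Header sanity checks; returns a list of findings, empty for a well-behaved file."""
    findings = []
    bf_size, _, _, off_bits = struct.unpack_from("<IHHI", buf, 2)
    info_size, width, height, _, bpp = struct.unpack_from("<IiiHH", buf, 14)
    clr_used = struct.unpack_from("<I", buf, 46)[0]
    palette = (clr_used or (1 << bpp)) * 4 if bpp <= 8 else 0
    expected = 14 + info_size + palette              # where pixel data normally starts
    row_bytes = ((width * bpp + 31) // 32) * 4
    end = off_bits + row_bytes * abs(height)
    if bf_size != len(buf):
        findings.append("bfSize %d != actual size %d" % (bf_size, len(buf)))
    if off_bits < expected:
        findings.append("bfOffBits points inside the headers/palette")
    elif off_bits > expected:
        findings.append("%d unreferenced bytes between headers and pixel data" % (off_bits - expected))
    if end > len(buf):
        findings.append("pixel array runs past end of file")
    elif end < len(buf):
        findings.append("trailing bytes after pixel array")
    return findings
```

Any non-empty audit result means the file has bytes that one reader will show and another will not; which of the two views is the "real" picture cannot be decided from the header alone.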
53. BMP Trick 2
Something I've learnt about because it spoiled my steg100 task for a CTF (thankfully during testing).
54. BMP compression & palette
Run-Length Encoding (each box is 1 byte):
  Length >0 | Palette Index (color)
  Length 0  | 0 = End of Line
  Length 0  | 1 = End of Bitmap
  Length 0  | 2 = Move Cursor | X offset | Y offset
  Length 0  | RAW Length >2 | Palette Index (color) | Palette Index (color) | ...
55. BMP compression & palette
Question: If the opcodes below allow jumping over pixels and set no data, what will those pixels look like?
Hint: Please take a look at the presentation title :)
  Length 0  | 0 = End of Line
  Length 0  | 1 = End of Bitmap
  Length 0  | 2 = Move Cursor | X offset | Y offset
56. Option 1
The missing data will be filled with background color.
(index 0 in the palette)
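Slides 54-56 ask what a decoder does with pixels the RLE stream never sets. As an added example (not code from the deck), this decoder implements the opcode table above and keeps a "written" mask beside the canvas, so a forensic tool can list exactly which pixels were skipped instead of silently filling them; the 4x2 sample stream is constructed for the example.

```python
def decode_rle8(data, width, height, background=0):
    """Decode a BI_RLE8 stream. Returns (pixels, written): pixels is a height x width grid of
    palette indices (rows in file order, bottom-up), written marks which pixels the stream set.
    Pixels never written keep `background` (Option 1 on the slide)."""
    pixels = [[background] * width for _ in range(height)]
    written = [[False] * width for _ in range(height)]
    x = y = pos = 0

    def put(index):
        nonlocal x
        if 0 <= y < height and 0 <= x < width:   # writes outside the canvas are dropped
            pixels[y][x] = index
            written[y][x] = True
        x += 1

    while pos + 1 < len(data):
        count, value = data[pos], data[pos + 1]
        pos += 2
        if count > 0:                 # encoded mode: repeat one palette index
            for _ in range(count):
                put(value)
        elif value == 0:              # escape: end of line
            x, y = 0, y + 1
        elif value == 1:              # escape: end of bitmap
            break
        elif value == 2:              # escape: move cursor by (dx, dy), touching no pixels
            if pos + 1 >= len(data):
                break
            x += data[pos]
            y += data[pos + 1]
            pos += 2
        else:                         # absolute mode: `value` literal indices, padded to 16 bits
            if pos + value > len(data):
                break                 # truncated stream: stop rather than read past the end
            for k in range(value):
                put(data[pos + k])
            pos += value + (value & 1)
    return pixels, written


def unwritten_pixels(written):
    """(x, y) coordinates the stream skipped: the spots where a viewer that does not clear
    its canvas would show stale memory, and where a steg payload could hide."""
    return [(x, y) for y, row in enumerate(written) for x, w in enumerate(row) if not w]


# Constructed 4x2 sample: row 0 = three pixels of colour 5, a move over one pixel, end of line;
# row 1 = three literal pixels (7, 8, 9) plus pad byte, then end of bitmap. x=3 is never set on either row.
SAMPLE_RLE8 = bytes([3, 5,  0, 2, 1, 0,  0, 0,  0, 3, 7, 8, 9, 0,  0, 1])
```

Running the sample with two different `background` values shows that the skipped pixels are whatever the decoder chooses, not something the file specifies; a CTF task or a sanitizer that assumes a particular fill is relying on one parser's behaviour.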
64. Relocations on relocations
Type 4:  HIGH_ADJ                                        -- -- ✓
Type 9:  MIPS_JMPADDR16 / IA64_IMM64 / MACHINE_SPEC_9    (32 bit / 64 bit) ✗
Type 10: DIR64                                           ✓ ✓ ✓
(as seen in PoC||GTFO)
68. GIF
GIF can be made of many small images.
If "frame speed" is defined, these are frames instead (and the first frame is treated as background).
69. GIF
Certain parsers (e.g. browsers) treat "images" as "frames"
regardless of "frame speed" not being defined.
Frame 1 Frame 2 Frame 3
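An added example for slides 68-69 (not code from the deck): a minimal GIF block walker that records, for each image descriptor, whether a Graphic Control Extension with a delay preceded it, together with a builder for constructed test files. The placeholder LZW payload is not a real encoding, which is enough for walking the block structure but not for decoding pixels.

```python
import struct


def build_gif(images, delay_cs=None):
    """Constructed GIF89a with a 4x4 logical screen and a 2-colour global palette. Each entry of
    `images` is (left, top, width, height); with delay_cs every image gets a Graphic Control
    Extension carrying that delay (in 1/100 s) in front of it."""
    out = bytearray(b"GIF89a")
    out += struct.pack("<HHBBB", 4, 4, 0x80, 0, 0)      # logical screen descriptor: GCT flag set, size field 0 -> 2 entries
    out += b"\x00\x00\x00\xff\xff\xff"                  # global colour table: black, white
    for left, top, width, height in images:
        if delay_cs is not None:
            out += b"\x21\xf9\x04\x00" + struct.pack("<H", delay_cs) + b"\x00\x00"
        out += b"\x2c" + struct.pack("<HHHHB", left, top, width, height, 0)
        out += b"\x02" + b"\x02\x44\x01" + b"\x00"       # LZW min code size, one placeholder sub-block, terminator
    out += b"\x3b"                                      # trailer
    return bytes(out)


def _skip_sub_blocks(buf, pos):
    """Advance over length-prefixed data sub-blocks up to and including the 0 terminator."""
    while True:
        n = buf[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n


def walk_gif(buf):
    """One dict per image descriptor: its placement box and the delay (if any) from the
    Graphic Control Extension that immediately preceded it."""
    if buf[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    _, _, packed = struct.unpack_from("<HHB", buf, 6)
    pos = 13
    if packed & 0x80:
        pos += 3 * (2 << (packed & 7))                    # global colour table
    images, pending_delay = [], None
    while pos < len(buf):
        block = buf[pos]
        pos += 1
        if block == 0x3B:                                 # trailer
            break
        if block == 0x21:                                 # extension block
            label = buf[pos]
            pos += 1
            if label == 0xF9:                             # graphic control: size, packed, delay, transparent index
                pending_delay = struct.unpack_from("<H", buf, pos + 2)[0]
            pos = _skip_sub_blocks(buf, pos)
        elif block == 0x2C:                               # image descriptor
            left, top, width, height, ipacked = struct.unpack_from("<HHHHB", buf, pos)
            pos += 9
            if ipacked & 0x80:
                pos += 3 * (2 << (ipacked & 7))           # local colour table
            pos += 1                                      # LZW minimum code size
            pos = _skip_sub_blocks(buf, pos)
            images.append({"box": (left, top, width, height), "delay": pending_delay})
            pending_delay = None
        else:
            raise ValueError("unknown block 0x%02x at %d" % (block, pos - 1))
    return images


def is_ambiguous(buf):
    """True when the file holds several images but no timing for them: a still-image viewer
    composites them onto one canvas while a browser plays them as frames."""
    images = walk_gif(buf)
    return len(images) > 1 and any(img["delay"] is None for img in images)
```

For a sanitizer the useful rule is the one `is_ambiguous` encodes: either the file has one image, or every image carries timing, and anything in between will be rendered differently by different consumers.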
75. it was too simple
● WinRar: different behavior when viewing or
extracting
○ opening/failing
○ opening/’nothing’
● Adobe: viewing ⇔ printing
○ well, it’s a feature
78. Failures / Ideas / WIP
● screen ⇔ printer
○ embedded color profiles?
● JPG
○ IrfanView vs the world
● Video
○ FLV: video fails but still plays sound ?
81. Conclusion
● such a mess
○ specs are messy
○ parsers don’t even respect them
● no CVE/blaming for parsing errors?
○ no security bug if no crash or exploit :(
PoCs and slides: http://goo.gl/Sfjfo4
84. Flash (SWF) vs Prezi
vs
Bonus Round
(not a fully schizophrenic problem in popular
parsers, that's why it's here)
85. Prezi SWF sanitizer
Prezi allows embedding SWF files.
But it first sanitizes them.
It uses one of two built-in SWF parsers.
There was a problem in one of them:
● It allowed huge chunk sizes.
● It just "jumped" (seeked) over these chunk...
● ...which resulted in an integer overflow...
● ...and this led to schizophrenia.
● As the sanitizer saw a good SWF...
● ...Adobe Flash got its evil twin brother.
86. Prezi SWF sanitizer
"good" SWF sent to sanitizer
and its evil twin brother
kudos to the sanitizer!
Fixed in Q1 2014. For details see:
"Integer overflow into XSS and other fun stuff - a case study of a bug bounty"
http://gynvael.coldwind.pl/?id=533
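As an added example for the Prezi case (not the Prezi sanitizer's code and not the speakers' PoC; the Flash side of the divergence is in the linked write-up and is not reproduced here): a constructed uncompressed SWF whose DefineShape tag declares a body far larger than the file, a walker that performs its bounds check in 32-bit arithmetic and therefore jumps past everything behind that tag, and the overflow-safe comparison that rejects the file instead. The tag allowlist is hypothetical.

```python
import struct

MASK32 = 0xFFFFFFFF
SWF_HEADER_LEN = 13   # "FWS" + version + file length + 1-byte RECT (nbits=0) + frame rate + frame count
ALLOWED_TAGS = {0: "End", 1: "ShowFrame", 2: "DefineShape", 9: "SetBackgroundColor"}  # hypothetical allowlist


def build_swf(tags):
    """Constructed uncompressed SWF. Each tag is (code, body, declared_len); declared_len=None
    means the header states the true body size, otherwise the header lies (long-form header)."""
    body = bytearray()
    for code, data, declared in tags:
        length = len(data) if declared is None else declared
        if declared is None and length < 0x3F:
            body += struct.pack("<H", (code << 6) | length)          # short header
        else:
            body += struct.pack("<HI", (code << 6) | 0x3F, length)   # long header: 0x3F + u32 length
        body += data
    total = SWF_HEADER_LEN + len(body)
    return b"FWS\x0a" + struct.pack("<I", total) + b"\x00" + struct.pack("<HH", 0x0C00, 1) + bytes(body)


def read_tag_header(buf, pos):
    """Return (tag code, declared length, offset of the tag body)."""
    word = struct.unpack_from("<H", buf, pos)[0]
    code, length = word >> 6, word & 0x3F
    if length == 0x3F:
        return code, struct.unpack_from("<I", buf, pos + 2)[0], pos + 6
    return code, length, pos + 2


def walk_tags_naive(buf):
    """Bounds check in 32-bit arithmetic, then a plain seek: a huge declared length wraps the
    check, passes, and the walker skips everything that follows the tag."""
    pos, seen = SWF_HEADER_LEN, []
    while pos < len(buf):
        code, length, body = read_tag_header(buf, pos)
        if (body + length) & MASK32 > len(buf):
            raise ValueError("truncated tag at %d" % pos)
        seen.append(code)
        pos = body + length
        if code == 0:
            break
    return seen


def walk_tags_strict(buf):
    """Overflow-safe: compare the declared length with the bytes that actually remain."""
    pos, seen = SWF_HEADER_LEN, []
    while pos < len(buf):
        code, length, body = read_tag_header(buf, pos)
        if length > len(buf) - body:
            raise ValueError("tag %d at %d declares %d bytes but only %d remain"
                             % (code, pos, length, len(buf) - body))
        seen.append(code)
        pos = body + length
        if code == 0:
            break
    return seen


def sanitize(buf, walker):
    """(accepted, tag codes seen): accept only if every tag the walker saw is allowlisted."""
    seen = walker(buf)
    return all(code in ALLOWED_TAGS for code in seen), seen


def rejects(buf, walker):
    """True if the walker refuses the file outright."""
    try:
        walker(buf)
        return False
    except ValueError:
        return True


SUSPICIOUS_SWF = build_swf([
    (1, b"", None),             # ShowFrame
    (2, b"", 0xFFFFFFF0),       # DefineShape with an empty body and a huge declared length
    (12, b"\x00", None),        # DoAction (script) sitting behind it, never inspected by the naive walker
    (0, b"", None),             # End
])
CLEAN_SWF = build_swf([(1, b"", None), (0, b"", None)])
```

The naive walker reports the constructed file as containing only ShowFrame and DefineShape and accepts it; the strict walker refuses at the second tag. The general rule is to compare a declared length against `remaining = len(buf) - body` rather than computing `body + length` first, since the former cannot overflow in any integer width.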