Transcript
-
Ange Albertini, Reverse engineering & Visual Documentations, http://corkami.com
-
ZIP archives
-
ZIP trick 1: a glitch in the matrix
-
file names in ZIP: a couple of files with the same name?
update: for an awesome example see: Android: One Root to Own Them All, Jeff Forristal / Bluebox (https://media.blackhat.com/us-13/US-13-Forristal-Android-One-Root-to-Own-Them-All-Slides.pdf)
-
ZIP trick 2: abstract kitty
-
ZIP - "somewhere" ?!
4.3.16 End of central directory record:
  end of central dir signature                                       4 bytes (0x06054b50)
  number of this disk                                                2 bytes
  number of the disk with the start of the central directory         2 bytes
  total number of entries in the central directory on this disk      2 bytes
  total number of entries in the central directory                   2 bytes
  size of the central directory                                      4 bytes
  offset of start of central directory with respect to the
    starting disk number                                             4 bytes
  .ZIP file comment length                                           2 bytes ($0000-$FFFF, i.e. 0-65535)
  .ZIP file comment                                                  (variable size)
You begin ZIP parsing from this record; it MUST be at the end of the file.
Fixed part: 22 bytes. Total: from 22 to 65557 bytes (aka: the PK\5\6 magic will be somewhere between EOF-65557 and EOF-22).
-
ZIP Format - LFH
4.3.7 Local file header:
  local file header signature                                        4 bytes (0x04034b50)
  version needed to extract                                          2 bytes
  general purpose bit flag                                           2 bytes
  compression method                                                 2 bytes
  last mod file time                                                 2 bytes
  last mod file date                                                 2 bytes
  crc-32                                                             4 bytes
  compressed size                                                    4 bytes
  uncompressed size                                                  4 bytes
  file name length                                                   2 bytes
  extra field length                                                 2 bytes
  file name                                                          (variable size)
  extra field                                                        (variable size)
  file data                                                          (variable size)
Layout in the file: random stuff | PK\3\4... LFH + data
Each file/directory in a ZIP has LFH + data.
-
ZIP Format - CDH
[central directory header n]
  central file header signature                                      4 bytes (0x02014b50)
  version made by                                                    2 bytes
  version needed to extract                                          2 bytes
  general purpose bit flag                                           2 bytes
  compression method                                                 2 bytes
  last mod file time                                                 2 bytes
  last mod file date                                                 2 bytes
  crc-32                                                             4 bytes
  compressed size                                                    4 bytes
  uncompressed size                                                  4 bytes
  file name length                                                   2 bytes
  extra field length                                                 2 bytes
  file comment length                                                2 bytes
  disk number start                                                  2 bytes
  internal file attributes                                           2 bytes
  external file attributes                                           4 bytes
  relative offset of local header                                    4 bytes
  file name                                                          (variable size)
  extra field                                                        (variable size)
  file comment                                                       (variable size)
Layout in the file: similar stuff to LFH | PK\2\1... CDH
Each file/directory has a CDH entry in the Central Directory.
Thanks to the redundancy you can recover LFH using CDH, or CDH using LFH.
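The three slides above describe everything a checker needs: find the PK\5\6 record in the trailing 65557 bytes, walk the central directory from its offset, and compare each CDH against the LFH it points to. Below is an added Python example (not from the talk's slides) that does exactly that and reports where two parsers could disagree: more than one EOCD magic in the window, a CDH/LFH mismatch, or two entries with the same name. The archive it checks is constructed inline with zipfile; the duplicate entry name and the decoy magic in the comment are my assumptions for the sample.

```python
import io, struct, warnings, zipfile
EOCD_FMT, CDH_FMT, LFH_FMT = "<4sHHHHIIH", "<4sHHHHHHIIIHHHHHII", "<4sHHHHHIIIHH"
MAX_EOCD_SPAN = 22 + 0xFFFF  # 22-byte EOCD plus a comment of up to 65535 bytes

def eocd_candidates(data):
    """Every PK\\5\\6 in the trailing window with room for a full record, nearest EOF first."""
    start, hits, pos = max(0, len(data) - MAX_EOCD_SPAN), [], len(data) - 18
    while (pos := data.rfind(b"PK\x05\x06", start, pos)) != -1:
        hits.append(pos)
    return hits  # a clean archive yields exactly one offset

def check_zip(data):
    """Return findings two parsers could disagree on; an empty list means nothing ambiguous."""
    cands = eocd_candidates(data)
    findings = ["eocd_candidates=%d" % len(cands)] if len(cands) != 1 else []
    try:
        for eocd in cands:  # keep the first EOCD whose comment length lands exactly on EOF
            _, _, _, _, n_entries, _, cd_off, comment_len = struct.unpack_from(EOCD_FMT, data, eocd)
            if eocd + 22 + comment_len == len(data):
                break
        else:
            return findings + ["no_consistent_eocd"]
        names, pos = [], cd_off
        for _ in range(n_entries):
            c = struct.unpack_from(CDH_FMT, data, pos)
            if c[0] != b"PK\x01\x02":
                return findings + ["bad_cdh_at=%d" % pos]
            names.append(data[pos + 46:pos + 46 + c[10]])  # c[10] is the file name length
            l = struct.unpack_from(LFH_FMT, data, c[16])  # c[16] is the offset of the local header
            lname = data[c[16] + 30:c[16] + 30 + l[9]]
            sizes_ok = (l[2] & 8) or (l[6], l[7]) == (c[7], c[8])  # flag bit 3: sizes in data descriptor
            if l[0] != b"PK\x03\x04" or lname != names[-1] or not sizes_ok:
                findings.append("cdh_lfh_mismatch=%s" % names[-1].decode("utf-8", "replace"))
            pos += 46 + c[10] + c[11] + c[12]  # skip name, extra field and comment
    except struct.error:
        return findings + ["truncated_record"]
    for dup in sorted({n for n in names if names.count(n) > 1}):
        findings.append("duplicate_name=%s" % dup.decode("utf-8", "replace"))
    return findings

def build_sample(tamper=True):
    """Constructed sample; with tamper, two entries share a name and the comment holds a decoy magic."""
    buf = io.BytesIO()
    with warnings.catch_warnings(), zipfile.ZipFile(buf, "w") as zf:
        warnings.simplefilter("ignore")  # zipfile warns about the duplicate name, which is the point
        for payload in ([b"first", b"second"] if tamper else [b"first"]):
            zf.writestr("abstract.txt", payload)
        zf.comment = b"decoy PK\x05\x06 inside the comment text" if tamper else b""
    return buf.getvalue()
```

Note that the decoy magic inside the comment is rejected only because its parsed comment length does not reach EOF; a parser that takes the last PK\5\6 it sees without that consistency check would start from the wrong record.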
-
Let's test the parsers! abstract.zip
-
abstract.zip
from zipfile import ZipFile
# list the entries as Python's parser sees them
ZipFile("abstract.zip", "r").printdir()
-
abstract.zip
-
Portable Document File
-
http://youtu.be/JQrBgVRgqtc?t=11m15s https://speakerdeck.com/ange/pdf-secrets-hiding-and-revealing-secrets-in-pdf-documents?slide=44
-
%
trailer <</Root …>>
trailer <</Root …>>
<</Root …>>
-
sometimes, it's in the specs
obscurity via over-specification?
-
notice anything unusual?
-
WYSIWYG
-
Option 2: The missing data will be black.
-
PNG
-
different images depending on which PLTE chunk is used
-
Portable Executable
-
Relocation-based PE Schizophren
-
Julian Bangert, Sergey Bratus -- ELF Eccentricities https://www.youtube.com/watch?v=4LU6N6THh2U
-
same-tool schizophrenia: 1 file + 1 tool = 2 behaviors
-
Failures / Ideas / WIP
-
Screen ⇔ Printer schizophren via color profiles?
-
Conclusion
-
Prezi SWF sanitizer
Prezi allows embedding SWF files. But it first sanitizes them. It uses one of two built-in SWF parsers. There was a problem in one of them:
• It allowed huge chunk sizes.
• It just "jumped" (seeked) over these chunks...
• ...which resulted in an integer overflow...
• ...and this led to schizophrenia.
• As the sanitizer saw a good SWF...
• ...Adobe Flash got its evil twin brother.