Schizophrenic files v2
2 likes1,338 views
This document summarizes a talk about abusing file format parsers to cause different parsing behaviors, known as "schizophrenia". It describes techniques used across various formats like ZIP, BMP, PDF, GIF and PE files that can result in files being parsed or interpreted differently depending on factors like the parsing order, which part of a program does the parsing, or which specifications are followed. The goal is to fool parsers without causing failures by leveraging ambiguity and flexibility in file specifications.
Schizophrenic files v2
- 1. Schizophrenic files Ange Albertini MetaRheinMainConstructionDays MRMCD 5-7 september 2014 HS Darmstadt www.mrmcd.net 2014/09/05
- 2. This talk is a collaboration with: Gynvael Coldwind Security researcher,Google Dragon Sector captain likes hamburgers http://gynvael.coldwind.pl/
- 3. Ange Albertini reverse engineering & visual documentations @angealbertini [email protected] http://www.corkami.com
- 5. 1 file, 2 programs ⇒ 2 different contents No active detection of the program in the file
- 6. Fooling, not failing Both programs will load the file correctly: No reported warning or error, no exploitation.
- 7. Abusing parsers for ● fun ● bypassing security ○ same-origin policy ○ evade detection ○ exfiltration ○ signing ■ Android Master Key
- 8. ZIP
- 9. excerpt from Gynvael's talk: "Dziesięć tysięcy pułapek: ZIP, RAR, etc." (http://gynvael.coldwind.pl/?id=523)
- 10. ZIP archives
- 11. ZIP structures are parsed from the end.
- 12. File names are actually duplicated.
- 13. Why this weird structure?
- 14. ZIP archives were commonly read & written on the fly over multiple floppies.
- 15. Minimize floppy swaps ● creation a. create one LFH per file Floppy full ⇒ start a new LFH on the next floppy b. when all files are finished, write CDs sequence (1/file) c. when all CDs are written, write the EoCD ● extraction a. insert last floppy (contains the EoCD) b. insert the floppy with 1st CD (often, the last floppy contains EoCD + all CDs) c. insert the corresponding LFH’s first floppy insert next floppies if required
- 16. ZIP was very useful, but now it’s awkward. Newer archive formats are parsed top-down.
- 17. Position in the file
- 18. Prepended and appended data is tolerated...
- 19. ...but not too much! (for obvious performance reason)
- 20. Duplicating the (relatively small) EoCD increases compatibility.
- 22. If you concatenate 2 archives...
- 23. ...if you parse bottom-up (standard), you find the 2nd one...
- 24. ...but you will get the other archive if you parse top-down.
- 26. You could parse everything nicely...
- 27. ...but in the end, only the Local File Headers matter.
- 28. 1 file = 1 Local File Header
- 29. Since most ZIP archives start with a sequence of Local File Headers...
- 30. You can parse them top-down (until a break) and ignore the CD and EoCD.
- 31. Standard parsing: bottom-up + all headers
- 32. “Efficient” parsing: top-down + LFHs only Not standard, but good enough in most cases.
- 33. Nowadays, most ZIPs are a sequence of LFHs from the start
- 35. The EoCD contains an optional comment field...
- 36. ...that can contain a complete archive !
- 37. Recap ● Parsing direction: ○ standard is bottom-up ○ parsing LFHs from the start would work in most cases ● ZIP should be located near the end of the file ○ or at least, its EoCD ● An archive comment can contain another complete archive
- 38. Let's test the parsers! abstract.zip
- 39. 4 LFHs, 4 ways to parse this archive:
- 40. 1/ you parse it bottom-up
- 41. 2/ you parse it top-down
- 42. 3/ look for LFHs from the start (until a break)
- 43. 4/ scan for LFHs aggressively (you get all four)
- 47. PDF Trick #1 trailers
- 48. trailer ⇒ root object ⇒ complete document
- 49. … … … a line comment - a correct trailer - a corrupted trailer
- 50. Each reader sees a different trailer.
- 51. PDF parsing Each reader sees a completely different document 3 co-existing documents, all parsed through Viewers tolerance makes foreign elements ignored
- 52. Also available in PDF/A flavor (OK for Adobe Reader, but not for Preflight)
- 53. sometimes, it’s in the specs... ...but who knows all of them ? (obscurity via over-specification)
- 55. This document contains layers. (an advanced feature)
- 56. What you see is not what you’ll get...
- 57. PDF Layers 1/2 “Optional Content Configuration” ● principles ○ define layered content via various /Forms ○ enable/disable layers on viewing/printing ● no warning when printing ● “you can see the preview!” ○ bypass preview by keeping page 1 unchanged ○ just do a minor change in the file
- 58. PDF Layers 2/2 ● it’s Adobe only ○ what’s displayed varies with readers ○ could be hidden via previous schizophrenic trick ● it was in the specs all along ○ very rarely used ○ can be abused with no warning
- 59. BMP
- 60. BMP A pointer to some information that usually comes next… What could go wrong...
- 61. BMP Trick #1: ignoring the data pointer getting data right after the header getting data via the pointer (standard)
- 62. Trick #2: Run-Length Encoding
- 63. BMP RLE trick RLE structure (each box is 1 byte) Length >0 Palette Index (color) Length 0 End of Line 0 Length 0 End of Bitmap 1 Length 0 Move Cursor 2 X offset Y offset Length 0 RAW Length >2 Palette Index (color) Palette Index (color) ...
- 64. BMP RLE trick If you just skip pixels, what is their color? Length 0 End of Line 0 Length 0 End of Bitmap 1 Length 0 Move Cursor 2 X offset Y offset
- 65. Option 1 The missing data will be filled with background color. (palette index 0)
- 66. Option 2 The missing data will be black.
- 67. Option 3 The missing data will be transparent.
- 68. PNG Portable Network Graphics
- 69. Combined data + 2 palettes Same data chunk combining 2 images via 2 palettes cute PoC by @reversity “There shall not be more than one PLTE chunk”
- 70. Different images depending on which PLTE chunk is used
- 72. the PE Loader PE = complex + badly documented ● fail or fool external tools ? too easy... ● fooling Windows is much harder: ○ Windows’ loader usually closes holes ⇒ older PEs just not working anymore
- 73. PE Trick #1 Data directory loading order
- 74. Pointing TLS’ AddressOfIndex to an Import descriptor
- 75. W7: TLS is loaded first ⇒ AoI’s address set to 0 ⇒ Imports descriptors’s sequence is truncated before loading
- 76. XP: Imports are loaded first - all descriptors are parsed TLS is then parsed - descriptors are not relevant anymore
- 77. PE Trick #2 Relocations
- 78. Relocations: patching absolute addresses to solve address space conflicts
- 79. Vista W8 Relocations types XP Type 4 HIGH_ADJ -- -- ✓ Type 9 MIPS_JMPADDR16 IA64_IMM64 MACHINE_SPEC_9 32 bit 64 bit ✗
- 80. Relocations on relocations Type 4 HIGH_ADJ -- -- ✓ Type 9 MIPS_JMPADDR16 IA64_IMM64 MACHINE_SPEC_9 32 bit 64 bit ✗ Type 10 DIR64 ✓ ✓ ✓ as seen in PoC||GTFO #1
- 82. Julian Bangert, Sergey Bratus -- ELF Eccentricities https://www.youtube.com/watch?v=4LU6N6THh2U
- 83. GIF
- 84. GIF A GIF is made of blocks. if no animation speed is defined, they should all be displayed at once.
- 85. GIF If a frame speed is defined, then: first block = background next blocks = animation frames Background (from block 1) Frame 1 (with block 2) Frame 2 (with block 3)
- 86. GIF Frame 1 Frames 2-10001 1x1 px Frame 10002 1 complete pic + 10.000 pixels + 1 complete pic
- 87. Displaying all blocks at once (standard) Forcing animation (even if no frame speed is defined)
- 88. same-tool schizophrenia 1 file + 1 tool = 2 behaviors (in different sub-components)
- 89. Because it was too simple... ● WinRar: viewing ⇔ extracting ○ opening/failing ○ opening/’nothing’ ● Adobe: viewing ⇔ printing ○ well, it’s a feature
- 90. Failures & Ideas
- 91. Failures & Ideas ● screen ⇔ printer ○ embedded color profiles? ● JPG ○ IrfanView vs the world ● Video ○ FLV: early data pointer, like BMP PoC: video fails but plays sound
- 92. PNG Various ancillary chunks (rendering level) ● partially supported: ○ gamma ○ transparency (for palettes) ● never supported? ○ significant bits ○ chromacities ● always supported? ○ physical size
- 93. Conclusion
- 94. We tend to take our own shortcuts.
- 95. Conclusion ● such a mess ○ specs are messy ■ unclear ■ historical reasons ○ parsers don’t even respect them (particularly when there is an easy shortcut) ○ official tools “forced” to be tolerant ■ They’re even trying to repair corrupted files (!) ● no CVE/blaming for parsing errors? ○ no security bug if no crash or exploit :(
- 96. Schizophrenia symptoms ● different parsing (seeing different data) ○ BMP: ignoring data pointer ○ ZIP: different parsing algorithm & directions ○ PE: different data directory loading order ○ PDF: different trailer parsing ● different interpretation (same data) ○ GIF: ignoring animation speed ○ BMP RLE: using different default color ○ PE: different relocations implementation ○ PNG: using different palette ○ PDF: conditional layers
- 97. ACK @gynvael @reversity @travisgoodspeed @sergeybratus qkumba @internot @pdfkungfoo @j00ru ise ds vx, Mulander Felix Groebert, Salvation
- 98. @angealbertini corkami.com Damn, that's the second time those alien bastards shot up my ride!