a binary chimera - 3 headers & 1 data body in a single file
Ange Albertini, March 2014
chimera /kʌɪˈmɪərə, kɪ-/ noun
1. (in Greek mythology) a fire-breathing female monster with a lion's head, a goat's body, and a serpent's tail.
what is it?
a file that is:
● a JPG
● a PDF
● a ZIP
that’s all?
is it just 3 stacked formats?
if only >:-)
a binary chimera
the image data is present only once: all 3 file formats rely on the same body.
1 data body, 3 different headers (PDF/ZIP/JPG) → chimera
why?
● why not!
● just a PoC for me
  ○ but maybe a fixed bug for you
it shows that
● too many file format specs suck!
  ○ which decreases our security
starting ideas
● PDF can use unmodified JPG files
  ○ we just need to duplicate the JPG header
  ○ and trick the JPG header to find its data ‘further’ than expected
● ZIP can store data unmodified
  ○ we just need to trick the ZIP structure to find its file data within the PDF
magic signature
● JPEG: FF D8 at offset 0
● PDF: %PDF-1.x within range 0-1024
● ZIP: PK\x03\x04 anywhere
→ our file starts with FF D8 at offset 0; we need to ‘hide’ the rest
hiding PDF/ZIP data from JPEG
● JPEG is chunk-based (chunks are called segments)
→ add comment segments to cover the PDF/ZIP data
syntax: FF FE <length> <data>, where the 2-byte big-endian length counts itself (hence the +2 on top of the data size)
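An added check, not from the talk or the corkami PoC, that walks a JPEG's segments as the slides describe and reports whether the PDF or ZIP magic appears where a JPEG parser would skip over it (the magic rules of the previous slide); the sample bytes are constructed here and are not the real chimera file:

```python
import struct

# Constructed sample: a JPEG-shaped byte string (SOI + one COM segment + EOI)
# whose comment body carries the PDF and ZIP magics, mirroring the hiding trick.
def _build_sample() -> bytes:
    hidden = b"%PDF-1.4\n9 0 obj<<>>stream\n" + b"PK\x03\x04" + b"\x00" * 16
    com = b"\xff\xfe" + struct.pack(">H", len(hidden) + 2) + hidden  # length counts itself
    return b"\xff\xd8" + com + b"\xff\xd9"

SAMPLE = _build_sample()


def jpeg_segments(data: bytes):
    """Yield (offset, marker, payload) for each segment, stopping at SOS or EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing FF D8 at offset 0")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):           # EOI or SOS: entropy-coded data follows
            yield pos, marker, b""
            return
        if marker == 0x01 or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        if pos + 4 > len(data):
            raise ValueError(f"truncated segment at offset {pos}")
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def find_foreign_magics(data: bytes) -> dict:
    """Report PDF/ZIP signatures that satisfy the other parsers' magic rules."""
    pdf_at = data.find(b"%PDF-")
    findings = {
        "pdf_in_range": 0 <= pdf_at <= 1024,    # PDF accepts %PDF- within 0-1024
        "zip_anywhere": b"PK\x03\x04" in data,  # ZIP accepts a LFH anywhere
        "com_segments": [],                     # offsets of COM segments hiding them
    }
    for off, marker, payload in jpeg_segments(data):
        if marker == 0xFE and (b"%PDF-" in payload or b"PK\x03\x04" in payload):
            findings["com_segments"].append(off)
    return findings
```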
hiding JPEG/ZIP data from PDF
● PDF is not parsed until the signature is met
→ the JPEG header is ignored
● PDF is object-based
● dummy stream objects cover the ZIP/JPG data
PDF stream object
<unused number> 0 obj
<<>>
stream
<data>
endstream
endobj
Problem: in a ZIP, the data follows the LocalFileHeader
start of the PDF image object overlaps the LocalFileHeader :(
Solution: a ZIP contains 2 filename entries:
● in the CentralDirectory (the important one)
● in each LocalFileHeader (discardable)
→ abused the LFH’s filename to overlap the PDF object start (not 100% compatible)
elegance++
● cover extra data after JPEG end with superfluous comment segment
● cover extra PDF data by extending the ZIP archive comment (in the EoCD)
summary
icing on the cake
● all written by hand
● generated in ASM
● not specific to my JPEG/PDF/ZIP data
as usual ;)
partial failure
not fully “compatible”
● ZIP LFH name corrupted :(
  ○ 7z, ZipFile don’t support it
● Adobe Reader blacklists PDFs that start with a JPEG
→ need to slightly corrupt the JPEG header
→ some JPEG viewers don’t support it :(
JPEG corrupted to let the PDF open under Adobe
easy to fix, would break Adobe
Conclusion
● yet another kind of file format puzzle
  ○ new?
● chimeras aren’t legend anymore :p
● source & PoC
○ http://corkami.googlecode.com/svn/trunk/src/chimera
ACK
Binary masters
● Julia Wolf, Jonas Magazinius, Gynvael Coldwind
PoC||GTFO neighbors
● Travis Goodspeed, Sergey Bratus
Feedbackers
● @munin @LeBurek @rfc1459 @InfoSec208
Promising jedi ;)
● Dominique Bongard
Questions/suggestions? @angealbertini
Want more? read PoC||GTFO!