Ange Albertini and Gynvael Coldwind: Schizophrenic Files – A file that thinks it's many
Area41, 2014/06/02, Zürich, Switzerland
Gynvael Coldwind
Security researcher, Google
Dragon Sector captain
likes hamburgers
http://gynvael.coldwind.pl/
All opinions expressed during this presentation are mine and mine alone. They are not opinions of my lawyer, barber and especially not my employer.
Ange Albertini
Reverse engineering & Visual Documentations
http://corkami.com
1 file + 2 tools ⇒ 2 different documents
No active detection in the file.
abusing parsers for
● fun
● bypassing security
  ○ same-origin policy
  ○ evade detection
  ○ exfiltration
  ○ signing
    ■ Android Master Key
ZIP archives
excerpt from Gynvael's talk: "Dziesięć tysięcy pułapek: ZIP, RAR, etc." (Ten thousand traps: ZIP, RAR, etc.)
(http://gynvael.coldwind.pl/?id=523)
ZIP trick 1
a glitch in the matrix
file names in ZIP
a couple of files with the same name?
update: for an awesome example see:
Android: One Root to Own Them All, Jeff Forristal / Bluebox
(https://media.blackhat.com/us-13/US-13-Forristal-Android-One-Root-to-Own-Them-All-Slides.pdf)
ZIP trick 2
abstract kitty
Let's start with simple stuff - the ZIP format
A ZIP file begins with letters PK.
WRONG
ZIP - second attempt :)
.zip file
the "header" (PK\5\6...) is "somewhere" in the last 65557 bytes of the file
ZIP - "somewhere"?!
4.3.16 End of central directory record:

| field | size |
|---|---|
| end of central dir signature | 4 bytes (0x06054b50) |
| number of this disk | 2 bytes |
| number of the disk with the start of the central directory | 2 bytes |
| total number of entries in the central directory on this disk | 2 bytes |
| total number of entries in the central directory | 2 bytes |
| size of the central directory | 4 bytes |
| offset of start of central directory with respect to the starting disk number | 4 bytes |
| .ZIP file comment length | 2 bytes |
| .ZIP file comment | (variable size) |

you begin ZIP parsing from this; it MUST be at the end of the file
fixed part: 22 bytes; comment: $0000-$FFFF (0-65535) bytes
Total: from 22 to 65557 bytes (aka: the PK\5\6 magic will be somewhere between EOF-65557 and EOF-22)
ZIP - looking for the "header"?
"From the START": begin at EOF-65557, and move forward.
"From the END" (ZIPs usually don't have comments): begin at EOF-22, and move backward.
PK\5\6... is "somewhere" in between.
The show will continue in a moment.
The Larch. Something completely different.
ZIP Format - LFH
4.3.7 Local file header:

| field | size |
|---|---|
| local file header signature | 4 bytes (0x04034b50) |
| version needed to extract | 2 bytes |
| general purpose bit flag | 2 bytes |
| compression method | 2 bytes |
| last mod file time | 2 bytes |
| last mod file date | 2 bytes |
| crc-32 | 4 bytes |
| compressed size | 4 bytes |
| uncompressed size | 4 bytes |
| file name length | 2 bytes |
| extra field length | 2 bytes |
| file name | (variable size) |
| extra field | (variable size) |
| file data | (variable size) |

PK\3\4... LFH + data (random stuff)
Each file/directory in a ZIP has LFH + data.
ZIP Format - CDH [central directory header n]

| field | size |
|---|---|
| central file header signature | 4 bytes (0x02014b50) |
| version made by | 2 bytes |
| version needed to extract | 2 bytes |
| general purpose bit flag | 2 bytes |
| compression method | 2 bytes |
| last mod file time | 2 bytes |
| last mod file date | 2 bytes |
| crc-32 | 4 bytes |
| compressed size | 4 bytes |
| uncompressed size | 4 bytes |
| file name length | 2 bytes |
| extra field length | 2 bytes |
| file comment length | 2 bytes |
| disk number start | 2 bytes |
| internal file attributes | 2 bytes |
| external file attributes | 4 bytes |
| relative offset of local header | 4 bytes |
| file name | (variable size) |
| extra field | (variable size) |
| file comment | (variable size) |

PK\2\1... CDH (similar stuff to LFH)
Each file/directory has a CDH entry in the Central Directory.
Thanks to the redundancy you can recover LFH using CDH, or CDH using LFH.
ZIP - a complete file
PK\3\4... LFH + data → PK\2\1... CDH → PK\5\6... EOCD
Files (header+data), then the list of files (and pointers)
ZIP - a complete file (continued)
PK\3\4... LFH + data   PK\2\1... CDH   PK\5\6... EOCD
PK\3\4... LFH + data   PK\2\1... CDH   PK\5\6... EOCD
If the list of the files has pointers to files... the ZIP structure can be more relaxed.
ZIP - a complete file (continued)
PK\5\6... EOCD → file comment (variable size) → PK\2\1... CDH → PK\3\4... LFH + data
You can even do an "inception" (some parsers may allow EOCD(CDH(LFH)))
And now back to our show!
(we were looking for the EOCD)
The Larch. Something completely different.
ZIP - looking for the "header"?
"stream": Let's ignore EOCD!
(it's sometimes faster) (99.9% of ZIPs out there can be parsed this way)
PK\3\4... LFH + data | PK\3\4... LFH + data | PK\3\4... LFH + data (single "files" in an archive)
PK\5\6... (who cares...)
ZIP - looking for the "header"?
"aggressive stream": We ignore the "garbage"!
(forensics)
PK\3\4... LFH + data | garbage | PK\3\4... LFH + data | garbage | PK\3\4... LFH + data (single "files" in an archive)
PK\5\6... (who cares...)
Let's test the parsers! abstract.zip
abstract.zip layout (figure): several LFH+data, CDH and EOCD records and a "syntax breaker" are interleaved so that each strategy (stream, aggressive stream, start-first, end-first) reaches a different archive; yellow is a comment of the green archive.
abstract.zip

```python
from zipfile import ZipFile
ZipFile("abstract.zip", "r").printdir()
```
abstract.zip

```php
<?php
$za = new ZipArchive();
$za->open('abstract.zip');
for ($i = 0; $i < $za->numFiles; $i++) {
    echo "index: $i\n";
    print_r($za->statIndex($i));
}
echo "numFile:" . $za->numFiles . "\n";
```
abstract.zip

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;

public class zip {
    public static void main(String args[]) throws java.io.IOException, java.io.FileNotFoundException {
        InputStream f = new FileInputStream("abstract.zip");
        ZipInputStream z = new ZipInputStream(f);
        ZipEntry e;
        while ((e = z.getNextEntry()) != null) {
            System.out.println(e.getName());
        }
    }
}
```
abstract.zip - results (figure: which of readme_StartFirst.txt, readme_AggressiveStream.txt, readme_Stream.txt and readme_EndFirst.txt each tool extracts)
Total Commander 8.01, UnZip 6.00 (Debian), Midnight Commander, Windows 7 Explorer, ALZip, KGB Archiver, 7-zip, b1.org, Python zipfile, JSZip, C# DotNetZip, perl Archive::Zip, Jeffrey's Exif Viewer, WOBZIP, GNOME File Roller, WinRAR, OSX UnZip, zip.vim v25, Emacs Zip-Archive mode, Ada Zip-Ada v45, Go archive/zip, Pharo smalltalk 2.0 ZipArchive, Ubuntu less, Java ZipFile
PHP ZipArchive, PHP zip_open ..., PHP zip:// wrapper, tcl + tclvfs + tclunzip
Ruby rubyzip2, Java ZipArchiveInputStream, java.util.zip.ZipInputStream
binwalk (found all)
abstract.zip - result summary
Thanks!
● Mulander
● Felix Groebert
● Salvation
● j00ru
abstract.zip - who cares?
● verify files via End-First
● unpack via Stream
Oops.
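The check that "verify via End-First, unpack via Stream" is missing, as an added Python example (not the talk's code, and the samples are not abstract.zip): it lists a ZIP's entries the End-First way, the Stream way and the Aggressive-Stream way and reports any disagreement, which also catches ZIP trick 1 (two entries with the same name). The sample archives are constructed inline with struct; stored entries without data descriptors or ZIP64 are assumed.

```python
import struct
import zlib

LFH_SIG, CDH_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"

def find_eocd(data: bytes) -> int:
    """End-First search: the EOCD (22 bytes + a comment of at most 65535 bytes) must
    start somewhere between EOF-65557 and EOF-22; take the last signature there."""
    if len(data) < 22:
        raise ValueError("too short to be a ZIP")
    pos = data.rfind(EOCD_SIG, max(0, len(data) - 65557), len(data) - 18)
    if pos < 0:
        raise ValueError("no end of central directory record")
    return pos

def end_first_names(data: bytes) -> list:
    """What a spec-following parser lists: follow EOCD -> central directory entries."""
    eocd = find_eocd(data)
    _sig, _disk, _cd_disk, _n_here, n_total, _cd_size, pos, _clen = struct.unpack_from(
        "<4sHHHHIIH", data, eocd)
    names = []
    for _ in range(n_total):
        hdr = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)   # 46-byte fixed part
        if hdr[0] != CDH_SIG:
            raise ValueError(f"bad central directory header at offset {pos}")
        nlen, xlen, clen = hdr[10], hdr[11], hdr[12]
        names.append(data[pos + 46:pos + 46 + nlen].decode("utf-8", "replace"))
        pos += 46 + nlen + xlen + clen
    return names

def _lfh_entry(data: bytes, pos: int):
    """Parse one local file header at pos; return (name, offset just past its data)."""
    hdr = struct.unpack_from("<4sHHHHHIIIHH", data, pos)            # 30-byte fixed part
    csize, nlen, xlen = hdr[7], hdr[9], hdr[10]
    name = data[pos + 30:pos + 30 + nlen].decode("utf-8", "replace")
    return name, pos + 30 + nlen + xlen + csize

def stream_names(data: bytes) -> list:
    """Stream parser: consecutive LFH+data records from offset 0, stop at anything else."""
    names, pos = [], 0
    while data[pos:pos + 4] == LFH_SIG:
        name, pos = _lfh_entry(data, pos)
        names.append(name)
    return names

def aggressive_stream_names(data: bytes) -> list:
    """Aggressive stream (forensics) parser: skip whatever is not an LFH and keep going."""
    names, pos = [], 0
    while (pos := data.find(LFH_SIG, pos)) >= 0:
        name, pos = _lfh_entry(data, pos)
        names.append(name)
    return names

def audit_zip(data: bytes):
    """Compare the three views; any disagreement means the file is schizophrenic."""
    views = {"end-first": end_first_names(data), "stream": stream_names(data),
             "aggressive-stream": aggressive_stream_names(data)}
    findings = []
    dupes = sorted({n for n in views["end-first"] if views["end-first"].count(n) > 1})
    if dupes:  # ZIP trick 1: several entries with the same name
        findings.append("duplicate names in central directory: " + ", ".join(dupes))
    for strategy in ("stream", "aggressive-stream"):  # ZIP trick 2: strategy-dependent content
        if set(views[strategy]) != set(views["end-first"]):
            findings.append(f"{strategy} sees {views[strategy]}, end-first sees {views['end-first']}")
    return views, findings

# --- constructed sample archives (stored entries, no data descriptors) ---
def _lfh(name: bytes, data: bytes) -> bytes:
    return struct.pack("<4sHHHHHIIIHH", LFH_SIG, 20, 0, 0, 0, 0, zlib.crc32(data),
                       len(data), len(data), len(name), 0) + name + data

def _cdh(name: bytes, data: bytes, lfh_off: int) -> bytes:
    return struct.pack("<4sHHHHHHIIIHHHHHII", CDH_SIG, 20, 20, 0, 0, 0, 0, zlib.crc32(data),
                       len(data), len(data), len(name), 0, 0, 0, 0, 0, lfh_off) + name

def _eocd(count: int, cd: bytes, cd_off: int) -> bytes:
    return struct.pack("<4sHHHHIIH", EOCD_SIG, 0, 0, count, count, len(cd), cd_off, 0)

def build_abstract_like_zip() -> bytes:
    """LFH+data, a 'syntax breaker', then a second LFH+data that only the central
    directory points to: stream parsers see the first entry, end-first the second."""
    first = _lfh(b"readme_Stream.txt", b"seen by stream parsers\n")
    breaker = b"\x00" * 8 + b"this is not a PK record"
    second_off, second_data = len(first) + len(breaker), b"seen by end-first parsers\n"
    second = _lfh(b"readme_EndFirst.txt", second_data)
    cd = _cdh(b"readme_EndFirst.txt", second_data, second_off)
    return first + breaker + second + cd + _eocd(1, cd, second_off + len(second))

def build_duplicate_name_zip() -> bytes:
    """Two entries with the same name but different contents."""
    a, b = b"version A\n", b"version B\n"
    lfh_a, lfh_b = _lfh(b"config.txt", a), _lfh(b"config.txt", b)
    cd = _cdh(b"config.txt", a, 0) + _cdh(b"config.txt", b, len(lfh_a))
    return lfh_a + lfh_b + cd + _eocd(2, cd, len(lfh_a) + len(lfh_b))
```

The talk's abstract.zip carries one readme per strategy; the constructed sample only has one entry for stream parsers and one for end-first parsers, which is already enough to trip the check.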
abstract.zip - AV
EICAR test results (using VT):
● most End-First
● some Aggressive
● Stream-only:
  ○ VBA32
  ○ NANO-Antivirus
  ○ Norman
  ○ F-Prot
  ○ Agnitum
  ○ Commtouch
https://docs.google.com/spreadsheet/ccc?key=0Apy5AGVPzpIOdDRPTFNJQXpqNkdjUzl4SE80c1kwdkE&usp=sharing
Portable Document File
http://youtu.be/JQrBgVRgqtc?t=11m15s
https://speakerdeck.com/ange/pdf-secrets-hiding-and-revealing-secrets-in-pdf-documents?slide=44
% trailer <</Root …>>
trailer <</Root …>>
<</Root …>>
sometimes, it's in the specs
obscurity via over-specification?
notice anything unusual?
WYSIWYG
PDF Layers 1/2
"Optional Content Configuration"
● principles
  ○ define layered content via various /Forms
  ○ enable/disable layers on viewing/printing
● no warning when printing
● "you can see the preview!"
  ○ bypass preview by keeping page 1 unchanged
  ○ just do a minor change in the file
PDF Layers 2/2
● it's Adobe only
  ○ what's displayed varies with readers
  ○ could be hidden via the previous schizophrenic trick
● it was in the specs all along
  ○ very rarely used
  ○ can be abused
BMP trick 1
(originally published in Gynvael's "Format BMP okiem hakera" (The BMP format through a hacker's eyes) article in 2008)
FILE HEADER (offset 0)
INFO HEADER
PIXEL DATA (offset N = bfOffBits)
bfOffBits: Specifies the offset, in bytes, from the BITMAPFILEHEADER structure to the bitmap bits (MSDN)
FILE HEADER (offset 0)
INFO HEADER
PIXEL DATA (secondary)
PIXEL DATA (offset N = bfOffBits)
bfOffBits: Specifies the offset, in bytes, from the BITMAPFILEHEADER structure to the bitmap bits (MSDN)
● Some image viewers ignore bfOffBits and look for data immediately after the headers.
Different images, depending on which pixel data is used: PIXEL DATA (secondary) vs PIXEL DATA at bfOffBits.
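A check for BMP trick 1, as an added Python example (not from the talk): it parses the file and info headers, computes where the headers and palette end, compares that with bfOffBits, and returns both candidate pixel arrays so the strict (bfOffBits) and lax (right-after-headers) readings can be compared. The two-faced sample BMP is constructed inline; only uncompressed bitmaps with a BITMAPINFOHEADER-sized or larger info header are handled.

```python
import struct

FILE_HEADER, INFO_HEADER = 14, 40     # sizes of BITMAPFILEHEADER and BITMAPINFOHEADER

def bmp_layout(data: bytes):
    """Parse the headers; return (bfOffBits, offset right after headers and palette,
    size of the pixel array in bytes). Uncompressed (BI_RGB) bitmaps only."""
    if len(data) < FILE_HEADER + INFO_HEADER or data[:2] != b"BM":
        raise ValueError("not a BMP with a BITMAPINFOHEADER")
    _magic, _bf_size, _res1, _res2, bf_off_bits = struct.unpack_from("<2sIHHI", data, 0)
    (bi_size, width, height, _planes, bpp, compression, _size_image, _xppm, _yppm,
     clr_used, _clr_important) = struct.unpack_from("<IiiHHIIiiII", data, FILE_HEADER)
    if bi_size < INFO_HEADER or compression != 0:
        raise ValueError("core-header or compressed BMP not handled in this example")
    # <= 8 bpp always has a palette (biClrUsed or 2^bpp entries of 4 bytes), above that only if biClrUsed says so
    palette_bytes = 4 * (clr_used or (1 << bpp)) if bpp <= 8 else 4 * clr_used
    after_headers = FILE_HEADER + bi_size + palette_bytes
    row_bytes = ((width * bpp + 31) // 32) * 4          # rows are padded to 4 bytes
    return bf_off_bits, after_headers, row_bytes * abs(height)

def pixel_region(data: bytes, follow_bf_off_bits: bool = True) -> bytes:
    """Pixel array as read by a strict viewer (bfOffBits) or a lax one (right after the headers)."""
    bf_off_bits, after_headers, size = bmp_layout(data)
    start = bf_off_bits if follow_bf_off_bits else after_headers
    if start + size > len(data):
        raise ValueError("pixel array runs past end of file")
    return data[start:start + size]

def audit_bmp(data: bytes) -> list:
    """Flag a bfOffBits that does not point right after the headers and say whether the
    two candidate pixel arrays would actually render differently."""
    bf_off_bits, after_headers, _size = bmp_layout(data)
    findings = []
    if bf_off_bits != after_headers:
        findings.append(f"bfOffBits={bf_off_bits} but headers/palette end at {after_headers} "
                        f"({bf_off_bits - after_headers:+d} bytes)")
        try:
            if pixel_region(data, True) != pixel_region(data, False):
                findings.append("strict and lax viewers would show different images")
        except ValueError as err:
            findings.append(str(err))
    return findings

def build_sample_bmp(two_faced: bool = True) -> bytes:
    """Constructed 2x2 24-bpp sample. With two_faced=True, blue pixels sit right after the
    headers and red pixels where bfOffBits points; each row is 6 pixel bytes + 2 padding."""
    width, height = 2, 2
    hidden = (b"\xff\x00\x00" * width + b"\x00\x00") * height if two_faced else b""  # BGR blue
    strict_pixels = (b"\x00\x00\xff" * width + b"\x00\x00") * height                 # BGR red
    bf_off_bits = FILE_HEADER + INFO_HEADER + len(hidden)
    file_header = struct.pack("<2sIHHI", b"BM", bf_off_bits + len(strict_pixels), 0, 0, bf_off_bits)
    info_header = struct.pack("<IiiHHIIiiII", INFO_HEADER, width, height, 1, 24, 0,
                              len(strict_pixels), 2835, 2835, 0, 0)
    return file_header + info_header + hidden + strict_pixels
```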
BMP trick 2
Something I've learnt about because it spoiled my steg100 task for a CTF (thankfully during testing).
BMP compression & palette
Run-Length Encoding (each box is 1 byte):

| byte 1 | byte 2 | following bytes |
|---|---|---|
| Length > 0 | Palette Index (color) | |
| 0 | 0 (End of Line) | |
| 0 | 1 (End of Bitmap) | |
| 0 | 2 (Move Cursor) | X offset, Y offset |
| 0 | Length > 2 (RAW) | Palette Index (color), Palette Index (color), ... |
BMP compression & palette
Question: if the opcodes below allow jumping over pixels without setting any data, what will those pixels look like?
Hint: please take a look at the presentation title :)
0, 0: End of Line
0, 1: End of Bitmap
0, 2, X offset, Y offset: Move Cursor
Option 1: The missing data will be filled with background color (index 0 in the palette).
Option 2: The missing data will be black.
Option 3: The missing data will be transparent (pink represents transparency).
PNG
a data schizophren
image data combining
● 2 images
● via 2 palettes
cute PoC by @reversity
"There shall not be more than one PLTE chunk"
different images depending on which PLTE chunk is used
Portable Executable
Relocation types

| Type | Name | W8 | Vista | XP |
|---|---|---|---|---|
| Type 4 | HIGH_ADJ | -- | -- | ✓ |
| Type 9 | MIPS_JMPADDR16 / IA64_IMM64 / MACHINE_SPEC_9 | 32 bit | 64 bit | ✗ |
| Type 10 | DIR64 | ✓ | ✓ | ✓ |

Relocations on relocations
as seen in PoC||GTFO
Relocation-based PE Schizophren
Julian Bangert, Sergey Bratus -- ELF Eccentricities
https://www.youtube.com/watch?v=4LU6N6THh2U
GIF
Something Gynvael stumbled on in 2008, but never made a PoC... until now. (with great input from Ange)
GIF
GIF can be made of many small images. If "frame speed" is defined, these are frames instead (and the first frame is treated as background).
GIF
Certain parsers (e.g. browsers) treat "images" as "frames" regardless of "frame speed" not being defined.
Frame 1 | Frame 2 | Frame 3
GIF
Schizophrenic PoC:
Frame 1 | Frames 2-10001: 1x1 px | Frame 10002
These apps try to force animation.
These apps render the GIF by the specs.
GIMP says "frames", but allows one to see all the frames, which is nice.
same-tool schizophrenia: 1 file + 1 tool = 2 behaviors
it was too simple
● WinRar: different behavior when viewing or extracting
  ○ opening/failing
  ○ opening/'nothing'
● Adobe: viewing ⇔ printing
  ○ well, it's a feature
Failures / Ideas / WIP
Screen ⇔ Printer schizophren via color profiles?
Failures / Ideas / WIP
● screen ⇔ printer
  ○ embedded color profiles?
● JPG
  ○ IrfanView vs the world
● Video
  ○ FLV: video fails but still plays sound?
PNG
Various ancillary chunks (rendering level)
● partially supported:
  ○ gamma
  ○ transparency (for palettes)
● never supported?
  ○ significant bits
  ○ chromaticities
● always supported?
  ○ physical size
Conclusion
● such a mess
  ○ specs are messy
  ○ parsers don't even respect them
● no CVE/blaming for parsing errors?
  ○ no security bug if no crash or exploit :(
PoCs and slides: http://goo.gl/Sfjfo4
ACK
@reversity @travisgoodspeed @sergeybratus qkumba @internot @pdfkungfoo
@j00ru ise ds vx
questions?
Ange Albertini, Gynvael Coldwind
thank you
It's time to kick ass and chew bubble gum... and I'm all outta gum.
@angealbertini @gynvael
Flash (SWF) vs Prezi
Bonus Round (not a fully schizophrenic problem in popular parsers, that's why it's here)
Prezi SWF sanitizer
Prezi allows embedding SWF files. But it first sanitizes them. It uses one of two built-in SWF parsers.
There was a problem in one of them:
● It allowed huge chunk sizes.
● It just "jumped" (seeked) over these chunks...
● ...which resulted in an integer overflow...
● ...and this led to schizophrenia.
● As the sanitizer saw a good SWF...
● ...Adobe Flash got its evil twin brother.
Prezi SWF sanitizer
"good" SWF sent to sanitizer, and its evil twin brother
kudos to the sanitizer!
Fixed in Q1 2014. For details see: "Integer overflow into XSS and other fun stuff - a case study of a bug bounty"
http://gynvael.coldwind.pl/?id=533
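A reconstruction of the bug class just described, as an added Python example (not Prezi's or the author's code; the exact arithmetic of the Prezi parser is not on the slides and is assumed here): a tag walker that seeks past tag bodies with 32-bit wraparound beside one that rejects any tag whose claimed length does not fit in the file, the check a sanitizer has to make. The SWF samples are constructed inline (uncompressed "FWS" header with an empty RECT; 9, 1, 12 and 0 are the real SetBackgroundColor, ShowFrame, DoAction and End tag codes).

```python
import struct

TAG_END, TAG_SHOWFRAME, TAG_SETBACKGROUND, TAG_DOACTION = 0, 1, 9, 12
LONG_LENGTH = 0x3F     # short length field value meaning "a UI32 length follows"

def swf_body_offset(data: bytes) -> int:
    """Skip the uncompressed SWF header: 'FWS', version, UI32 file length,
    RECT (5-bit Nbits then 4*Nbits bits, byte aligned), UI16 frame rate, UI16 frame count."""
    if data[:3] != b"FWS":
        raise ValueError("only uncompressed SWF handled in this example")
    nbits = data[8] >> 3
    rect_bytes = (5 + 4 * nbits + 7) // 8
    return 8 + rect_bytes + 4

def read_tag_header(data: bytes, pos: int):
    """RECORDHEADER: UI16 = (code << 6) | length; length 0x3F means a UI32 length follows.
    Returns (code, length, offset of the tag body)."""
    code_and_len = struct.unpack_from("<H", data, pos)[0]
    code, length, body = code_and_len >> 6, code_and_len & 0x3F, pos + 2
    if length == LONG_LENGTH:
        length, body = struct.unpack_from("<I", data, pos + 2)[0], pos + 6
    return code, length, body

def walk_tags_overflowing(data: bytes) -> list:
    """Sanitizer-style walker with the flaw described on the slide (hypothetical): it seeks
    past a tag body with 32-bit arithmetic, so a huge claimed length wraps the cursor
    backwards and the bytes that follow that tag are never examined."""
    pos, seen, visited = swf_body_offset(data), [], set()
    while pos + 2 <= len(data) and pos not in visited:
        visited.add(pos)
        code, length, body = read_tag_header(data, pos)
        seen.append(code)
        if code == TAG_END:
            break
        pos = (body + length) & 0xFFFFFFFF      # the overflow: cursor wraps instead of failing
    return seen

def walk_tags_checked(data: bytes) -> list:
    """Bounds-checked walker: every tag header and body must lie inside the file."""
    pos, seen = swf_body_offset(data), []
    while True:
        if pos + 2 > len(data):
            raise ValueError(f"truncated tag header at offset {pos}")
        code, length, body = read_tag_header(data, pos)
        if length > len(data) - body:
            raise ValueError(f"tag {code} at offset {pos} claims {length} bytes, "
                             f"only {len(data) - body} remain")
        seen.append(code)
        if code == TAG_END:
            return seen
        pos = body + length

def sanitizer_verdict(data: bytes) -> str:
    try:
        return "clean: tags " + str(walk_tags_checked(data))
    except ValueError as err:
        return "rejected: " + str(err)

# --- constructed samples ---
def _tag(code: int, body: bytes) -> bytes:
    return struct.pack("<H", (code << 6) | len(body)) + body       # short form, body < 63 bytes

def _long_tag_header(code: int, claimed_length: int) -> bytes:
    return struct.pack("<HI", (code << 6) | LONG_LENGTH, claimed_length)

def _swf(tags: bytes) -> bytes:
    rest = b"\x00" + struct.pack("<HH", 0x0C00, 1)   # empty RECT (Nbits=0), 12.0 fps, 1 frame
    return b"FWS\x06" + struct.pack("<I", 8 + len(rest) + len(tags)) + rest + tags

def build_benign_swf() -> bytes:
    return _swf(_tag(TAG_SETBACKGROUND, b"\x00\x00\x00") + _tag(TAG_SHOWFRAME, b"")
                + _tag(TAG_DOACTION, b"\x00") + _tag(TAG_END, b""))

def build_overflowing_swf() -> bytes:
    """A ShowFrame tag claiming 0xFFFFFFF7 bytes: body offset 24 + 0xFFFFFFF7 wraps to
    offset 15, the zero bytes of SetBackgroundColor, which read back as an End tag."""
    return _swf(_tag(TAG_SETBACKGROUND, b"\x00\x00\x00") + _long_tag_header(TAG_SHOWFRAME, 0xFFFFFFF7)
                + _tag(TAG_DOACTION, b"\x00") + _tag(TAG_END, b""))
```

On the well-formed file both walkers agree; on the overflowing one the flawed walker reports a clean-looking [9, 1, 0] and never looks at the DoAction tag behind the overlong header, while the checked walker refuses the file.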