3 headers & 1 data body in a single file

1. a binary chimera
3 headers & 1 data body in a single file
Ange Albertini, March 2014

2. chimera kʌɪˈmɪərə,kɪ-/
noun
1. (in Greek mythology) a fire-breathing female monster with a lion's head, a goat's body, and a serpent's tail.

4. what is it ?
a file that is:
● a JPG
● a PDF
● a ZIP

5. that’s all?
is it just 3 stacked formats ?
if only >:-)

6. a binary chimera
the image data is present only once:
all 3 file formats rely on the same body.
1 data body, 3 different headers (PDF/ZIP/JPG)
→ chimera

7. why?
● why not!
● just a PoC for me
○ but maybe a fixed bug for you
it shows that
● too many file format specs suck!
○ which decreases our security

8. starting ideas
● PDF can use unmodified JPG files
○ we just need to duplicate the JPG header
○ and trick the JPG header to find its data ‘further’ than
expected
● ZIP can store data unmodified
○ we just need to trick ZIP structure to find its file data
within the PDF

9. magic signature
● JPEG FF D8 offset 0
● PDF %PDF-1.x within range 0-1024
● ZIP PKx03x04 anywhere
→ our file starts with FF D8 at offset 0
we need to ‘hide’ the rest

10. hiding PDF/ZIP data from JPEG
● JPEG is chunk-based (called segments)
→ add comment segments to cover PDF/ZIP
syntax:
FF FE <length:+2> <data>

11. hiding JPEG/ZIP data from PDF
● PDF is not parsed until signature is met
→ the JPEG header is ignored
● PDF is object-based
● dummy stream objects to cover ZIP/JPG

12. PDF stream object
<unused number> 0 obj
<<>>
stream
<data>
endstream
endobj

13. Problem: in a ZIP,
data is following LocalFileHeader
start of PDF image object overlaps LocalFileHeader :(
Solution:
ZIP contains 2 filenames entries:
● in CentralDirectory (important one)
● in each LocalFileHeader (discardable)
→ abused LFH’s filename to overlap PDF object
start (not 100% compatible)

14. elegance++
● cover extra data after JPEG end with
superfluous comment segment
● covert extra PDF data by extending ZIP
archive comment (in EoCD)

15. summary

17. icing on the cake
● all written by hand
● generated in ASM
● not specific to my JPEG/PDF/ZIP data
as usual ;)

18. partial failure
not fully “compatible”
● ZIP LFH name corrupted :(
○ 7z, ZipFile don’t support it
● Adobe Reader blacklists JPEGs-starting PDFs
→ need to slightly corrupt JPEG header
→ some JPEG viewers don’t support it :(
JPEG corrupted to let PDF open under Adobe
easy to fix, would break Adobe

19. Conclusion
● yet another kind of file format puzzle
○ new?
● chimeras aren’t legend anymore :p
● source & PoC
○ http://corkami.googlecode.com/svn/trunk/src/chimera

20. ACK
Binary masters
● Julia Wolf, Jonas Magazinius, Gynvael Coldwind
PoC||GTFO neighbors
● Travis Goodspeed, Sergey Bratus
Feedbackers
● @munin @LeBurek @rfc1459 @InfoSec208
Promising jedi ;)
● Dominique Bongard

21. Questions/suggestions?
@angealbertini

22. Want more?
read PoC||GTFO !