Schizophrenic files v2
Transcript of Schizophrenic files v2
![Page 1: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/1.jpg)
Schizophrenic files
Ange Albertini
MetaRheinMain ConstructionDays (MRMCD), 5-7 September 2014, HS Darmstadt, www.mrmcd.net
2014/09/05
![Page 2: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/2.jpg)
This talk is a collaboration with:
Gynvael Coldwind, security researcher, Google
Dragon Sector captain, likes hamburgers
http://gynvael.coldwind.pl/
![Page 3: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/3.jpg)
Ange Albertini, reverse engineering & visual documentations
@[email protected]
http://www.corkami.com
![Page 4: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/4.jpg)
![Page 5: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/5.jpg)
1 file, 2 programs ⇒ 2 different contents
No active detection of the program in the file
![Page 6: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/6.jpg)
Fooling, not failing
Both programs will load the file correctly: no reported warning or error, no exploitation.
![Page 7: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/7.jpg)
Abusing parsers for
● fun
● bypassing security
  ○ same-origin policy
  ○ evade detection
  ○ exfiltration
  ○ signing
    ■ Android Master Key
![Page 8: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/8.jpg)
ZIP
![Page 9: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/9.jpg)
excerpt from Gynvael's talk: "Dziesięć tysięcy pułapek: ZIP, RAR, etc." ("Ten thousand traps: ZIP, RAR, etc.")
(http://gynvael.coldwind.pl/?id=523)
![Page 10: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/10.jpg)
ZIP archives
![Page 11: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/11.jpg)
ZIP structures are parsed from the end.
![Page 12: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/12.jpg)
File names are actually duplicated.
![Page 13: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/13.jpg)
Why this weird structure?
![Page 14: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/14.jpg)
ZIP archives were commonly read & written on the fly over multiple floppies.
![Page 15: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/15.jpg)
Minimize floppy swaps
● creation
  a. create one LFH per file; floppy full ⇒ start a new LFH on the next floppy
  b. when all files are finished, write the CDs sequence (1/file)
  c. when all CDs are written, write the EoCD
● extraction
  a. insert the last floppy (contains the EoCD)
  b. insert the floppy with the 1st CD (often, the last floppy contains EoCD + all CDs)
  c. insert the corresponding LFH's first floppy; insert the next floppies if required
![Page 16: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/16.jpg)
ZIP was very useful, but now it's awkward.
Newer archive formats are parsed top-down.
![Page 17: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/17.jpg)
Position in the file
![Page 18: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/18.jpg)
Prepended and appended data is tolerated...
![Page 19: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/19.jpg)
...but not too much! (for obvious performance reasons)
![Page 20: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/20.jpg)
Duplicating the (relatively small) EoCD increases compatibility.
![Page 21: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/21.jpg)
Scanning direction
![Page 22: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/22.jpg)
If you concatenate 2 archives...
![Page 23: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/23.jpg)
...if you parse bottom-up (standard), you find the 2nd one...
![Page 24: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/24.jpg)
...but you will get the other archive if you parse top-down.
![Page 25: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/25.jpg)
Superfluous headers
![Page 26: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/26.jpg)
You could parse everything nicely...
![Page 27: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/27.jpg)
...but in the end, only the Local File Headers matter.
![Page 28: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/28.jpg)
1 file = 1 Local File Header
![Page 29: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/29.jpg)
Since most ZIP archives start with a sequence of Local File Headers...
![Page 30: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/30.jpg)
You can parse them top-down (until a break) and ignore the CD and EoCD.
![Page 31: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/31.jpg)
Standard parsing: bottom-up + all headers
![Page 32: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/32.jpg)
“Efficient” parsing: top-down + LFHs only
Not standard, but good enough in most cases.
![Page 33: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/33.jpg)
Nowadays, most ZIPs are a sequence of LFHs from the start.
![Page 34: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/34.jpg)
ZIP Archive comment
![Page 35: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/35.jpg)
The EoCD contains an optional comment field...
![Page 36: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/36.jpg)
...that can contain a complete archive!
![Page 37: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/37.jpg)
Recap
● Parsing direction:
  ○ standard is bottom-up
  ○ parsing LFHs from the start would work in most cases
● ZIP should be located near the end of the file
  ○ or at least, its EoCD
● An archive comment can contain another complete archive
![Page 38: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/38.jpg)
Let's test the parsers! abstract.zip
![Page 39: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/39.jpg)
4 LFHs, 4 ways to parse this archive:
![Page 40: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/40.jpg)
1/ you parse it bottom-up
![Page 41: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/41.jpg)
2/ you parse it top-down
![Page 42: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/42.jpg)
3/ look for LFHs from the start (until a break)
![Page 43: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/43.jpg)
4/ scan for LFHs aggressively (you get all four)
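Added example (not from the slides or abstract.zip): a Python checker that reads the same bytes in the two directions described above, standard bottom-up via the EoCD and "efficient" top-down via the Local File Headers, and flags the file when the two views disagree. The samples are constructed in memory with the standard zipfile module: two concatenated archives, and an archive carried inside the EoCD comment field; all file names in them are made up.

```python
import io
import struct
import zipfile

LFH_SIG, CD_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def make_zip(files, comment=b""):
    """Build an in-memory stored ZIP from {name: bytes} (constructed sample data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
        zf.comment = comment
    return buf.getvalue()


def names_bottom_up(blob):
    """Standard direction: last EoCD -> central directory -> file names."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        return []
    _, _, _, _, total, cd_size, _, _ = struct.unpack_from("<4s4HIIH", blob, eocd)
    # Readers tolerate prepended data by assuming the CD ends right at the EoCD,
    # so the recorded CD offset is shifted rather than trusted as absolute.
    pos = eocd - cd_size
    names = []
    for _ in range(total):
        if blob[pos:pos + 4] != CD_SIG:
            break
        hdr = struct.unpack_from("<4s6H3I5H2I", blob, pos)  # 46-byte CD entry
        nlen, xlen, clen = hdr[10], hdr[11], hdr[12]
        names.append(blob[pos + 46:pos + 46 + nlen].decode())
        pos += 46 + nlen + xlen + clen
    return names


def names_top_down(blob):
    """'Efficient' direction: walk Local File Headers from offset 0 until a break."""
    pos, names = 0, []
    while blob[pos:pos + 4] == LFH_SIG:
        hdr = struct.unpack_from("<4s5H3I2H", blob, pos)  # 30-byte LFH
        csize, nlen, xlen = hdr[7], hdr[9], hdr[10]
        names.append(blob[pos + 30:pos + 30 + nlen].decode())
        pos += 30 + nlen + xlen + csize  # sizes are in the header (no data descriptor)
    return names


def audit_zip(blob):
    """Return (bottom_up, top_down, consistent); a mismatch means the same file
    shows different contents to parsers that pick different directions."""
    bu, td = names_bottom_up(blob), names_top_down(blob)
    return bu, td, sorted(bu) == sorted(td)


def concatenated_sample():
    """Two archives glued together (constructed)."""
    return make_zip({"README.txt": b"benign notes"}) + make_zip({"second.bin": b"\x00" * 16})


def comment_sample():
    """A complete archive carried inside the outer archive's EoCD comment (constructed)."""
    inner = make_zip({"second.bin": b"\x00" * 16})
    return make_zip({"README.txt": b"benign notes"}, comment=inner)


if __name__ == "__main__":
    for label, blob in (("concatenated", concatenated_sample()), ("comment", comment_sample())):
        print(label, audit_zip(blob))
```

A plain archive yields the same list both ways; both constructed samples yield README.txt top-down and second.bin bottom-up, which is the signal a gateway or scanner should treat as suspicious.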
![Page 44: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/44.jpg)
Portable Document File
![Page 45: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/45.jpg)
http://youtu.be/JQrBgVRgqtc?t=11m15s
https://speakerdeck.com/ange/pdf-secrets-hiding-and-revealing-secrets-in-pdf-documents?slide=44
![Page 46: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/46.jpg)
![Page 47: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/47.jpg)
PDF Trick #1: trailers
![Page 48: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/48.jpg)
trailer ⇒ root object ⇒ complete document
![Page 49: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/49.jpg)
(figure: the end of the file, showing a line comment, a correct trailer and a corrupted trailer)
![Page 50: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/50.jpg)
Each reader sees a different trailer.
![Page 51: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/51.jpg)
PDF parsing
Each reader sees a completely different document: 3 co-existing documents, all parsed through.
Viewers' tolerance makes foreign elements ignored.
![Page 52: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/52.jpg)
Also available in PDF/A flavor (OK for Adobe Reader, but not for Preflight)
![Page 53: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/53.jpg)
Sometimes, it's in the specs... ...but who knows all of them?
(obscurity via over-specification)
![Page 54: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/54.jpg)
Notice anything unusual?
![Page 55: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/55.jpg)
This document contains layers. (an advanced feature)
![Page 56: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/56.jpg)
What you see is not what you’ll get...
![Page 57: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/57.jpg)
PDF Layers 1/2
“Optional Content Configuration”
● principles
  ○ define layered content via various /Forms
  ○ enable/disable layers on viewing/printing
● no warning when printing
● “you can see the preview!”
  ○ bypass preview by keeping page 1 unchanged
  ○ just do a minor change in the file
![Page 58: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/58.jpg)
PDF Layers 2/2
● it's Adobe only
  ○ what's displayed varies with readers
  ○ could be hidden via the previous schizophrenic trick
● it was in the specs all along
  ○ very rarely used
  ○ can be abused with no warning
![Page 59: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/59.jpg)
BMP
![Page 60: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/60.jpg)
BMP
A pointer to some information that usually comes next… What could go wrong...
![Page 61: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/61.jpg)
BMP Trick #1: ignoring the data pointer
getting data right after the header
getting data via the pointer (standard)
![Page 62: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/62.jpg)
Trick #2: Run-Length Encoding
![Page 63: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/63.jpg)
BMP RLE trick
RLE structure (each box is 1 byte):

| 1st byte | 2nd byte | following bytes | meaning |
|---|---|---|---|
| Length > 0 | Palette Index (color) | | encoded run |
| 0 | 0 | | End of Line |
| 0 | 1 | | End of Bitmap |
| 0 | 2 | X offset, Y offset | Move Cursor |
| 0 | RAW Length > 2 | Palette Index (color), Palette Index (color), ... | raw pixels |
![Page 64: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/64.jpg)
BMP RLE trick
If you just skip pixels, what is their color?
● 0, 0: End of Line
● 0, 1: End of Bitmap
● 0, 2, X offset, Y offset: Move Cursor
![Page 65: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/65.jpg)
Option 1: The missing data will be filled with the background color (palette index 0).
![Page 66: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/66.jpg)
Option 2: The missing data will be black.
![Page 67: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/67.jpg)
Option 3: The missing data will be transparent.
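Added example (not from the slides): a small BI_RLE8 decoder in Python that keeps track of pixels the stream never writes, so the three fill choices above can be applied to the same decoded data and the number of undefined pixels can be used as a detection signal. The 4x2 pixel stream and the palette are constructed for the example.

```python
def decode_rle8(stream, width, height):
    """Decode a BI_RLE8 pixel stream into rows of palette indices, in the order
    the file stores them. Pixels the stream never writes stay None: the format
    does not say what colour they should get."""
    img = [[None] * width for _ in range(height)]
    x = y = i = 0

    def put(index):
        nonlocal x
        if x < width and y < height:
            img[y][x] = index
        x += 1

    while i + 1 < len(stream):
        count, val = stream[i], stream[i + 1]
        i += 2
        if count > 0:            # encoded mode: `count` pixels of palette index `val`
            for _ in range(count):
                put(val)
        elif val == 0:           # escape 0: end of line
            x, y = 0, y + 1
        elif val == 1:           # escape 1: end of bitmap
            break
        elif val == 2:           # escape 2: move cursor by (dx, dy), leaving a hole
            x, y = x + stream[i], y + stream[i + 1]
            i += 2
        else:                    # absolute mode: `val` raw indices, padded to 16 bits
            for k in range(val):
                put(stream[i + k])
            i += val + (val & 1)
    return img


# The three fills viewers pick for unwritten pixels, as RGBA:
FILL_POLICIES = {
    "background": lambda palette: palette[0],     # option 1: palette index 0
    "black": lambda palette: (0, 0, 0, 255),      # option 2
    "transparent": lambda palette: (0, 0, 0, 0),  # option 3
}


def render(img, palette, policy):
    """Resolve indices to RGBA, filling holes according to `policy`."""
    hole = FILL_POLICIES[policy](palette)
    return [[hole if v is None else palette[v] for v in row] for row in img]


def hole_count(img):
    """Number of undefined pixels: > 0 means the image renders differently per viewer."""
    return sum(v is None for row in img for v in row)


# Constructed 4x2 stream that deliberately skips pixels:
SAMPLE = bytes([
    0x01, 0x01,                          # 1 pixel of index 1 at (0,0)
    0x00, 0x02, 0x00, 0x01,              # move cursor dx=0, dy=1 -> (1,1)
    0x00, 0x03, 0x02, 0x03, 0x02, 0x00,  # absolute: indices 2,3,2 + pad byte
    0x00, 0x01,                          # end of bitmap
])
PALETTE = [(255, 255, 255, 255), (255, 0, 0, 255), (0, 255, 0, 255), (0, 0, 255, 255)]

if __name__ == "__main__":
    img = decode_rle8(SAMPLE, 4, 2)
    for policy in FILL_POLICIES:
        print(policy, render(img, PALETTE, policy))
```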
![Page 68: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/68.jpg)
PNG
Portable Network Graphics
![Page 69: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/69.jpg)
Combined data + 2 palettes
Same data chunk combining 2 images via 2 palettes
cute PoC by @reversity
“There shall not be more than one PLTE chunk”
![Page 70: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/70.jpg)
Different images depending on which PLTE chunk is used
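Added example (not the PoC by @reversity): a Python chunk walker that verifies chunk CRCs and counts PLTE chunks, so a file that violates "there shall not be more than one PLTE chunk" can be rejected before a lenient decoder silently picks the first or the last palette. The 2x1 indexed test image and both palettes are constructed here.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def png_chunk(ctype, data):
    """Serialise one chunk: length, type, data, CRC-32 over type + data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def walk_chunks(blob):
    """Yield (type, data) for each chunk, checking CRCs; stops after IEND."""
    if not blob.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    pos = 8
    while pos + 12 <= len(blob):
        length, ctype = struct.unpack_from(">I4s", blob, pos)
        data = blob[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack_from(">I", blob, pos + 8 + length)
        if zlib.crc32(ctype + data) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC on {ctype!r}")
        yield ctype, data
        pos += 12 + length
        if ctype == b"IEND":
            break


def audit_png(blob):
    """Count PLTE chunks; more than one violates the spec and makes the picture
    depend on whether a decoder keeps the first palette or the last one."""
    plte = [data for ctype, data in walk_chunks(blob) if ctype == b"PLTE"]
    return {
        "plte_count": len(plte),
        "first_palette": plte[0] if plte else None,
        "last_palette": plte[-1] if plte else None,
        "conforming": len(plte) <= 1,
    }


def build_png(palettes):
    """Constructed 2x1 indexed PNG (colour type 3) carrying the given PLTE payloads."""
    ihdr = struct.pack(">IIBBBBB", 2, 1, 8, 3, 0, 0, 0)  # 2x1 px, 8 bpp, palette
    idat = zlib.compress(b"\x00\x00\x01")               # filter 0, indices 0 and 1
    body = b"".join(png_chunk(b"PLTE", p) for p in palettes)
    return PNG_SIG + png_chunk(b"IHDR", ihdr) + body + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")


RED_GREEN = bytes([255, 0, 0, 0, 255, 0])       # palette A: index 0 red, index 1 green
BLUE_WHITE = bytes([0, 0, 255, 255, 255, 255])  # palette B: index 0 blue, index 1 white

if __name__ == "__main__":
    print(audit_png(build_png([RED_GREEN])))
    print(audit_png(build_png([RED_GREEN, BLUE_WHITE])))
```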
![Page 71: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/71.jpg)
Portable Executable
![Page 72: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/72.jpg)
the PE Loader
PE = complex + badly documented
● fail or fool external tools? too easy...
● fooling Windows is much harder:
  ○ Windows' loader usually closes holes ⇒ older PEs just not working anymore
![Page 73: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/73.jpg)
PE Trick #1: Data directory loading order
![Page 74: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/74.jpg)
Pointing TLS’ AddressOfIndex to an Import descriptor
![Page 75: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/75.jpg)
W7: TLS is loaded first ⇒ AoI's address set to 0 ⇒ Import descriptors' sequence is truncated before loading
![Page 76: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/76.jpg)
XP: Imports are loaded first - all descriptors are parsed. TLS is then parsed - descriptors are not relevant anymore.
![Page 77: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/77.jpg)
PE Trick #2: Relocations
![Page 78: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/78.jpg)
Relocations: patching absolute addresses to solve address space conflicts
![Page 79: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/79.jpg)
Relocation types

| Type | Name(s) | W8 | Vista | XP |
|---|---|---|---|---|
| Type 4 | HIGH_ADJ | -- | -- | ✓ |
| Type 9 | MIPS_JMPADDR16 / IA64_IMM64 / MACHINE_SPEC_9 | 32 bit | 64 bit | ✗ |
![Page 80: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/80.jpg)
Relocations on relocations

| Type | Name(s) | W8 | Vista | XP |
|---|---|---|---|---|
| Type 4 | HIGH_ADJ | -- | -- | ✓ |
| Type 9 | MIPS_JMPADDR16 / IA64_IMM64 / MACHINE_SPEC_9 | 32 bit | 64 bit | ✗ |
| Type 10 | DIR64 | ✓ | ✓ | ✓ |

as seen in PoC||GTFO #1
![Page 81: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/81.jpg)
Relocation-based PE Schizophren
![Page 82: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/82.jpg)
Julian Bangert, Sergey Bratus -- ELF Eccentricities
https://www.youtube.com/watch?v=4LU6N6THh2U
![Page 83: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/83.jpg)
GIF
![Page 84: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/84.jpg)
GIF
A GIF is made of blocks. If no animation speed is defined, they should all be displayed at once.
![Page 85: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/85.jpg)
GIF
If a frame speed is defined, then: first block = background, next blocks = animation frames
Background (from block 1) / Frame 1 (with block 2) / Frame 2 (with block 3)
![Page 86: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/86.jpg)
GIF
Frame 1 | Frames 2-10001: 1x1 px | Frame 10002
1 complete pic + 10,000 pixels + 1 complete pic
![Page 87: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/87.jpg)
Forcing animation (even if no frame speed is defined)
Displaying all blocks at once (standard)
![Page 88: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/88.jpg)
same-tool schizophrenia: 1 file + 1 tool = 2 behaviors
(in different sub-components)
![Page 89: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/89.jpg)
Because it was too simple...
● WinRar: viewing ⇔ extracting
  ○ opening/failing
  ○ opening/'nothing'
● Adobe: viewing ⇔ printing
  ○ well, it's a feature
![Page 90: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/90.jpg)
Failures & Ideas
![Page 91: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/91.jpg)
Failures & Ideas
● screen ⇔ printer
  ○ embedded color profiles?
● JPG
  ○ IrfanView vs the world
● Video
  ○ FLV: early data pointer, like BMP
  ○ PoC: video fails but plays sound
![Page 92: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/92.jpg)
PNG
Various ancillary chunks (rendering level)
● partially supported:
  ○ gamma
  ○ transparency (for palettes)
● never supported?
  ○ significant bits
  ○ chromaticities
● always supported?
  ○ physical size
![Page 93: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/93.jpg)
Conclusion
![Page 94: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/94.jpg)
We tend to take our own shortcuts.
![Page 95: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/95.jpg)
Conclusion
● such a mess
  ○ specs are messy
    ■ unclear
    ■ historical reasons
  ○ parsers don't even respect them (particularly when there is an easy shortcut)
  ○ official tools “forced” to be tolerant
    ■ They're even trying to repair corrupted files (!)
● no CVE/blaming for parsing errors?
  ○ no security bug if no crash or exploit :(
![Page 96: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/96.jpg)
Schizophrenia symptoms
● different parsing (seeing different data)
  ○ BMP: ignoring data pointer
  ○ ZIP: different parsing algorithm & directions
  ○ PE: different data directory loading order
  ○ PDF: different trailer parsing
● different interpretation (same data)
  ○ GIF: ignoring animation speed
  ○ BMP RLE: using different default color
  ○ PE: different relocations implementation
  ○ PNG: using different palette
  ○ PDF: conditional layers
![Page 97: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/97.jpg)
ACK
@gynvael @reversity @travisgoodspeed @sergeybratus
qkumba @internot @pdfkungfoo
@j00ru ise ds vx, Mulander, Felix Groebert, Salvation
![Page 98: Schizophrenic files v2](https://reader034.fdocuments.net/reader034/viewer/2022042507/558d54e5d8b42a7d338b46c7/html5/thumbnails/98.jpg)
@angealbertini corkami.com
Damn, that's the second time those alien bastards shot up my ride!