File Format Exploit Detection (0‑Click Chains)
Tip
Learn and practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn and practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn and practice Azure Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
This page summarises practical techniques for detecting 0‑click mobile exploit files by validating the structural invariants of their formats rather than relying on byte signatures. The approach generalises to multiple samples, polymorphic variants, and future exploits that abuse the same parser logic.
Key idea: encode structural impossibilities and cross‑field inconsistencies that only appear when a vulnerable decoder/parser is reached.
See also:
Why structure, not signatures
When weaponised samples are unavailable and payload bytes change, traditional IOC/YARA patterns fail. Structural detection checks the container's declared layout against what is mathematically or semantically possible for the format implementation.
Common checks:
- Validate table sizes and bounds derived from the spec and from safe implementations
- Flag illegal/undocumented opcodes or state transitions in embedded bytecode
- Compare metadata against the actual encoded stream components
- Detect contradictory fields that indicate parser confusion or integer overflow set‑ups
Below are robust, field‑tested patterns for multiple high‑impact chains.
PDF/JBIG2 – FORCEDENTRY (CVE‑2021‑30860)
Target: JBIG2 symbol dictionaries embedded inside PDFs (often used in mobile MMS parsing).
Structural signals:
- Contradictory dictionary state that cannot occur in benign content but is required to trigger the overflow in arithmetic decoding.
- Suspicious use of global segments together with abnormal symbol counts during refinement coding.
Example logic:
# Detecting impossible dictionary state used by FORCEDENTRY
# input_symbols_count: symbols imported from referred-to dictionaries; ex_syms: SDNUMEXSYMS
if input_symbols_count == 0 and (ex_syms > 0 and ex_syms < 4):
    mark_malicious("JBIG2 impossible symbol dictionary state")
Practical triage:
- Identify and extract JBIG2 streams from the PDF
- Use pdfid/pdf-parser/peepdf to locate and dump streams
- Validate arithmetic coding flags and symbol dictionary parameters against the JBIG2 specification
Notes:
- Works without embedded payload signatures
- Low FP in practice because the flagged state is mathematically invalid
WebP/VP8L – BLASTPASS (CVE‑2023‑4863)
Target: WebP lossless (VP8L) Huffman prefix‑code tables.
Structural signals:
- The total size of the constructed Huffman tables exceeds the safe upper bound expected by reference/embedded implementations, indicating overflow preconditions.
Pseudo‑logic:
# Detect malformed Huffman table construction triggering overflow
total_size = sum(table_sizes)
if total_size > 2954:  # example bound: FIXED_TABLE_SIZE + MAX_TABLE_SIZE
    mark_malicious("VP8L oversized Huffman tables")
Practical triage:
- Inspect the WebP container chunks: VP8X + VP8L
- Parse the VP8L prefix codes and compute the actual size of the allocated tables
Notes:
- Robust against byte‑level polymorphism of the payload
- The bound comes from the upstream bounds/patch analysis
TrueType – TRIANGULATION (CVE‑2023‑41990)
Target: TrueType bytecode inside fpgm/prep/glyf programs.
Structural signals:
- Presence of undocumented/forbidden opcodes in Apple's interpreter that are used by the exploit chain.
Pseudo‑logic:
# Flag undocumented TrueType bytecode leveraged by TRIANGULATION
for opcode in program:
    if opcode in (0x8F, 0x90):
        mark_malicious("Undocumented TrueType bytecode")
    else:
        continue
Practical triage:
- Dump the font tables (e.g., using fontTools/ttx) and scan the fpgm/prep/glyf programs
- No need to fully emulate the interpreter to get value from presence checks
Notes:
- May cause rare FPs if unusual fonts contain unknown opcodes; confirm with secondary tooling
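A plain byte scan of a program would also match 0x8F/0x90 when they occur as inline push data (NPUSHB/NPUSHW/PUSHB/PUSHW operands), which is one source of the FPs noted above. The added example below (not code from the page or from ElegantBouncer) walks the instruction stream so that only real opcodes are checked; the two programs are constructed inline, and the opcode set is the one the page names:

```python
# Opcodes the page flags as undocumented in Apple's TrueType interpreter (TRIANGULATION)
FORBIDDEN = {0x8F, 0x90}

def instructions(program):
    """Yield (offset, opcode) for each instruction, skipping inline push operands
    so that data bytes are never mistaken for opcodes."""
    i, n = 0, len(program)
    while i < n:
        op = program[i]
        yield i, op
        if op == 0x40:                       # NPUSHB: count byte, then count bytes
            i += 2 + (program[i + 1] if i + 1 < n else 0)
        elif op == 0x41:                     # NPUSHW: count byte, then count words
            i += 2 + 2 * (program[i + 1] if i + 1 < n else 0)
        elif 0xB0 <= op <= 0xB7:             # PUSHB[abc]: (op - 0xB0 + 1) bytes follow
            i += 1 + (op - 0xB0 + 1)
        elif 0xB8 <= op <= 0xBF:             # PUSHW[abc]: (op - 0xB8 + 1) words follow
            i += 1 + 2 * (op - 0xB8 + 1)
        else:
            i += 1                           # every other instruction is a single byte

def scan_program(program):
    """Offsets and values of forbidden opcodes in a fpgm/prep/glyph program."""
    return [(off, op) for off, op in instructions(program) if op in FORBIDDEN]

# Constructed samples: BENIGN carries 0x8F/0x90 only as NPUSHB operands (a naive byte
# scan would flag it); SUSPICIOUS executes 0x8F as an instruction after a PUSHB[0].
BENIGN = bytes([0x40, 0x03, 0x8F, 0x90, 0x01, 0x2B])   # NPUSHB 3 bytes; CALL
SUSPICIOUS = bytes([0xB0, 0x01, 0x8F, 0x00])           # PUSHB[0] 1; 0x8F; SVTCA[0]
```

With fontTools, `font["fpgm"].program.getBytecode()` (and the same for `prep` and each hinted glyph) yields the raw program bytes to pass to `scan_program`.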
DNG/TIFF – CVE‑2025‑43300
Target: DNG/TIFF image metadata vs. the actual component count in the encoded stream (e.g., JPEG‑Lossless SOF3).
Structural signals:
- Mismatch between EXIF/IFD fields (SamplesPerPixel, PhotometricInterpretation) and the component count parsed from the image stream header that the pipeline uses.
Example logic:
# Metadata claims 2 samples per pixel but stream header exposes only 1 component
if samples_per_pixel == 2 and sof3_components == 1:
    mark_malicious("DNG/TIFF metadata vs. stream mismatch")
Practical triage:
- Parse the main IFD and the EXIF tags
- Locate and parse the embedded JPEG‑Lossless header (SOF3) and compare the component count
Notes:
- Reported as exploited in the wild; a good candidate for structural consistency checks
DNG/TIFF – Samsung libimagecodec.quram.so (CVE‑2025‑21042) + Appended ZIP payload (LANDFALL)
Target: DNG (TIFF‑derived) images carrying a ZIP archive appended at end of file (EOF) to stage native payloads after the parser RCE.
Structural signals:
- The file magic indicates TIFF/DNG (II*\x00 or MM\x00*) but the filename mimics a JPEG (e.g., a .jpg/.jpeg name as delivered on WhatsApp).
- Presence of a ZIP Local File Header or EOCD magic near EOF (PK\x03\x04 or PK\x05\x06) that is not referenced by any TIFF IFD data region (strips/tiles/JPEGInterchangeFormat).
- Unusually large data following the last referenced IFD data block (hundreds of KB to MB), consistent with an appended archive of .so modules.
Example logic:
# Detect appended ZIP payload hidden after DNG/TIFF data (Samsung chain)
if is_tiff_dng(magic):
    ext = file_extension()
    if ext in {".jpg", ".jpeg"}:
        mark_suspicious("Extension/magic mismatch: DNG vs JPEG")
    # search only the tail of the file for ZIP EOCD / local file header magic
    zip_off = rfind_any(["PK\x05\x06", "PK\x03\x04"], search_window_last_n_bytes=8*1024*1024)
    if zip_off >= 0:
        end_dng = approx_end_of_tiff_data()  # max(end of Strip/Tile/JPEGInterchangeFormat regions)
        if zip_off > end_dng + 0x200:  # slack beyond the last referenced IFD data region
            mark_malicious("DNG with appended ZIP payload (LANDFALL‑style)")
Practical triage:
- Identify format vs name:
  - file sample; exiftool -s -FileType -MIMEType sample
- Locate ZIP footer/header near EOF and carve:
  - off=$(grep -abo -E $'PK\x05\x06|PK\x03\x04' sample.dng | tail -n1 | cut -d: -f1)
  - dd if=sample.dng of=payload.zip bs=1 skip="$off"
  - zipdetails -v payload.zip; unzip -l payload.zip
- Sanity‑check that TIFF data regions don't overlap the carved ZIP region:
  - tiffdump -D sample.dng | egrep 'StripOffsets|TileOffsets|JPEGInterchangeFormat|StripByteCounts|TileByteCounts|JPEGInterchangeFormatLength'
  - Verify max(offset+length) << zip_off
- One‑shot carving (coarse): binwalk -eM sample.dng
Notes:
- Exploited in the wild against Samsung’s libimagecodec.quram.so (CVE‑2025‑21042). The appended ZIP contained native modules (e.g., loader + SELinux policy editor) extracted/executed post‑RCE.
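Both DNG/TIFF checks on this page (the SamplesPerPixel vs. SOF3 mismatch of CVE‑2025‑43300 and the LANDFALL‑style appended ZIP) start from the same IFD0 parse, so the added example below implements them in one scanner. It is not code from the page or from ElegantBouncer; it assumes strip‑based layout (StripOffsets/StripByteCounts), and `build_dng` constructs the minimal test files inline:

```python
import struct

TAG_STRIP_OFF, TAG_SPP, TAG_STRIP_CNT = 273, 277, 279
FMT = {1: "B", 3: "H", 4: "I"}          # TIFF BYTE / SHORT / LONG

def parse_ifd0(data):
    """Return {tag: [values]} for IFD0 of a little- or big-endian TIFF/DNG."""
    bo = "<" if data[:2] == b"II" else ">"
    off = struct.unpack_from(bo + "I", data, 4)[0]
    n, tags = struct.unpack_from(bo + "H", data, off)[0], {}
    for i in range(n):
        tag, typ, cnt, val = struct.unpack_from(bo + "HHI4s", data, off + 2 + 12 * i)
        if typ not in FMT:
            continue
        size = cnt * struct.calcsize(bo + FMT[typ])
        # values of <= 4 bytes are stored inline, larger ones at the offset in the field
        raw = val[:size] if size <= 4 else data[struct.unpack(bo + "I", val)[0]:][:size]
        tags[tag] = list(struct.unpack(bo + FMT[typ] * cnt, raw))
    return tags

def sof3_components(jpeg):
    """Nf of the first SOF3 (lossless JPEG) marker: marker(2) len(2) P(1) Y(2) X(2) Nf(1)."""
    i = jpeg.find(b"\xff\xc3")
    return jpeg[i + 9] if i >= 0 and i + 9 < len(jpeg) else None

def check_dng(data):
    """Findings for both checks: metadata/stream mismatch and appended ZIP payload."""
    findings, tags = [], parse_ifd0(data)
    offs, cnts = tags.get(TAG_STRIP_OFF, []), tags.get(TAG_STRIP_CNT, [])
    spp = tags.get(TAG_SPP, [1])[0]
    for o, c in zip(offs, cnts):
        if spp == 2 and sof3_components(data[o:o + c]) == 1:    # CVE-2025-43300 pattern
            findings.append("SamplesPerPixel=2 but SOF3 exposes 1 component")
    end_data = max((o + c for o, c in zip(offs, cnts)), default=len(data))
    zip_off = max(data.rfind(b"PK\x05\x06"), data.rfind(b"PK\x03\x04"))
    if zip_off > end_data + 0x200:                               # LANDFALL-style appended ZIP
        findings.append(f"appended ZIP at 0x{zip_off:x}, past TIFF data end 0x{end_data:x}")
    return findings

def build_dng(spp, nf, appended=b""):
    """Constructed little-endian TIFF: one strip holding a minimal SOF3 header."""
    jpeg = (b"\xff\xd8\xff\xc3" + struct.pack(">HBHHB", 8 + 3 * nf, 16, 4, 4, nf)
            + bytes(3 * nf) + b"\xff\xd9")
    strip_off = 8 + 2 + 12 * 3 + 4                  # header + IFD (3 entries) + next-IFD pointer
    entries = [(TAG_STRIP_OFF, 4, 1, strip_off), (TAG_SPP, 3, 1, spp), (TAG_STRIP_CNT, 4, 1, len(jpeg))]
    ifd = struct.pack("<H", 3) + b"".join(struct.pack("<HHII", *e) for e in entries) + bytes(4)
    return b"II*\x00" + struct.pack("<I", 8) + ifd + jpeg + appended
```

For tiled DNGs, extend the region list with TileOffsets/TileByteCounts (tags 324/325) before computing `end_data`.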
HEIF/AVIF – libheif & libde265 (CVE‑2024‑41311, CVE‑2025‑29482, CVE‑2025‑65586)
Target: HEIF/AVIF containers parsed by libheif (and ImageIO/OpenImageIO builds that bundle it).
Structural signals:
- Overlay items (iloc/iref) whose source rectangles exceed the base image dimensions or whose offsets are negative/overflowing → triggers ImageOverlay::parse out‑of‑bounds (CVE‑2024‑41311).
- Grid items referencing non‑existent item IDs (ImageItem_Grid::get_decoder NULL deref, CVE‑2025‑43967) – easy structural check, no decoding required.
- SAO/loop‑filter parameters or tile counts that force table allocations larger than the max allowed by libde265 (CVE‑2025‑29482): overly large band counts or slice dimensions.
- Box length/extent sizes that point past EOF (typical in CVE‑2025‑65586 PoCs discovered via fuzzing).
Pseudo‑logic:
# HEIF overlay bounds check
for overlay in heif_overlays:
    if overlay.x < 0 or overlay.y < 0:
        mark_malicious("HEIF overlay negative offset")
    if overlay.x + overlay.w > base.w or overlay.y + overlay.h > base.h:
        mark_malicious("HEIF overlay exceeds base image (CVE‑2024‑41311 pattern)")

# Grid item reference validation
for grid in heif_grids:
    if any(ref_id not in item_ids for ref_id in grid.refs):
        mark_malicious("HEIF grid references missing item (CVE‑2025‑43967 pattern)")

# SAO / slice allocation guard
if sao_band_count > 32 or (tile_cols * tile_rows) > MAX_TILES or sao_eo_class not in range(4):
    mark_malicious("HEIF SAO/tiling exceeds safe bounds (CVE‑2025‑29482 pattern)")
Practical triage:
- Fast metadata inspection without full decoding:
  - heif-info sample.heic
  - oiiotool --info --stats sample.heic
- Validate extents against the file size:
  - heif-convert --verbose sample.heic /dev/null | grep -i extent
- Carve suspicious boxes for manual inspection:
  - dd if=sample.heic bs=1 skip=$((box_off)) count=$((box_len)) of=box.bin
Notes:
- These checks catch broken structure before heavy decoding; suitable for mail/MMS gateways that only need allow/block decisions.
- libheif bounds change between releases; re‑baseline constants when upstream changes (1.18.x → 1.21.x tightened overlay and grid validation).
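The "box length/extent sizes that point past EOF" signal and the extent validation step above can be checked without any decoding by walking the ISOBMFF box tree and comparing each declared size with the bytes actually available in its parent. The following is an added example (not code from the page, libheif or ElegantBouncer); the HEIF sample is constructed inline and the container‑box list is an assumption covering the boxes relevant to HEIF item metadata:

```python
import struct

CONTAINERS = {"moov", "trak", "mdia", "minf", "stbl", "iprp", "ipco", "dinf"}
FULL_CONTAINERS = {"meta"}     # FullBox: 4 bytes version/flags precede the children

def walk_boxes(data, start=0, end=None):
    """Yield (type, offset, declared_size, available_bytes) for every box, recursing into containers."""
    end = len(data) if end is None else end
    pos = start
    while pos + 8 <= end:
        size, btype = struct.unpack_from(">I4s", data, pos)
        hdr = 8
        if size == 1:                                   # 64-bit largesize follows the header
            size = struct.unpack_from(">Q", data, pos + 8)[0]; hdr = 16
        elif size == 0:                                 # box extends to the end of its parent
            size = end - pos
        btype = btype.decode("latin-1")
        yield btype, pos, size, end - pos
        if size < hdr:                                  # cannot even hold its own header
            return
        if btype in CONTAINERS or btype in FULL_CONTAINERS:
            skip = hdr + (4 if btype in FULL_CONTAINERS else 0)
            yield from walk_boxes(data, pos + skip, min(pos + size, end))
        pos += size

def find_bad_extents(data):
    """Boxes whose declared size runs past EOF / their parent, or is smaller than a header."""
    return [(t, off, size) for t, off, size, avail in walk_boxes(data) if size > avail or size < 8]

def box(btype, payload):
    """Constructed helper: a well-formed box with a 32-bit size."""
    return struct.pack(">I4s", 8 + len(payload), btype) + payload

# Constructed sample: a valid ftyp followed by a meta box that claims 1024 bytes
# but is followed by only 20 bytes of data before EOF.
SAMPLE_HEIF = (box(b"ftyp", b"heic" + bytes(4) + b"mif1")
               + struct.pack(">I4s", 0x400, b"meta") + bytes(20))
```

Run `find_bad_extents` over the whole file as a pre‑filter before `heif-info`; any hit is a reason to block without decoding.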
Implementation patterns and performance
A practical scanner should:
- Auto‑detect the file type and dispatch only the relevant analysers (PDF/JBIG2, WebP/VP8L, TTF, DNG/TIFF, HEIF/AVIF)
- Be designed for streaming/partial parsing to reduce memory allocation and allow early exit
- Run analysis in parallel (thread‑pool) for bulk triage
Example workflow with ElegantBouncer (open‑source Rust implementation of these checks):
# Scan a path recursively with structural detectors
$ elegant-bouncer --scan /path/to/directory
# Optional TUI for parallel scanning and real‑time alerts
$ elegant-bouncer --tui --scan /path/to/samples
DFIR notes and edge cases
- Embedded objects: PDFs can contain images (JBIG2) and fonts (TrueType); extract and scan them recursively
- Decompression safety: use libraries that enforce strict limits on tables/buffers before allocating memory
- False positives: keep rules conservative, prefer mismatches that are impossible under the spec
- Version drift: re‑baseline bounds (e.g., VP8L table sizes) when upstream parsers change their constraints
Related tools
- ElegantBouncer – structural scanner for the detections above
- pdfid/pdf-parser/peepdf – PDF object extraction and static analysis
- pdfcpu – PDF linter/sanitiser
- fontTools/ttx – dump TrueType tables and bytecode
- exiftool – read TIFF/DNG/EXIF metadata
- dwebp/webpmux – parse WebP metadata and chunks
- heif-info/heif-convert (libheif) – HEIF/AVIF structural inspection
- oiiotool – validate HEIF/AVIF via OpenImageIO
References
- ELEGANTBOUNCER: When You Can’t Get the Samples but Still Need to Catch the Threat
- ElegantBouncer project (GitHub)
- Researching FORCEDENTRY: Detecting the exploit with no samples
- Researching BLASTPASS – Detecting the exploit inside a WebP file (Part 1)
- Researching BLASTPASS – Analysing the Apple & Google WebP PoC file (Part 2)
- Researching TRIANGULATION – Detecting CVE‑2023‑41990 with single‑byte signatures
- CVE‑2025‑43300: Critical vulnerability found in Apple’s DNG image processing
- LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices
- CVE‑2024‑41311 analysis (libheif overlay OOB)
- CVE‑2025‑65586 libheif metadata iterator flaw