From f753f1179599693848d43b6e38671a9ba2381552 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Fri, 7 Nov 2025 12:47:10 +0000 Subject: [PATCH] Add content from: LANDFALL: New Commercial-Grade Android Spyware in Exploit Ch... --- ...tructural-file-format-exploit-detection.md | 42 +++++++++++++++++++ .../css-injection/less-code-injection.md | 7 +++- 2 files changed, 47 insertions(+), 2 deletions(-) diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md index 077cfe2f11d..c5cf18ae19c 100644 --- a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md +++ b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md 
@@ -131,6 +131,47 @@ Notes: --- +## DNG/TIFF – Samsung libimagecodec.quram.so (CVE‑2025‑21042) + Appended ZIP payload (LANDFALL) + +Target: DNG (TIFF‑derived) images carrying an embedded ZIP archive appended at EOF to stage native payloads after parser RCE. + +Structural signals: +- File magic indicates TIFF/DNG (`II*\x00` or `MM\x00*`) but filename mimics JPEG (e.g., `.jpg`/`.jpeg` WhatsApp naming). +- Presence of a ZIP Local File Header or EOCD magic near EOF (`PK\x03\x04` or `PK\x05\x06`) that is not referenced by any TIFF IFD data region (strips/tiles/`JPEGInterchangeFormat`). +- Unusually large trailing data beyond the last referenced IFD data block (hundreds of KB to MB), consistent with a bundled archive of .so modules. + +Pseudo‑logic: + +```pseudo +# Detect appended ZIP payload hidden after DNG/TIFF data (Samsung chain) +if is_tiff_dng(magic): + ext = file_extension() + if ext in {".jpg", ".jpeg"}: mark_suspicious("Extension/magic mismatch: DNG vs JPEG") + + zip_off = rfind_any(["PK\x05\x06", "PK\x03\x04"], search_window_last_n_bytes=8*1024*1024) + if zip_off >= 0: + end_dng = approx_end_of_tiff_data() # max(end of Strip/Tile/JPEGInterchangeFormat regions) + if zip_off > end_dng + 0x200: + mark_malicious("DNG with appended ZIP payload (LANDFALL‑style)") +``` + +Practical triage: +- Identify format vs name: + - file sample; exiftool -s -FileType -MIMEType sample +- Locate ZIP footer/header near EOF and carve: + - off=$(grep -aboa -E $'PK\x05\x06|PK\x03\x04' sample.dng | tail -n1 | cut -d: -f1) + - dd if=sample.dng of=payload.zip bs=1 skip="$off" + - zipdetails -v payload.zip; unzip -l payload.zip +- Sanity‑check TIFF data regions don’t overlap the carved ZIP region: + - tiffdump -D sample.dng | egrep 'StripOffsets|TileOffsets|JPEGInterchangeFormat|StripByteCounts|TileByteCounts|JPEGInterchangeFormatLength' + - Verify `max(offset+length) << zip_off` +- One‑shot carving (coarse): binwalk -eM sample.dng + +Notes: +- Exploited in the wild against Samsung’s 
libimagecodec.quram.so (CVE‑2025‑21042). The appended ZIP contained native modules (e.g., loader + SELinux policy editor) extracted/executed post‑RCE. + +--- + ## Implementation patterns and performance A practical scanner should: @@ -179,5 +220,6 @@ $ elegant-bouncer --tui --scan /path/to/samples - [Researching BLASTPASS – Analysing the Apple & Google WebP PoC file (Part 2)](https://www.msuiche.com/posts/researching-blastpass-analysing-the-apple-google-webp-poc-file-part-2/) - [Researching TRIANGULATION – Detecting CVE‑2023‑41990 with single‑byte signatures](https://www.msuiche.com/posts/researching-triangulation-detecting-cve-2023-41990-with-single-byte-signatures/) - [CVE‑2025‑43300: Critical vulnerability found in Apple’s DNG image processing](https://www.msuiche.com/posts/cve-2025-43300-critical-vulnerability-found-in-apples-dng-image-processing/) +- [LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices](https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/) {{#include ../../../banners/hacktricks-training.md}} \ No newline at end of file diff --git a/src/pentesting-web/xs-search/css-injection/less-code-injection.md b/src/pentesting-web/xs-search/css-injection/less-code-injection.md index b9d599deb30..6d338df2b68 100644 --- a/src/pentesting-web/xs-search/css-injection/less-code-injection.md +++ b/src/pentesting-web/xs-search/css-injection/less-code-injection.md @@ -1,4 +1,6 @@ -## LESS Code Injection leading to SSRF & Local File Read +# LESS Code Injection leading to SSRF & Local File Read + +{{#include ../../../banners/hacktricks-training.md}} LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used. 
@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \ * [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04) * [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/) -* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) \ No newline at end of file +* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258) +{{#include ../../../banners/hacktricks-training.md}}
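Review bot: in the "Practical triage" carving step of the DNG/TIFF hunk (@@ -131,6 +131,47 @@), `off=$(grep -aboa -E $'PK\x05\x06|PK\x03\x04' sample.dng | tail -n1 | cut -d: -f1)` selects the last `PK` match, which for any well-formed archive is the EOCD record (`PK\x05\x06`) at the very end, so `dd if=sample.dng of=payload.zip bs=1 skip="$off"` carves only the 22-byte trailer and `unzip -l payload.zip` will not list any entries. Carve from the first local file header that lies past the TIFF data instead, e.g. `off=$(grep -abo $'PK\x03\x04' sample.dng | head -n1 | cut -d: -f1)` after checking that `off` exceeds the `max(offset+length)` computed from the `tiffdump` output, or compute the archive start from the EOCD's central-directory offset field. The same ordering caveat applies to `rfind_any` in the pseudo-logic: it is adequate for flagging the file but not as a carve offset. `approx_end_of_tiff_data()` should also walk SubIFDs and the EXIF IFD, not just the strip/tile/`JPEGInterchangeFormat` regions of IFD0, because DNG preview images and MakerNote blobs legitimately sit outside those regions and would otherwise exceed the `+ 0x200` threshold as false positives. Minor: `-a` is given twice in `-aboa`, and `egrep` is deprecated in favour of `grep -E`.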
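Review bot: the context line after the new LANDFALL reference in the @@ -179,5 +220,6 @@ hunk still carries `\ No newline at end of file` on `{{#include ../../../banners/hacktricks-training.md}}`; since this hunk already touches the end of the file, add the trailing newline here, as the last hunk of the LESS page does for its own final line.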
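Review bot: the `-`/`+` pair on the `[CVE-2024-58258]` line in @@ -59,4 +61,5 @@ is byte-identical apart from the missing trailing newline, which is the right minimal fix, but together with the @@ -1,4 +1,6 @@ hunk the LESS page now includes `hacktricks-training.md` twice (directly under the new `#` title and after the references); confirm the double include is intended, since the visible hunk of the other file in this patch shows only the bottom one. Consider a blank line between the last reference bullet and the bottom `{{#include ...}}` so the include is not parsed as a lazy continuation of the final list item.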