Commit d9134a6

authored
Merge pull request #1559 from HackTricks-wiki/update_LANDFALL__New_Commercial-Grade_Android_Spyware_in__20251107_124244
LANDFALL New Commercial-Grade Android Spyware in Exploit Cha...
2 parents d59ea69 + f753f11 commit d9134a6

File tree

1 file changed

+42
-0
lines changed

src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md

Lines changed: 42 additions & 0 deletions
@@ -131,6 +131,47 @@ Notes:
131131

132132
---
133133

134+
## DNG/TIFF – Samsung libimagecodec.quram.so (CVE‑2025‑21042) + Appended ZIP payload (LANDFALL)
135+
136+
Target: DNG (TIFF‑derived) images carrying an embedded ZIP archive appended at EOF to stage native payloads after parser RCE.
137+
138+
Structural signals:
139+
- File magic indicates TIFF/DNG (`II*\x00` or `MM\x00*`) but filename mimics JPEG (e.g., `.jpg`/`.jpeg` WhatsApp naming).
140+
- Presence of a ZIP Local File Header or EOCD magic near EOF (`PK\x03\x04` or `PK\x05\x06`) that is not referenced by any TIFF IFD data region (strips/tiles/`JPEGInterchangeFormat`).
141+
- Unusually large trailing data beyond the last referenced IFD data block (hundreds of KB to MB), consistent with a bundled archive of .so modules.
142+
143+
Pseudo‑logic:
144+
145+
```pseudo
146+
# Detect appended ZIP payload hidden after DNG/TIFF data (Samsung chain)
147+
if is_tiff_dng(magic):
148+
ext = file_extension()
149+
if ext in {".jpg", ".jpeg"}: mark_suspicious("Extension/magic mismatch: DNG vs JPEG")
150+
151+
zip_off = rfind_any(["PK\x05\x06", "PK\x03\x04"], search_window_last_n_bytes=8*1024*1024)
152+
if zip_off >= 0:
153+
end_dng = approx_end_of_tiff_data() # max(end of Strip/Tile/JPEGInterchangeFormat regions)
154+
if zip_off > end_dng + 0x200:
155+
mark_malicious("DNG with appended ZIP payload (LANDFALL‑style)")
156+
```
157+
158+
Practical triage:
159+
- Identify format vs name:
160+
- file sample; exiftool -s -FileType -MIMEType sample
161+
- Locate ZIP footer/header near EOF and carve:
162+
- off=$(grep -aboa -E $'PK\x05\x06|PK\x03\x04' sample.dng | tail -n1 | cut -d: -f1)
163+
- dd if=sample.dng of=payload.zip bs=1 skip="$off"
164+
- zipdetails -v payload.zip; unzip -l payload.zip
165+
- Sanity‑check TIFF data regions don’t overlap the carved ZIP region:
166+
- tiffdump -D sample.dng | egrep 'StripOffsets|TileOffsets|JPEGInterchangeFormat|StripByteCounts|TileByteCounts|JPEGInterchangeFormatLength'
167+
- Verify `max(offset+length) << zip_off`
168+
- One‑shot carving (coarse): binwalk -eM sample.dng
169+
170+
Notes:
171+
- Exploited in the wild against Samsung’s libimagecodec.quram.so (CVE‑2025‑21042). The appended ZIP contained native modules (e.g., loader + SELinux policy editor) extracted/executed post‑RCE.
172+
173+
---
174+
134175
## Implementation patterns and performance
135176

136177
A practical scanner should:
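Review bot: the carving step in "Practical triage" will usually produce a truncated archive, because `tail -n1` selects the last `PK` match, which for a well-formed appended ZIP is the EOCD record (`PK\x05\x06`) a few dozen bytes before EOF, not the first local file header; `dd` then carves only that trailer. The same ambiguity is in the pseudo-logic, where `rfind_any` over both magics is fine for the distance check `zip_off > end_dng + 0x200` but should not be reused as the carve offset. Suggest carving from the first `PK\x03\x04` located after the computed end of TIFF data (e.g. `grep -abo $'PK\x03\x04' sample.dng | awk -F: -v e="$end_dng" '$1>e{print $1;exit}'`), and keeping the EOCD match only as the detection signal. Two smaller points in the same hunk: `dd ... bs=1` copies one byte per call and is very slow on multi-MB samples (`tail -c +$((off+1)) sample.dng > payload.zip` or `dd bs=1M iflag=skip_bytes skip="$off"` is equivalent and fast), and `-aboa` repeats the `-a` flag while `egrep` is deprecated in favour of `grep -E`. Finally, `approx_end_of_tiff_data()` should state that it walks every IFD reachable via the IFD chain, `SubIFDs` and the Exif IFD, since a DNG's largest strips typically live in a SubIFD rather than IFD0; otherwise `end_dng` is underestimated and benign trailing raw data trips the rule.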
@@ -179,5 +220,6 @@ $ elegant-bouncer --tui --scan /path/to/samples
179220
- [Researching BLASTPASS – Analysing the Apple & Google WebP PoC file (Part 2)](https://www.msuiche.com/posts/researching-blastpass-analysing-the-apple-google-webp-poc-file-part-2/)
180221
- [Researching TRIANGULATION – Detecting CVE‑2023‑41990 with single‑byte signatures](https://www.msuiche.com/posts/researching-triangulation-detecting-cve-2023-41990-with-single-byte-signatures/)
181222
- [CVE‑2025‑43300: Critical vulnerability found in Apple’s DNG image processing](https://www.msuiche.com/posts/cve-2025-43300-critical-vulnerability-found-in-apples-dng-image-processing/)
223+
- [LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices](https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/)
182224

183225
{{#include ../../../banners/hacktricks-training.md}}
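Review bot: the new section cites CVE‑2025‑21042 in its heading and notes, but the only reference added here is the Unit 42 LANDFALL write-up; consider adding the vendor advisory for that CVE next to it so the CVE attribution in the section has a primary source, matching how the other entries in this list pair a CVE with its post.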