
Commit f753f11

author
HackTricks News Bot
committed
Add content from: LANDFALL: New Commercial-Grade Android Spyware in Exploit Ch...
1 parent e862ee8 commit f753f11


2 files changed

+47
-2
lines changed


src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md

Lines changed: 42 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -131,6 +131,47 @@ Notes:
131131

132132
---
133133

134+
## DNG/TIFF – Samsung libimagecodec.quram.so (CVE‑2025‑21042) + Appended ZIP payload (LANDFALL)
135+
136+
Target: DNG (TIFF‑derived) images carrying an embedded ZIP archive appended at EOF to stage native payloads after parser RCE.
137+
138+
Structural signals:
139+
- File magic indicates TIFF/DNG (`II*\x00` or `MM\x00*`) but filename mimics JPEG (e.g., `.jpg`/`.jpeg` WhatsApp naming).
140+
- Presence of a ZIP Local File Header or EOCD magic near EOF (`PK\x03\x04` or `PK\x05\x06`) that is not referenced by any TIFF IFD data region (strips/tiles/`JPEGInterchangeFormat`).
141+
- Unusually large trailing data beyond the last referenced IFD data block (hundreds of KB to MB), consistent with a bundled archive of .so modules.
142+
143+
Pseudo‑logic:
144+
145+
```pseudo
146+
# Detect appended ZIP payload hidden after DNG/TIFF data (Samsung chain)
147+
if is_tiff_dng(magic):
148+
ext = file_extension()
149+
if ext in {".jpg", ".jpeg"}: mark_suspicious("Extension/magic mismatch: DNG vs JPEG")
150+
151+
zip_off = rfind_any(["PK\x05\x06", "PK\x03\x04"], search_window_last_n_bytes=8*1024*1024)
152+
if zip_off >= 0:
153+
end_dng = approx_end_of_tiff_data() # max(end of Strip/Tile/JPEGInterchangeFormat regions)
154+
if zip_off > end_dng + 0x200:
155+
mark_malicious("DNG with appended ZIP payload (LANDFALL‑style)")
156+
```
157+
158+
Practical triage:
159+
- Identify format vs name:
160+
- file sample; exiftool -s -FileType -MIMEType sample
161+
- Locate ZIP footer/header near EOF and carve:
162+
- off=$(grep -aboa -E $'PK\x05\x06|PK\x03\x04' sample.dng | tail -n1 | cut -d: -f1)
163+
- dd if=sample.dng of=payload.zip bs=1 skip="$off"
164+
- zipdetails -v payload.zip; unzip -l payload.zip
165+
- Sanity‑check TIFF data regions don’t overlap the carved ZIP region:
166+
- tiffdump -D sample.dng | egrep 'StripOffsets|TileOffsets|JPEGInterchangeFormat|StripByteCounts|TileByteCounts|JPEGInterchangeFormatLength'
167+
- Verify `max(offset+length) << zip_off`
168+
- One‑shot carving (coarse): binwalk -eM sample.dng
169+
170+
Notes:
171+
- Exploited in the wild against Samsung’s libimagecodec.quram.so (CVE‑2025‑21042). The appended ZIP contained native modules (e.g., loader + SELinux policy editor) extracted/executed post‑RCE.
172+
173+
---
174+
134175
## Implementation patterns and performance
135176

136177
A practical scanner should:
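Review bot: the carve step under "Practical triage" takes the last `PK` match (`| tail -n1`), which for an intact appended archive is the EOCD record `PK\x05\x06`, so `dd if=sample.dng of=payload.zip bs=1 skip="$off"` carves only the ~22-byte footer rather than the archive; the pseudo-logic's `rfind_any` has the same last-match bias. Carve instead from the first `PK\x03\x04` located beyond `end_dng` (e.g. `grep -aboa -E $'PK\x03\x04' sample.dng | awk -F: -v e="$end_dng" '$1>e{print $1; exit}'`), or derive the archive start from the EOCD's central-directory offset and size; `unzip -l sample.dng` on the whole file is a useful cross-check since unzip tolerates prepended data with a warning. Separately, `approx_end_of_tiff_data()` only considers Strip/Tile/`JPEGInterchangeFormat` regions, but DNGs legitimately reference late-file data from SubIFDs, the Exif IFD and tags such as `DNGPrivateData` and `OpcodeList1/2/3`, so the `end_dng + 0x200` rule as written will flag benign files; walk all IFDs (including SubIFDs) when computing the end of referenced data, and consider `mark_suspicious` rather than `mark_malicious` when the trailing bytes do not parse as a ZIP. Minor: `-aboa` repeats `-a`.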
@@ -179,5 +220,6 @@ $ elegant-bouncer --tui --scan /path/to/samples
179220
- [Researching BLASTPASS – Analysing the Apple & Google WebP PoC file (Part 2)](https://www.msuiche.com/posts/researching-blastpass-analysing-the-apple-google-webp-poc-file-part-2/)
180221
- [Researching TRIANGULATION – Detecting CVE‑2023‑41990 with single‑byte signatures](https://www.msuiche.com/posts/researching-triangulation-detecting-cve-2023-41990-with-single-byte-signatures/)
181222
- [CVE‑2025‑43300: Critical vulnerability found in Apple’s DNG image processing](https://www.msuiche.com/posts/cve-2025-43300-critical-vulnerability-found-in-apples-dng-image-processing/)
223+
- [LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices](https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/)
182224

183225
{{#include ../../../banners/hacktricks-training.md}}

src/pentesting-web/xs-search/css-injection/less-code-injection.md

Lines changed: 5 additions & 2 deletions
@@ -1,4 +1,6 @@
1-
## LESS Code Injection leading to SSRF & Local File Read
1+
# LESS Code Injection leading to SSRF & Local File Read
2+
3+
{{#include ../../../banners/hacktricks-training.md}}
24

35
LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.
46
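Review bot: promoting the page title from `##` to `#` and placing the `{{#include ...}}` banner directly beneath it matches the layout of the other page in this commit; check that no other `#` heading remains later in the file, otherwise the rendered page ends up with two top-level titles.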

@@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \
5961

6062
* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
6163
* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
62-
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
64+
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
65+
{{#include ../../../banners/hacktricks-training.md}}
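Review bot: the `-`/`+` pair on the `[CVE-2024-58258]` bullet is textually identical, so that part of the hunk is a line-ending or missing-final-newline change rather than a content change; that is fine, but confirm the file's EOL convention is unchanged so the diff stays minimal. The trailing banner include itself matches the placement used at the end of the other page in this commit.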
