Public
- Public
- Network
- Groups
- Featured
- Popular
- People

Notices by Ange (ange@mastodon.social)

Embed this notice
Ange (ange@mastodon.social)'s status on Wednesday, 18-Sep-2024 17:55:20 JST Ange

Some tools detect the EICAR file in Zip files by size and CRC so that it even detects it in password-protected zips without having the password.
This can of course lead to accidental or intentional FPs.

In conversation about 2 months ago from mastodon.social permalink
Embed this notice
Ange (ange@mastodon.social)'s status on Wednesday, 18-Sep-2024 17:55:19 JST Ange
in reply to

CRC-forging is also useful to collide arbitrary contents inside a ZIP archive. It makes possible re-usable and instant MD5 collisions for ZIP-based documents such as DOCX, XLSX, EPUB, XPS, 3MF.
https://speakerdeck.com/ange/inside-out-abusing-archive-file-formats
In conversation about 2 months ago from mastodon.social permalink
Attachments
1. Domain not in remote thumbnail source whitelist: files.speakerdeck.com
  
  Inside out - abusing archive file formats
  
  from Ange Albertini
  
  If a format structure isn't vulnerable, can that change once wrapped in an archive? File formats abuses depend on specific structure characteristics,…
Embed this notice
Ange (ange@mastodon.social)'s status on Wednesday, 18-Sep-2024 17:55:19 JST Ange
in reply to

Some even detect a CRC-colliding file if there's no password.
In conversation about 2 months ago from mastodon.social permalink
Attachments
1. A terminal showing a ZIP containing a file with the same CRC and size of the EICAR file but with different content.
  https://files.mastodon.social/media_attachments/files/113/157/571/019/168/588/original/824bea2d4d4e9fa5.png
2. That innocent ZIP is detected by 12 tools on VirusTotal.
  https://files.mastodon.social/media_attachments/files/113/157/576/859/868/109/original/5d1ad0266a70abf9.png
Embed this notice
Ange (ange@mastodon.social)'s status on Wednesday, 10-Jan-2024 05:41:53 JST Ange

An extreme example of a weird file construct, applicable to most formats:
a polymock, with fake file formats signatures at their correct offset.
In conversation about 11 months ago from mastodon.social permalink
Attachments
1. A polymock header, containing many standard signatures at their correct offset, such as Dos' MZ at offset 0, ARJ's 60EA at offset 2...
  https://files.mastodon.social/media_attachments/files/111/727/540/523/200/860/original/3d7a1255a2ab029d.png
Embed this notice
Ange (ange@mastodon.social)'s status on Friday, 30-Dec-2022 14:33:27 JST Ange

My file formats dissection repo should be now up-to-date.
https://github.com/corkami/pics/blob/master/binary/README.md#images
In conversation Friday, 30-Dec-2022 14:33:27 JST from mastodon.social permalink
Attachments
1. Untitled attachment
  https://files.mastodon.social/media_attachments/files/109/581/230/460/188/646/original/901a25f844982380.png
2. Untitled attachment
  https://files.mastodon.social/media_attachments/files/109/581/231/503/635/250/original/3acf381bb1eb1175.png
3. Untitled attachment
  https://files.mastodon.social/media_attachments/files/109/581/232/117/545/114/original/14ea8e0ec51f992f.png
4. Untitled attachment
  https://files.mastodon.social/media_attachments/files/109/581/232/511/805/107/original/2f047c448f9beaab.png
5. Domain not in remote thumbnail source whitelist: opengraph.githubassets.com
  
  pics/README.md at master · corkami/pics
  
  Posters, drawings... Contribute to corkami/pics development by creating an account on GitHub.

User actions

Corkami, CPS2Shock, PoC||GTFO, Sha1tered. Security engineer @ Google. He/him.

Tags

(None)

Following 0

Followers 0

Groups 0

Statistics

User ID: 82636

Member since: 30 Dec 2022

Notices: 5

Daily average: 0

Feeds

Atom