Expand Up @@ -131,6 +131,47 @@ Notes:

---

## DNG/TIFF – Samsung libimagecodec.quram.so (CVE‑2025‑21042) + Appended ZIP payload (LANDFALL)

Target: DNG (TIFF‑derived) images carrying an embedded ZIP archive appended at EOF to stage native payloads after parser RCE.

Structural signals:
- File magic indicates TIFF/DNG (`II*\x00` or `MM\x00*`) but filename mimics JPEG (e.g., `.jpg`/`.jpeg` WhatsApp naming).
- Presence of a ZIP Local File Header or EOCD magic near EOF (`PK\x03\x04` or `PK\x05\x06`) that is not referenced by any TIFF IFD data region (strips/tiles/`JPEGInterchangeFormat`).
- Unusually large trailing data beyond the last referenced IFD data block (hundreds of KB to MB), consistent with a bundled archive of .so modules.

Pseudo‑logic:

```pseudo
# Detect appended ZIP payload hidden after DNG/TIFF data (Samsung chain)
if is_tiff_dng(magic):
ext = file_extension()
if ext in {".jpg", ".jpeg"}: mark_suspicious("Extension/magic mismatch: DNG vs JPEG")

zip_off = rfind_any(["PK\x05\x06", "PK\x03\x04"], search_window_last_n_bytes=8*1024*1024)
if zip_off >= 0:
end_dng = approx_end_of_tiff_data() # max(end of Strip/Tile/JPEGInterchangeFormat regions)
if zip_off > end_dng + 0x200:
mark_malicious("DNG with appended ZIP payload (LANDFALL‑style)")
```

Practical triage:
- Identify format vs name:
- file sample; exiftool -s -FileType -MIMEType sample
- Locate ZIP footer/header near EOF and carve:
- off=$(grep -aboa -E $'PK\x05\x06|PK\x03\x04' sample.dng | tail -n1 | cut -d: -f1)
- dd if=sample.dng of=payload.zip bs=1 skip="$off"
- zipdetails -v payload.zip; unzip -l payload.zip
- Sanity‑check TIFF data regions don’t overlap the carved ZIP region:
- tiffdump -D sample.dng | egrep 'StripOffsets|TileOffsets|JPEGInterchangeFormat|StripByteCounts|TileByteCounts|JPEGInterchangeFormatLength'
- Verify `max(offset+length) << zip_off`
- One‑shot carving (coarse): binwalk -eM sample.dng

Notes:
- Exploited in the wild against Samsung’s libimagecodec.quram.so (CVE‑2025‑21042). The appended ZIP contained native modules (e.g., loader + SELinux policy editor) extracted/executed post‑RCE.

---

## Implementation patterns and performance

A practical scanner should:
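Review bot: the carve step in "Practical triage" selects the wrong offset: `grep -aboa -E $'PK\x05\x06|PK\x03\x04' sample.dng | tail -n1` returns the last match, which for any well-formed archive is the `PK\x05\x06` end-of-central-directory record, so `dd if=sample.dng of=payload.zip bs=1 skip="$off"` carves only that trailing record and `unzip -l payload.zip` fails on a multi-entry ZIP. Carve from the first `PK\x03\x04` that lies beyond the last TIFF data region instead (the same `zip_off > end_dng + 0x200` comparison the pseudo-logic already makes), or read the central-directory offset from the EOCD; `tail -c +$((off+1))` is also far faster than `dd bs=1` on a multi-MB trailer. Two smaller points: the `pseudo` block has lost its indentation in the diff (the bodies of `if is_tiff_dng(magic):` and `if zip_off >= 0:` are flush-left), and the CVE identifier in the heading and Notes is written with non-breaking hyphens (U+2011, `CVE‑2025‑21042`) rather than ASCII `-`, which breaks text search and copy/paste; use plain hyphens.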
Expand Down Expand Up @@ -179,5 +220,6 @@ $ elegant-bouncer --tui --scan /path/to/samples
- [Researching BLASTPASS – Analysing the Apple & Google WebP PoC file (Part 2)](https://www.msuiche.com/posts/researching-blastpass-analysing-the-apple-google-webp-poc-file-part-2/)
- [Researching TRIANGULATION – Detecting CVE‑2023‑41990 with single‑byte signatures](https://www.msuiche.com/posts/researching-triangulation-detecting-cve-2023-41990-with-single-byte-signatures/)
- [CVE‑2025‑43300: Critical vulnerability found in Apple’s DNG image processing](https://www.msuiche.com/posts/cve-2025-43300-critical-vulnerability-found-in-apples-dng-image-processing/)
- [LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices](https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/)

{{#include ../../../banners/hacktricks-training.md}}
@@ -1,4 +1,6 @@
## LESS Code Injection leading to SSRF & Local File Read
# LESS Code Injection leading to SSRF & Local File Read

{{#include ../../../banners/hacktricks-training.md}}

LESS is a popular CSS pre-processor that adds variables, mixins, functions and the powerful `@import` directive. During compilation the LESS engine will **fetch the resources referenced in `@import`** statements and embed ("inline") their contents into the resulting CSS when the `(inline)` option is used.

Expand Down Expand Up @@ -59,4 +61,5 @@ curl -sk "${TARGET}rest/v10/css/preview?baseUrl=1&lm=${INJ}" | \

* [SugarCRM ≤ 14.0.0 (css/preview) LESS Code Injection Vulnerability](https://karmainsecurity.com/KIS-2025-04)
* [SugarCRM Security Advisory SA-2024-059](https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)
{{#include ../../../banners/hacktricks-training.md}}
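Review bot: the reference list now contains the `* [CVE-2024-58258](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-58258)` entry twice, one directly below the other; drop one of the two identical lines. The trailing `{{#include ../../../banners/hacktricks-training.md}}` pairs with the banner include added at the top of this file and is fine.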