Merge branch 'HackTricks-wiki:master' into rustnotes

MustCodeAl · web-flow · commit b944de0d9a12 · 2026-02-20T23:04:13.000-06:00
diff --git a/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md b/src/generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md
@@ -90,7 +90,7 @@ Structural signals:
 Pseudo‑logic:
 
 ```pseudo
-# Flag undocumented TrueType opcodes leveraged by TRIANGULATION
+# Flag undocumented TrueType bytecode leveraged by TRIANGULATION
 switch opcode:
   case 0x8F, 0x90:
     mark_malicious("Undocumented TrueType bytecode")
@@ -172,10 +172,54 @@ Notes:
 
 ---
 
+## HEIF/AVIF – libheif & libde265 (CVE‑2024‑41311, CVE‑2025‑29482, CVE‑2025‑65586)
+
+Target: HEIF/AVIF containers parsed by libheif (and ImageIO/OpenImageIO builds that bundle it).
+
+Structural signals:
+- Overlay items (iloc/iref) whose source rectangles exceed the base image dimensions or whose offsets are negative/overflowing → triggers ImageOverlay::parse out‑of‑bounds (CVE‑2024‑41311).
+- Grid items referencing non‑existent item IDs (ImageItem_Grid::get_decoder NULL deref, CVE‑2025‑43967) – easy structural check, no decoding required.
+- SAO/loop‑filter parameters or tile counts that force table allocations larger than the max allowed by libde265 (CVE‑2025‑29482): overly large band counts or slice dimensions.
+- Box length/extent sizes that point past EOF (typical in CVE‑2025‑65586 PoCs discovered via fuzzing).
+
+Pseudo‑logic:
+
+```pseudo
+# HEIF overlay bounds check
+for overlay in heif_overlays:
+    if overlay.x < 0 or overlay.y < 0: mark_malicious("HEIF overlay negative offset")
+    if overlay.x + overlay.w > base.w or overlay.y + overlay.h > base.h:
+        mark_malicious("HEIF overlay exceeds base image (CVE‑2024‑41311 pattern)")
+
+# Grid item reference validation
+for grid in heif_grids:
+    if any(ref_id not in item_ids):
+        mark_malicious("HEIF grid references missing item (CVE‑2025‑43967 pattern)")
+
+# SAO / slice allocation guard
+if sao_band_count > 32 or (tile_cols * tile_rows) > MAX_TILES or sao_eo_class not in {0..3}:
+    mark_malicious("HEIF SAO/tiling exceeds safe bounds (CVE‑2025‑29482 pattern)")
+```
+
+Practical triage:
+- Quick metadata sanity without full decode:
+  - heif-info sample.heic
+  - oiiotool --info --stats sample.heic
+- Validate extents versus file size:
+  - heif-convert --verbose sample.heic /dev/null | grep -i extent
+- Carve suspicious boxes for manual inspection:
+  - dd if=sample.heic bs=1 skip=$((box_off)) count=$((box_len)) of=box.bin
+
+Notes:
+- These checks catch malformed structure before heavy decode; useful for mail/MMS gateways that only need allow/deny decisions.
+- libheif limits shift across versions; re‑baseline constants when upstream changes (1.18.x → 1.21.x tightened overlay and grid validation).
+
+---
+
 ## Implementation patterns and performance
 
 A practical scanner should:
-- Auto‑detect file type and dispatch only relevant analyzers (PDF/JBIG2, WebP/VP8L, TTF, DNG/TIFF)
+- Auto‑detect file type and dispatch only relevant analyzers (PDF/JBIG2, WebP/VP8L, TTF, DNG/TIFF, HEIF/AVIF)
 - Stream/partial‑parse to minimize allocations and enable early termination
 - Run analyses in parallel (thread‑pool) for bulk triage
 
@@ -208,6 +252,8 @@ $ elegant-bouncer --tui --scan /path/to/samples
 - fontTools/ttx – dump TrueType tables and bytecode
 - exiftool – read TIFF/DNG/EXIF metadata
 - dwebp/webpmux – parse WebP metadata and chunks
+- heif-info/heif-convert (libheif) – HEIF/AVIF structure inspection
+- oiiotool – validate HEIF/AVIF via OpenImageIO
 
 ---
 
@@ -221,5 +267,7 @@ $ elegant-bouncer --tui --scan /path/to/samples
 - [Researching TRIANGULATION – Detecting CVE‑2023‑41990 with single‑byte signatures](https://www.msuiche.com/posts/researching-triangulation-detecting-cve-2023-41990-with-single-byte-signatures/)
 - [CVE‑2025‑43300: Critical vulnerability found in Apple’s DNG image processing](https://www.msuiche.com/posts/cve-2025-43300-critical-vulnerability-found-in-apples-dng-image-processing/)
 - [LANDFALL: New Commercial-Grade Android Spyware in Exploit Chain Targeting Samsung Devices](https://unit42.paloaltonetworks.com/landfall-is-new-commercial-grade-android-spyware/)
+- [CVE‑2024‑41311 analysis (libheif overlay OOB)](https://www.wiz.io/vulnerability-database/cve/cve-2024-41311)
+- [CVE‑2025‑65586 libheif metadata iterator flaw](https://securityonline.info/cve-2025-65586-libheif-flaw-exposes-image-decoders-to-denial-of-service/)
 
 {{#include ../../../banners/hacktricks-training.md}}
