{"id":34477,"date":"2021-12-17T11:28:34","date_gmt":"2021-12-17T16:28:34","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=34477"},"modified":"2024-09-16T20:44:35","modified_gmt":"2024-09-17T00:44:35","slug":"forcedentry-imessage-zero-click-remote-code-execution","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2021\/12\/17\/forcedentry-imessage-zero-click-remote-code-execution\/","title":{"rendered":"FORCEDENTRY iMessage Zero-click Remote Code Execution"},"content":{"rendered":"

Ian Beer & Samuel Groß<\/a> (Hacker News<\/a>):<\/p>\n

Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.<\/p>

The vulnerability discussed in this blog post was fixed on September 13, 2021 in iOS 14.8<\/a> as CVE-2021-30860.<\/p>

[…]<\/p>

Using this “fake gif” trick, over 20 image codecs are suddenly part of the iMessage zero-click attack surface, including some very obscure and complex formats, remotely exposing probably hundreds of thousands of lines of code.<\/p><\/blockquote>\n

My question<\/a> answered: iMessage was calling into ImageIO from outside of the Blast Door sandbox.<\/p>\n

The CoreGraphics PDF parser doesn’t seem<\/em> to interpret javascript, but NSO managed to find something equally powerful inside the CoreGraphics PDF parser…<\/p>

[…]<\/p>

As mentioned above, the substitution based compression output is lossy. After a round of compression and decompression the rendered output doesn’t look exactly like the input. But JBIG2 also supports lossless compression as well as an intermediate “less lossy” compression mode. […] Rather than completely encoding the entire difference in one go, it can be done in steps, with each iteration using a logical operator (one of AND, OR, XOR or XNOR) to set, clear or flip bits. Each successive refinement step brings the rendered output closer to the original and this allows a level of control over the “lossiness” of the compression. The implementation of these refinement coding steps is very flexible and they are also able to “read” values already present on the output canvas.<\/p>

[…]<\/p>

The heap groom also places the current page’s backing buffer just below the undersized syms<\/code> buffer, such that when the page JBIG2Bitmap<\/code> is unbounded, it’s able to read and write its own fields[…]<\/p>

[…]<\/p>

JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own<\/em> computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations.<\/p><\/blockquote>\n\n

Matthew Green<\/a>:<\/p>\n

\n

I got to this part in the exploit description and it stopped being an exploit, became something more like art.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n