{"id":39201,"date":"2023-04-27T15:37:53","date_gmt":"2023-04-27T19:37:53","guid":{"rendered":"https:\/\/mjtsai.com\/blog\/?p=39201"},"modified":"2024-09-16T20:45:55","modified_gmt":"2024-09-17T00:45:55","slug":"zero-click-exploits-against-ios-16","status":"publish","type":"post","link":"https:\/\/mjtsai.com\/blog\/2023\/04\/27\/zero-click-exploits-against-ios-16\/","title":{"rendered":"Zero-Click Exploits Against iOS 16"},"content":{"rendered":"

Citizen Lab<\/a> (Hacker News<\/a>):<\/p>\n

\n

Our ensuing investigation led us to conclude that, in 2022, NSO Group customers widely deployed at least three iOS 15 and iOS 16 zero-click exploit chains against civil society targets around the world.<\/p>\n

NSO Group’s third and final known 2022 iOS zero-click, which we call “PWNYOURHOME<\/i><\/b>,<\/i>” was deployed against iOS 15 and iOS 16 starting in October 2022. It appears to be a novel two-step<\/i> zero-click exploit, with each step targeting a different<\/i> process on the iPhone. The first step targets HomeKit<\/i>, and the second step targets iMessage.<\/p>\n

[…]<\/p>\n

Logs from another PWNYOURHOME<\/i><\/b>-exploited device from the 2022 global target pool examined in the course of this investigation showed the homed<\/i> process decoding what appears to be an unusual NSKeyedUnArchiver<\/i> when it crashed.<\/p>\n<\/blockquote>\n

It sounds like Apple was not using NSSecureCoding<\/code>.<\/p>\n

Logs from yet another PWNYOURHOME<\/i><\/b>-exploited device from the 2022 target pool show that, following the homed<\/i> phase of PWNYOURHOME<\/i><\/b>, the phone downloaded PNG images from iMessage. Processing these images caused crashes in the MessagesBlastDoorService<\/i> process. These crashes give us glimpses of what the exploit was doing at various stages, and suggest that the exploit may have circumvented pointer authentication codes<\/a> (PAC) in some cases by repurposing PAC-valid pointers already present in memory, such as signed pointers to callback functions present in constant structs.<\/p><\/blockquote>\n\n

Bruce Schneier<\/a>:<\/p>\n

\n

One interesting bit is that Apple’s Lockdown Mode (part of iOS 16) seems to have worked to prevent infection.<\/p>\n<\/blockquote>\n\n

Zach Cutlip<\/a>:<\/p>\n

\n

What follows is a writeup of the kernel bugs NSO Group’s Pegasus spyware exploited in iOS 9, specifically versions 9.3.4 and earlier. The spyware was discovered and the vulnerabilities patched roughly six years ago.<\/p>\n<\/blockquote>\n\n

Previously:<\/p>\n