Researchers from Google Project Zero, together with colleagues from Apple Security Engineering and Architecture, have analysed in detail the FORCEDENTRY exploit, developed by the Israeli company NSO Group to compromise iOS devices. The results of their work were recently published on the project's official blog.
The report notes that the exploit is one of the most technically sophisticated tools the researchers have ever worked with. To deploy it, a specially crafted file with a GIF extension is delivered to the victim's device via iMessage; the file is used to construct a virtual processor out of roughly 70 thousand logic elements, which is then used to escape the sandbox. After that, the attackers gain full control over the victim's device, including remote code execution.
The exploit targets the vulnerability CVE-2021-30860, which Apple patched on September 13th with the release of iOS 14.8. A sample of the malware was provided for study by Citizen Lab staff. A notable feature of the exploit is that it requires no interaction from the victim, whereas many other surveillance tools activate only after the victim follows a malicious link. With FORCEDENTRY, the attacker does not need to send a phishing message at all.
The attack begins with a file bearing a GIF extension being sent to the victim's smartphone. On iOS, iMessage handles text and animated messages, and it automatically loops GIF animations for better viewing. Immediately upon receiving an animation, iMessage uses a special API to re-render the original file into a new one that will play in a loop when viewed.
A GIF extension, however, does not guarantee that the file is an animation. In fact, the attacker uses this extension to deliver a PDF file, which iMessage still attempts to process as an ordinary GIF, because the library used to determine the file format ignores the extension entirely. Inside the PDF are images in the JBIG2 format (an image compression format historically used in printers and copiers). JBIG2 compresses by dividing the image into elements and, where parts are sufficiently similar to one another, reusing a single element to display all of them.
Ultimately, the exploit uses an integer overflow to trigger a buffer overflow and then, out of the basic logical operations that JBIG2 applies when combining image elements in its stream, builds a virtual processor. More than 70,000 gates define the architecture of this virtual computer, with components such as registers and a full 64-bit adder and comparator used to find memory offsets and escape the sandbox. After that, the attackers gain complete control over the targeted device.
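As an added illustration of the bug class described above (integer overflow leading to an undersized buffer), and not code from the Project Zero post, the real decoder or the exploit, the constructed C model below sums the symbol counts of referenced JBIG2-style dictionaries the way a decoder would when sizing a symbol table. The structure, field names and limit are assumptions; the point is that the unchecked sum wraps to a small value while the checked version rejects the input.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model (not the real decoder): a JBIG2-style symbol
 * dictionary segment refers to earlier dictionaries, and the decoder
 * sums their symbol counts to size one table of symbol pointers. */
struct sym_dict {
    uint32_t num_syms;   /* symbols exported by this dictionary */
};

/* Buggy variant: an unchecked 32-bit sum silently wraps, so a table
 * sized from it is far smaller than the number of symbols that later
 * segments are then allowed to reference. */
uint32_t total_syms_unchecked(const struct sym_dict *refs, size_t n)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++)
        total += refs[i].num_syms;      /* wraps modulo 2^32 */
    return total;
}

/* Hardened variant: detect wrap-around before it happens and also
 * enforce a sane upper bound, rejecting the segment as malformed. */
#define MAX_TOTAL_SYMS (1u << 20)       /* assumed per-file limit */

int total_syms_checked(const struct sym_dict *refs, size_t n, uint32_t *out)
{
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (refs[i].num_syms > UINT32_MAX - total)
            return -1;                  /* sum would overflow */
        total += refs[i].num_syms;
    }
    if (total > MAX_TOTAL_SYMS)
        return -1;                      /* implausibly large */
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed malformed input: two referenced dictionaries whose
     * counts add up to just past 2^32. */
    struct sym_dict bad[2] = { { 0xFFFFFFF0u }, { 0x20u } };
    uint32_t checked = 0;
    printf("unchecked total: %u\n", total_syms_unchecked(bad, 2));        /* 16 */
    printf("checked result: %d\n", total_syms_checked(bad, 2, &checked)); /* -1 */
    return 0;
}
```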
Project Zero researchers promptly notified Apple of the issue. The fix for the vulnerability was included in iOS 14.8, released in September this year.