Project Zero: A Deep Dive Into an N.S.O. Zero-Click iMessage Exploit

Ian Beer and Samuel Groß of Google Project Zero:

Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

I won’t claim to understand all of this — pointer programming was never my forte — but the overall explanation here is very cogent, and easy to follow. Basically, NSO Group’s exploit involved sending an iMessage-using target a PDF file with a .gif file name extension. The PDF file contained an image in the semi-obscure JBIG2 format, a black-and-white format created for fax machines in the late 1990s. Apple’s image-processing code for JBIG2 streams had a buffer overflow bug. Then it gets a little eye-popping:

JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations. It’s not as fast as Javascript, but it’s fundamentally computationally equivalent.

The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream. It’s pretty incredible, and at the same time, pretty terrifying.

Tuesday, 21 December 2021