  • summary: they send a pdf that looks like a gif over imessage. that pdf is in turn a binary file that looks like a pdf. when the message is opened the phone tries to play this image, but since the file looks like a pdf, apple's pdf viewer is run with the jbig2 codec. because jbig2 is turing complete, with the code inside the file they build a hidden computer inside the phone and can access the user's data without the user knowing. it has also been called zero-click, but i don't think it's quite zero-click, because the user has to open imessage and the phone has to try to play that image.

    from reddit:

    "if you want a sense for how sophisticated these nation state developed exploits are, check out google project zero's writeup on the technical details of a version of the exploit an older version of the pegasus spyware from 2021 used. tl;dr:

    1. send the victim an imessage with a specially crafted "gif" attachment, which is not really a gif, but a pdf with a .gif extension.

    2. imessage thinks it's a gif though and uses its coregraphics apis to render it (so it'll auto-play and loop in your imessage app).

    3. because the actual binary content and headers are pdf, the coregraphics apis interpret it as a pdf, sending it to a pdf processing pipeline.

    4. the pdf makes use of an old, legacy compression / encoding format called jbig2. this codec is from the 1990s and practically nobody uses it, but ios' pdf libraries still support it.

    5. apple's jbig2 decoder implementation has an integer overflow bug, which the decoder then uses to allocate an undersized buffer, leading to a later buffer overflow.

    6. with some heap grooming, the buffer overflow can be used to overwrite vtable pointers on the heap in a limited way such that pointer authentication is still satisfied.

    7. with some more fine tuning, you have an arbitrary write primitive that can write anywhere in memory. but with aslr, you don't know the absolute memory addresses or offsets of the structures you want to overwrite to achieve general rce. and unlike in js, where you're running a scripting language that is capable of dynamic computation, in the jbig2 decoding step, you're just a stream of pdf data that is being decoded in a single pass. by the end of that single pass you need to have completed the exploit. but you don't know ahead of time what you need to write and to where.

    8. turns out the jbig2 compression format is turing complete, which means you can implement any computable function you want in it! i.e., you can define a pdf in the language of jbig2 such that decoding the pdf is equivalent to simulating a computer. so you can use the compression format itself to define a micro computer architecture by crafting your pdf glyphs to simulate logic gates, and then use those to build up a mini cpu, complete with registers and a basic arithmetic logic unit. once you have your microarchitecture running inside the language of jbig2, you can use it to run arbitrary computation, finally allowing you to do complex computation and complete the exploit.

    it's insane levels of sophistication and professional, expert engineering."
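the undersized-allocation pattern from item 5, as an added example written here (not apple's decoder and not code from the project zero writeup): a hypothetical bitmap header whose 32-bit width×height product wraps, next to the checked version that rejects it. bitmap_hdr_t, MAX_BITMAP_BYTES and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical policy limit for a single decoded bitmap (64 MiB). */
#define MAX_BITMAP_BYTES ((size_t)64 * 1024 * 1024)

/* Hypothetical header with attacker-controlled dimensions, standing in for
 * the size fields a codec reads from an untrusted stream. Not JBIG2's real
 * structures. */
typedef struct {
    uint32_t width;
    uint32_t height;
} bitmap_hdr_t;

/* Unsafe: width * height is computed in 32 bits, so a large pair wraps to a
 * tiny bit count, the buffer comes out undersized, and a later row-by-row
 * decode writes past its end. */
uint32_t unsafe_bitmap_bytes(const bitmap_hdr_t *h) {
    return (h->width * h->height + 7u) / 8u;
}

/* Hardened: detect wraparound explicitly, then apply the policy limit.
 * Returns false and leaves *out untouched when the size is rejected. */
bool safe_bitmap_bytes(const bitmap_hdr_t *h, size_t *out) {
    size_t bits;
    if (__builtin_mul_overflow((size_t)h->width, (size_t)h->height, &bits))
        return false;                    /* product does not fit in size_t */
    if (bits > SIZE_MAX - 7) return false;
    size_t bytes = (bits + 7) / 8;
    if (bytes > MAX_BITMAP_BYTES) return false;
    *out = bytes;
    return true;
}

/* Allocate only after the size has passed the checks; NULL means rejected. */
uint8_t *alloc_bitmap(const bitmap_hdr_t *h) {
    size_t bytes;
    if (!safe_bitmap_bytes(h, &bytes)) return NULL;
    return calloc(bytes, 1);
}

int main(void) {
    bitmap_hdr_t hostile = { 0x10000u, 0x10000u };  /* constructed: product wraps to 0 */
    printf("unsafe size: %u bytes\n", unsafe_bitmap_bytes(&hostile));
    printf("hardened alloc: %s\n", alloc_bitmap(&hostile) ? "accepted" : "rejected");
    return 0;
}
```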