NSO Group exploit emulates logic gates!

By: Doug S (foo.delete@this.bar.bar), December 17, 2021 11:36 am
Room: Moderated Discussions
Google Project Zero has a writeup of an investigation they did along with Apple engineers into NSO Group's zero-click iOS exploit (the one publicized in September) that was used to spy on dissidents and journalists. It is pretty fascinating - one can only guess the amount of man-hours that went into developing this!

The first stage of the exploit is of the type we're all too familiar with. In this case there was a bug in iMessage where a method that was intended to copy a GIF upon receipt did so by rendering it into a new GIF - and that rendering occurred outside of Apple's "BlastDoor" sandbox. Worse, any file ending in ".gif" was passed to this method, but the image renderer detected the type of image, so it worked on any image type. Thus, in this exploit, a PDF was provided with a .gif extension, which caused that to be rendered.

The second stage of the exploit leveraged a bug in open source JBIG2 code used inside Apple's PDF decoder which allowed a buffer overflow to access arbitrary memory. Perfect example of "legacy debt" since JBIG2 is functionally obsolete, but some very old PDF files won't render without it.

Since there was no way to run any code at this stage, the worst that could be done with this exploit would be to crash the phone - since the use of ASLR means you don't know what is where without the ability to search through memory for something specific.

In the third stage they solved the inability to run code by leveraging JBIG2's bitmap operations to emulate AND, OR, XOR and XNOR, which of course allows emulating NAND gates. They used 70,000(!) such operations to emulate a simple CPU with a 64-bit adder, which allowed searching through memory to find what they needed, and move on to the fourth and subsequent stages of the exploit, which eventually leveled up enough to take complete control of the phone.


Probably past due for software-based "sandboxes" to go the way of the dodo, and leverage hypervisors to enforce them properly. That's not perfect (it isn't as though exploits to escape a VM don't exist), but at least buffer overflows in user space would be limited in scope. Sure, there's a performance hit, but modern SoCs are so fast I don't think anyone would notice.
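Editor's added example (not part of Doug S's post, and not the exploit's code, Apple's code, or the JBIG2 decoder's code): a toy model of the trick described in the third stage above. JBIG2 region composition genuinely offers the combination operators OR, AND, XOR and XNOR (plus REPLACE) and places a region on the page at an (x, y) offset; the model below keeps only those mechanics. Everything else is an assumption for illustration: one-row bitmaps, a 64-pixel register (pixel i = bit i), NAND built as AND followed by XNOR against an all-zero page, and a ripple-carry adder built from that NAND alone. The op counter shows why a full CPU made this way runs to tens of thousands of operations.

```python
# Added illustration of the JBIG2 "compose" logic-gate trick. This is a
# simplified model, NOT the exploit's code and NOT a real JBIG2 decoder.
# Real JBIG2 facts used: region composition supports OR/AND/XOR/XNOR and
# places a region at an x/y offset. Assumed for illustration: one-row
# bitmaps, WIDTH-bit registers with pixel i = bit i (LSB first), the
# NAND-only gate library, and the compose-op counter.

WIDTH = 64  # assumed register width (one pixel per bit)

# The four combination operators the post mentions, as per-pixel functions.
COMPOSE_OPS = {
    "OR":   lambda d, s: d | s,
    "AND":  lambda d, s: d & s,
    "XOR":  lambda d, s: d ^ s,
    "XNOR": lambda d, s: 1 - (d ^ s),
}

OP_COUNT = {"compose": 0}  # number of primitive compose operations issued


def bitmap_from_int(value, width=WIDTH):
    """One-row bitmap: pixel i holds bit i of value (LSB at pixel 0)."""
    return [(value >> i) & 1 for i in range(width)]


def bitmap_to_int(bitmap):
    return sum(bit << i for i, bit in enumerate(bitmap))


def compose(dst, src, op, x_offset=0):
    """Model of JBIG2 region composition: combine src onto a copy of dst with
    the named operator, with src placed x_offset pixels to the right.
    Pixels that land outside the page are clipped, as a decoder would."""
    OP_COUNT["compose"] += 1
    fn = COMPOSE_OPS[op]
    out = list(dst)
    for x, s in enumerate(src):
        tx = x + x_offset
        if 0 <= tx < len(out):
            out[tx] = fn(out[tx], s)
    return out


def zeros(width=WIDTH):
    return [0] * width


# --- gate library: everything below is built from compose() only ---

def nand(a, b):
    """NAND in two compose ops: AND, then XNOR against an all-zero page (= NOT)."""
    return compose(zeros(len(a)), compose(a, b, "AND"), "XNOR")


def not_(a):
    return nand(a, a)


def and_(a, b):
    return not_(nand(a, b))


def or_(a, b):
    return nand(not_(a), not_(b))


def xor_(a, b):
    t = nand(a, b)
    return nand(nand(a, t), nand(b, t))


def shift_left(a, n=1):
    """Multiply by 2**n: place the bitmap n pixels to the right on a blank page.
    OR onto zeros is a plain copy; the top n bits fall off the page."""
    return compose(zeros(len(a)), a, "OR", x_offset=n)


def add(a, b):
    """Ripple-carry adder over whole-register bitmaps. Each round computes every
    bit's carry-out in parallel and shifts it into the next bit position; after
    WIDTH rounds the carry chain has settled. The result wraps mod 2**WIDTH."""
    width = len(a)
    propagate = xor_(a, b)   # positions that pass an incoming carry through
    generate = and_(a, b)    # positions that create a carry on their own
    carry = zeros(width)
    for _ in range(width):
        carry = shift_left(or_(generate, and_(carry, propagate)))
    return xor_(propagate, carry)


def emulated_add(x, y, width=WIDTH):
    """Add two ints using only bitmap gates; returns (sum, compose ops used)."""
    start = OP_COUNT["compose"]
    result = add(bitmap_from_int(x, width), bitmap_from_int(y, width))
    return bitmap_to_int(result), OP_COUNT["compose"] - start


if __name__ == "__main__":
    total, ops = emulated_add(0xDEADBEEF, 0xCAFEBABE)
    print(hex(total), "using", ops, "compose operations")
```

The point to take from the op counter: a single 64-bit addition already costs several hundred primitive compose operations once every gate is expressed through NAND, which is why a whole emulated CPU with a memory-search loop ends up at the scale the post quotes.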