If you're a technology enthusiast, you have probably heard of “one-click” malware. That is pretty scary stuff in its own right: one click on a carefully crafted link in an email or other text message, and you're infected. One-click malware has been around a long time, but there's something even worse today. It's zero-click malware, and that is exactly what the NSO Group's “FORCEDENTRY” exploit was.
From a user's perspective, all that was required to be hit by FORCEDENTRY was simply receiving a text message. You didn't have to click on any links, nor accept or approve anything. Once the user receives the message, they're infected with the Pegasus malware, which allows the remote operator to steal messages, photos, emails and calls, and even secretly record users.
That is not what happened here. Instead, the PDF contained a data stream in JBIG2 format. JBIG2 is a little-known image format from 2000 that was created for fax machines and scanners. Rather than compressing image data like JPEG, JBIG2 attempts to intelligently compress documents by replacing every occurrence of similar glyphs (that is, individual characters) with a single instance of each glyph. It is not doing OCR; it doesn't understand that the images are text. The algorithm is simply looking for similar-looking characters and replacing them with the first instance of that character.
So how do you get from “parsing an image for display” to “full-on remote code execution?” The devil is in the details of how the JBIG2 format works. JBIG2 has problems as a compression format. Documents scanned into the JBIG2 format can have characters replaced with similar-looking characters, like a 6 being turned into an 8, for example, which is a real problem for things like medical documents or construction blueprints. That issue led to it being banned in Germany and Switzerland. JBIG2 does have lossless and “less-lossy” modes, though, and it is the latter of those which led to this security hole.
As part of the less-lossy JBIG2 format, streams can contain instructions to manipulate the image data using logical operators, like AND, OR, XOR, or XNOR. Using these operators, you can easily form a NAND gate, which means you can perform any computing operation conceivable, but JBIG2 is a linear format: the Apple image parser is going to read out the data stream once and only once.
Constructing a NAND gate from AND and NOR gates. Image: Project Zero
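As an added illustration of the point above (this is a toy model written for this page, not Project Zero's analysis code or any part of the exploit), the Python below treats the page bitmap as a list of bits and the JBIG2 stream as a one-pass list of region compositions using only OR, AND, XOR and XNOR. From those four operators it builds copy, NAND and XOR "macros" and then a one-bit full adder, and checks the adder against ordinary integer addition. The flat cell layout, the constant-0 and constant-1 cells and the macro names are assumptions of the model, not features of the real format.

```python
# Added toy model (not Project Zero's or Apple's code). A JBIG2 region is
# composed onto the page bitmap with one combination operator: OR, AND, XOR or
# XNOR. The "page" here is a flat list of bits (an assumption; real pages are
# 2-D), and a "stream" is a linear list of (op, dst, src) steps, each doing
# page[dst] = op(page[dst], page[src]). The stream is read once, front to back.

OPS = {
    "OR":   lambda d, s: d | s,
    "AND":  lambda d, s: d & s,
    "XOR":  lambda d, s: d ^ s,
    "XNOR": lambda d, s: 1 - (d ^ s),
}

ZERO, ONE = 0, 1  # constant cells: page[0] is always 0, page[1] is always 1

def run_stream(page, stream):
    """Apply every composition in order, as a single-pass decoder would."""
    page = list(page)
    for op, dst, src in stream:
        page[dst] = OPS[op](page[dst], page[src])
    return page

# Gate "macros" expand to a few compositions; dst/a/b are page cell indices.
def copy(dst, src):
    return [("AND", dst, ZERO), ("OR", dst, src)]                 # dst = src
def nand(dst, a, b):
    return copy(dst, a) + [("AND", dst, b), ("XNOR", dst, ZERO)]  # dst = !(a & b)
def xor(dst, a, b):
    return copy(dst, a) + [("XOR", dst, b)]                        # dst = a ^ b

def add_bits(a, b, cin):
    """One-bit full adder built only from the four operators; returns (sum, carry)."""
    A, B, CIN, S, COUT, T1, T2, T3 = range(2, 10)
    page = [0, 1] + [0] * 8
    page[A], page[B], page[CIN] = a, b, cin
    stream = (xor(T1, A, B)          # t1 = a ^ b
              + xor(S, T1, CIN)      # sum = t1 ^ cin
              + nand(T2, A, B)       # t2 = !(a & b)
              + nand(T3, T1, CIN)    # t3 = !(t1 & cin)
              + nand(COUT, T3, T2))  # carry = !(t3 & t2) = (a & b) | (t1 & cin)
    out = run_stream(page, stream)
    return out[S], out[COUT]

def check_truth_table():
    """True if the emulated adder matches integer addition on all 8 inputs."""
    for a, b, cin in [(x >> 2 & 1, x >> 1 & 1, x & 1) for x in range(8)]:
        s, cout = add_bits(a, b, cin)
        if 2 * cout + s != a + b + cin:
            return False
    return True
```

Nothing in the stream ever branches or loops; every gate is just a few more compositions appended to the one linear list, which is the property the text is describing.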
The way you get around that is by exploiting a plain-jane buffer overflow vulnerability in the open-source Xpdf library that Apple uses to decode PDFs. This buffer overflow is the crux of the exploit, but it's not the clever part. After performing the buffer overflow, the JBIG2 stream is free to write to arbitrary memory. Using the binary operations built into the JBIG2 format, the hackers assemble a small virtual CPU in the phone's memory, and then use that to escape Apple's sandbox and pwn the phone.
In case it isn't clear, let's state it again: the JBIG2 format lacks scripting abilities, but combined with the buffer overflow flaw in Xpdf, it has the ability to “emulate circuits of arbitrary logic gates operating on arbitrary memory.” They cannot run code inside a JBIG2 image, but they can create a virtual processor in RAM and then run code on that processor.
Project Zero hasn't explained the details of how the virtual processor's operations escape Apple's sandbox around the image transcoding process, but whatever that exploit is, it is almost certainly not as incredible as what the hackers did to get that far in the first place.