Recently, security researchers from Google Project Zero analyzed the FORCEDENTRY exploit developed by the Israeli company NSO Group. It made it possible to jailbreak Apple devices without the owner's knowledge and install the Pegasus spyware. The researchers called FORCEDENTRY "one of the most technically sophisticated exploits" they have ever seen.
FORCEDENTRY exploited a vulnerability in Apple's iMessage service. As RUH8 explained, people send each other GIFs, and iMessage makes them loop forever. To do this it has to fix up a field in the GIF header, and in order not to damage the original file, iMessage makes a copy of it. But by mistake, instead of a plain copy, the image rendering code is called. So the malware slips in a PDF disguised as a GIF, and inside the PDF there is a JBIG2 image. JBIG2 is a graphics format for photocopiers. To keep files small, it cuts the picture into pieces; if the pieces, for example all the letters "a", are quite similar to each other, it uses a single glyph for all of them, like a typographic letter. To avoid errors, the format adds masks: the difference between the "similar" glyph and the one that actually needs to be reproduced. These corrections are applied to the glyph using AND, OR, XOR and XNOR operations.
The exploit authors then used an integer overflow to write past the buffer boundaries. As a result, they obtained two basic primitives for reading from and writing to arbitrary memory locations.
In short, it all works like this: the user receives a GIF that is really a PDF; iMessage tries to render it by mistake; it contains a picture in the copier format, which, through an integer overflow, can write to memory. Inside this "picture" there are seventy thousand blocks of logical operations that emulate a small computer. It finds the place in memory that needs to be patched in order to escape from the sandbox.
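The two ingredients described above, glyph refinement with AND/OR/XOR/XNOR and a size computation that can overflow, can be shown side by side with the checks a decoder needs. The following is an added example written for this article; it is not code from RUH8, Project Zero, NSO Group or any real JBIG2 decoder. It models a page bitmap and a glyph with one byte per pixel (real JBIG2 packs bits), computes the allocation size with overflow detection, and refuses any glyph placement that would land outside the page. All names (bitmap_t, bitmap_alloc, bitmap_compose, MAX_PIXELS) are hypothetical, and the 2x2 glyph in main() is constructed test data.

```c
/* Added example (not code from the article, RUH8 or Project Zero): a
 * minimal JBIG2-style glyph composer showing the two checks whose absence
 * the text describes. Dimensions come from an untrusted header, so the
 * allocation size is computed with overflow detection, and every glyph
 * placement is bounds-checked before the AND/OR/XOR/XNOR update is applied.
 * All names (bitmap_t, bitmap_alloc, bitmap_compose, MAX_PIXELS) are
 * hypothetical; pixels are stored one byte each for readability, whereas
 * real JBIG2 packs bits. Requires GCC or Clang for __builtin_mul_overflow. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef enum { OP_AND, OP_OR, OP_XOR, OP_XNOR } compose_op_t;

typedef struct {
    uint32_t w, h;  /* dimensions in pixels */
    uint8_t *px;    /* w*h bytes, each 0 or 1 */
} bitmap_t;

#define MAX_PIXELS ((size_t)1 << 28)  /* policy limit for header-supplied sizes */

/* Store w*h in *out. Returns -1 if the product wraps or exceeds MAX_PIXELS;
 * an unchecked w*h feeding an allocation is the kind of arithmetic an
 * integer overflow turns into an undersized buffer. */
static int safe_pixel_count(uint64_t w, uint64_t h, size_t *out) {
    size_t n;
    if (__builtin_mul_overflow(w, h, &n) || n > MAX_PIXELS) return -1;
    *out = n;
    return 0;
}

static bitmap_t *bitmap_alloc(uint32_t w, uint32_t h) {
    size_t n;
    if (safe_pixel_count(w, h, &n) != 0) return NULL;
    bitmap_t *b = malloc(sizeof *b);
    if (!b) return NULL;
    b->w = w;
    b->h = h;
    b->px = calloc(n ? n : 1, 1);  /* zeroed page: every pixel starts off */
    if (!b->px) { free(b); return NULL; }
    return b;
}

static void bitmap_free(bitmap_t *b) {
    if (b) { free(b->px); free(b); }
}

/* Apply glyph onto page at (x, y) with the chosen operator. Returns -1 and
 * touches no memory if any glyph pixel would fall outside the page; without
 * this check the loop below would write past the page buffer. */
static int bitmap_compose(bitmap_t *page, const bitmap_t *glyph,
                          uint32_t x, uint32_t y, compose_op_t op) {
    /* 64-bit sums so x + glyph->w cannot wrap around and slip past the check */
    if ((uint64_t)x + glyph->w > page->w || (uint64_t)y + glyph->h > page->h)
        return -1;
    for (uint32_t r = 0; r < glyph->h; r++) {
        for (uint32_t c = 0; c < glyph->w; c++) {
            uint8_t *d = &page->px[(size_t)(y + r) * page->w + (x + c)];
            uint8_t s = glyph->px[(size_t)r * glyph->w + c];
            switch (op) {
            case OP_AND:  *d &= s; break;
            case OP_OR:   *d |= s; break;
            case OP_XOR:  *d ^= s; break;
            case OP_XNOR: *d = (uint8_t)((*d ^ s) ^ 1); break;
            }
        }
    }
    return 0;
}

/* Number of set pixels, used to observe the effect of each operator. */
static size_t count_set(const bitmap_t *b) {
    size_t n = 0;
    for (size_t i = 0; i < (size_t)b->w * b->h; i++) n += b->px[i];
    return n;
}

int main(void) {
    bitmap_t *page = bitmap_alloc(8, 8);
    bitmap_t *glyph = bitmap_alloc(2, 2);
    if (!page || !glyph) return 1;
    memset(glyph->px, 1, 4);  /* constructed 2x2 all-on glyph */
    bitmap_compose(page, glyph, 6, 6, OP_OR);
    printf("set pixels after OR at (6,6): %zu\n", count_set(page));
    printf("placement at (7,7) rejected: %d\n",
           bitmap_compose(page, glyph, 7, 7, OP_OR) == -1);
    printf("oversized allocation rejected: %d\n",
           bitmap_alloc(1u << 20, 1u << 20) == NULL);
    bitmap_free(glyph);
    bitmap_free(page);
    return 0;
}
```

The two checks are deliberately separate: safe_pixel_count guards the allocation against a header whose width and height multiply to a wrapped or absurd value, while bitmap_compose guards each placement so that a glyph can never be composed past the page it was allocated for, whichever of the four operators is requested.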