FORCEDENTRY Exploit of NSO Group
Google’s Project Zero team has published an analysis of the FORCEDENTRY exploit that was used by NSO Group to infect target iPhones with its Pegasus spyware via iMessage. Originally first found in iPhone of an activist during March 2021.
This exploit is one of the most technically sophisticated exploits we’ve ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.
The resulting breakdown covers everything from iMessage’s built-in support for GIFs which Project Zero helpfully defines as “typically small and low quality animated images popular in meme culture” to a PDF parser that supports the relatively ancient JBIG2 image codec.
JBIG2 doesn’t have scripting capabilities, but when combined with a vulnerability, it does have the ability to emulate circuits of arbitrary logic gates operating on arbitrary memory. Using over 70,000 segment commands defining logical bit operations, they define a small computer architecture with features such as registers and a full 64-bit adder and comparator which they use to search memory and perform arithmetic operations.
NSO Group used an image codec that was made to compress black-and-white PDFs so it could get something “fundamentally computationally equivalent” to the programming language that allows web apps to function onto a target’s iPhone.
The bootstrapping operations for the sandbox escape exploit are written to run on this logic circuit and the whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream.
Apple patched FORCEDENTRY with the release of iOS 14.8 and included additional changes in iOS 15 to prevent similar attacks. But the worrying part isbreaking up its technical analysis into two blog posts, and it says the second isn’t finished yet.