Back in June of this year, Apple discovered the “Operation Triangulation” vulnerability in the iOS 16.5.1 release.
Today, Kaspersky Lab detailed this iOS attack for the first time: it gives the attackers access to the device and to all of the user's data, starting from nothing more than an iMessage. Security researchers Boris Larin, Leonid Bezverchenko and Georgy Kucherin explained what the malware is and how it works.
The attack chains four zero-day vulnerabilities. Here is what it looked like, step by step:
1. The attackers send a malicious iMessage attachment, which the app processes without any user interaction.
2. The attachment exploits a remote code execution vulnerability, CVE-2023-41990, in the undocumented ADJUST TrueType font instruction, which exists only on Apple devices. The instruction had been present since the early 1990s and was removed in the patch that was released.
3. The exploit uses return- and jump-oriented programming techniques and runs in several stages written in the NSExpression/NSPredicate query language. It patches the JavaScriptCore library environment so that a privilege-escalation exploit written in JavaScript can run.
4. The JavaScript exploit is obfuscated to make it completely unreadable and to minimize its size. It is about 11,000 lines of code, mostly devoted to JavaScriptCore and kernel memory manipulation.
5. The exploit uses DollarVM ($vm), a JavaScriptCore debugging feature, to manipulate JavaScriptCore memory from the script and to call native API functions.
6. The exploit is designed to run on both old and new iPhones and includes a Pointer Authentication Code (PAC) bypass so that it also works on newer models.
It exploits an integer overflow vulnerability, CVE-2023-32434, in the XNU kernel's memory-mapping system calls. This gives user-level read/write access to the device's entire physical memory.
To bypass the Page Protection Layer (PPL), the exploit uses hardware memory-mapped I/O (MMIO) registers. This issue was addressed as CVE-2023-38606.
7. At this point the exploit has full control of the phone and could launch the spyware directly. Instead, the attackers did something different: they launched the IMAgent process and injected a payload into it that erased traces of the exploitation from the device, and they launched a Safari process in the background and redirected it to a special site that serves the next stage.
8. This site contains a script that verifies the victim; if the checks pass, it delivers the next stage, an exploit for Safari. That exploit uses CVE-2023-32435 to execute shellcode.
9. The shellcode launches another kernel exploit, in the form of a Mach object file. It exploits the same vulnerabilities, CVE-2023-32434 and CVE-2023-38606.
Most of its code is devoted to reading and manipulating kernel memory. It also contains various utilities for working with the already compromised device, most of which went unused.
10. The exploit gains root privileges and proceeds to execute further stages that download the surveillance software onto the user's device.
The researchers noted that they have reverse-engineered almost “every aspect of this attack chain” and will publish more papers detailing each vulnerability in 2024. [9to5]
Source: Iphones RU