zero-click iMessage exploit
The image files tricked the iPhone into giving access to its entire memory, bypassing security and allowing the installation of spyware that would steal a user’s messages. - HN / Project Zero
-
iMessage has a feature to send and receive GIFs
-
These GIFs are copied to a specific path early in the message processing pipeline (even before the message is displayed)
-
But the copy code doesn't just copy the GIF. It uses the CoreGraphics APIs to render the image to a new GIF file at the destination path.
-
The code uses the ImageIO lib to guess the image format, ignoring the .gif file extension. So you can trick this code into accepting a non-GIF file.
-
You can use the above to invoke one of over 20 image codecs that were not intended to be invoked in this code, including the CoreGraphics PDF parser.
-
The CoreGraphics PDF parser has a very specific vulnerability in its JBIG2 image codec.
-
JBIG2 takes an image of text, identifies repeating glyphs and uses that fact for better compression. To avoid confusing slightly differing glyphs in things like images of poor quality prints (think e and é, or 3 and 8), it has a way of applying a diff over each instance of an identified repeating glyph.
-
This logic has an integer overflow bug: the 'number of symbols' variable is a 32-bit integer, which a carefully crafted file can overflow. Now the attacker can make the buffer allocated for the symbols much smaller than intended.
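As an added illustration (not code from the Project Zero writeup or from CoreGraphics), here is a simplified model of that overflow: per-segment symbol counts are summed into a 32-bit total that sizes a table, once unchecked and once with overflow checking. The segment counts, the MAX_SYMBOLS cap and all function names are constructed for this example.

```c
/* Added illustration, not code from the Project Zero writeup or CoreGraphics:
 * a simplified model of the 32-bit symbol-count overflow described above.
 * Segment counts, MAX_SYMBOLS and all names here are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

#define MAX_SYMBOLS 100000u   /* hypothetical sanity cap, not a JBIG2 constant */

/* Unchecked sum: the 32-bit accumulator wraps modulo 2^32, so a crafted file
 * gets a symbol table sized for far fewer symbols than it later references. */
uint32_t count_symbols_unchecked(const uint32_t *per_segment, size_t nseg) {
    uint32_t total = 0;
    for (size_t i = 0; i < nseg; i++)
        total += per_segment[i];      /* silently wraps */
    return total;
}

/* Hardened sum: reject the file on any wrap or on an implausible total, so
 * the table is always at least as large as the number of symbols counted. */
int count_symbols_checked(const uint32_t *per_segment, size_t nseg, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < nseg; i++) {
        if (__builtin_add_overflow(total, per_segment[i], &total))
            return -1;                /* wrapped: malformed or hostile file */
        if (total > MAX_SYMBOLS)
            return -1;                /* larger than any sane symbol dictionary */
    }
    *out = total;
    return 0;
}

/* Constructed inputs. The crafted counts really sum to 2^32 + 16, so the
 * unchecked total wraps to 16; the benign counts sum to 300. */
static const uint32_t crafted[] = { 0xFFFFFFF0u, 0x20u };
static const uint32_t benign[]  = { 100u, 200u };
uint32_t scratch;                     /* receives the checked total */

int main(void) {
    printf("unchecked table size: %u symbols (file really declares %llu)\n",
           count_symbols_unchecked(crafted, 2),
           (unsigned long long)crafted[0] + crafted[1]);
    printf("checked parse of crafted file: %s\n",
           count_symbols_checked(crafted, 2, &scratch) == 0 ? "accepted" : "rejected");
    return 0;
}
```

The unchecked path reports a 16-entry table for a file that declares over four billion symbols; the checked path rejects the same input before any allocation happens.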
-
Making a long story short, this allows overwriting heap memory, setting arbitrary values in the objects used in the JBIG2 logic.
-
The JBIG2 logic uses AND, OR, XOR and XNOR operations when iterating through these objects (to apply the ‘diff’ on glyphs). The attacker can craft a file that strings together these logic operations so that it basically forms a software logic circuit.
-
So this exploit basically emulates a computer architecture inside an image codec, which can be used to operate on arbitrary memory!