NSO zero-click exploit: Turing complete CPU in image file



Researchers reverse-engineered NSO Group’s new zero-click iPhone exploit, part of the Pegasus spyware suite. And it’s bullshit: people use words like “terrifying,” “alarming,” “dangerous,” “strange,” “amazing,” “impressive,” “brilliant” and “ridiculous”.

But what would Alan Turing think? Google Project Zero invoked his eponymous notion of “completeness” to describe the most bizarre aspect of this malware, called FORCEDENTRY: it actually implements a Turing-complete virtual machine inside an image file.

It abuses a parser for JBIG2, an outdated file format. In today’s SB Blogwatch, we wonder what other nasties are lurking in unmaintained, older open source code.

Your humble blog watcher has curated these bloggy pieces for your entertainment. Not to mention: Al I at o Crsms.

SEAR + GP0 vs. NSO

What’s the craic? Nathaniel Mott reports, “Project Zero goes deep into FORCEDENTRY”:

A technical analysis of the FORCEDENTRY exploit, [which] was used by the NSO Group to infect target iPhones with their Pegasus spyware via iMessage. … Google’s Project Zero … says it analyzed FORCEDENTRY after Citizen Lab, with the support of Apple’s Security Engineering and Architecture (SEAR) Group, shared a sample of the exploit.

The NSO Group used an image codec designed to compress black and white PDFs to create something “computationally equivalent” to the programming language that enables web apps to work on a target’s iPhone. … Project Zero says, “It’s pretty incredible and pretty terrifying at the same time.”

Remind me? Anthony Bouchard reminds us, “Detailed report on FORCEDENTRY Zero-Click”:

“Even more alarming”
The iOS & iPadOS 14.8 update that Apple brought to market in mid-September was more than just a feature update. It also [fixed] a fairly dangerous zero-click iMessage exploit called FORCEDENTRY (CVE-2021-30860).

The FORCEDENTRY exploit was bundled in spyware commonly known today as Pegasus and effectively took advantage of a bug in CoreGraphics to bypass the BlastDoor iMessage protection of iOS and iPadOS 14. … More alarming is the realization that by receiving a maliciously crafted PDF document, a victim could have been exposed to remote execution of arbitrary code.

Horse’s mouth? Ian Beer and Samuel Groß, “A deep dive into an NSO zero click”:

“Strange, emulated environment”
The first entry point for Pegasus on iPhone is iMessage. This means that a victim can be attacked using only their phone number or AppleID.

Just because the source filename has to end in .gif doesn’t mean it’s really a GIF. … With this “fake gif” trick, suddenly over 20 image codecs are part of iMessage’s zero-click attack surface, including some very obscure and complex formats [including] the JBIG2 implementation … whose source code is freely available. … The weak point is a classic integer overflow when collecting referenced segments. … syms indicates an undersized buffer [then] the bunch is so well cared for that the first few copy off the end … corrupt the GList buffer storage.

[This] compression format is Turing-complete! … It is possible to … logical operators … to use the memory at any offsets outside the limits. … With the available logical operators AND, OR, XOR and XNOR you can actually calculate any computable function. … So why not just use it to build your own computer architecture and write the script!? This is exactly what this exploit does.

They define a small computer architecture with features like registers and a full 64-bit adder and comparator. … It’s all in this weird, emulated environment, created from a single decompression pass through a JBIG2 stream.
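To make the quoted claim concrete, here is a small added model (written for this post, not Project Zero’s code and not the exploit’s bytecode) of how JBIG2’s region-composition operators alone give you arithmetic. A “page” holds named 64-bit rows standing in for registers, `compose()` is the only primitive that changes them (an operator applied at a column offset, as a region segment is composed onto the page bitmap), and `add()`/`equal()` build the adder and comparator the article mentions from nothing but `compose()` calls. The register names and the row-based layout are assumptions of the model.

```python
"""Toy model of why JBIG2 region composition is Turing-complete.

JBIG2 composes each region onto the page bitmap with OR, AND, XOR, XNOR
or REPLACE at an (x, y) offset.  A Page below is a set of named 64-bit
rows ('registers'); compose() is the only primitive that modifies them.
Constructed model for illustration, not JBIG2 decoder or exploit code.
"""
WIDTH = 64
OPS = {"OR": lambda d, s: d | s, "AND": lambda d, s: d & s,
       "XOR": lambda d, s: d ^ s, "XNOR": lambda d, s: 1 - (d ^ s),
       "REPLACE": lambda d, s: s}

class Page:
    def __init__(self, width=WIDTH):
        self.width, self.reg = width, {}

    def load(self, name, value):          # bit i of value -> column i
        self.reg[name] = [(value >> i) & 1 for i in range(self.width)]

    def value(self, name):
        return sum(b << i for i, b in enumerate(self.reg[name]))

    def compose(self, dst, src, op, dx=0):
        """Composite row `src` onto row `dst`, shifted dx columns towards
        the high bits; bits pushed off the page are dropped (carry-out)."""
        d, s, f = self.reg[dst], list(self.reg[src]), OPS[op]
        for i in range(self.width):
            d[i] = f(d[i], s[i - dx] if 0 <= i - dx < self.width else 0)

def add(page, a, b, out="SUM"):
    """out = (a + b) mod 2**width.  Each round: SUM ^= CARRY and
    CARRY = (SUM & CARRY) << 1; `width` rounds always clear the carry."""
    page.load(out, 0); page.compose(out, a, "OR")        # SUM   := A
    page.load("C", 0); page.compose("C", b, "OR")        # CARRY := B
    for _ in range(page.width):
        page.load("T", 0); page.compose("T", out, "OR")  # T := SUM
        page.compose("T", "C", "AND")                    # T := SUM AND CARRY
        page.compose(out, "C", "XOR")                    # SUM := SUM XOR CARRY
        page.load("C", 0); page.compose("C", "T", "OR", dx=1)  # CARRY := T<<1
    return page.value(out)

def equal(page, a, b):
    """1 if a == b: XNOR gives an all-ones row iff equal, then AND-fold
    the row into its top bit with shifts of 1, 2, 4, ... columns."""
    page.load("E", 0); page.compose("E", a, "OR")
    page.compose("E", b, "XNOR")
    shift = 1
    while shift < page.width:
        page.compose("E", "E", "AND", dx=shift)   # E[i] &= old E[i-shift]
        shift *= 2
    return page.reg["E"][page.width - 1]
```

Every step is an operator plus an offset, which is all a decoder gives a JBIG2 stream; the exploit’s architecture is the same idea carried to registers, a 64-bit adder and control flow.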

Turing completed? ELI5. Jonas Bučinskas explains as if I were five (-ish):

“A question”
Pretty amazing and terrifying stuff. You built a damn computer in a compromised renderer.

I’m sure most script kiddies only have one question on their mind: can this computer do Doom?

Wait. Pause. Say that again? JustAnotherOldGuy sounds impressed:

A virtual CPU created from custom Boolean pixel operations.

That’s some impressive ****. It is really brilliant.

But how is that possible? Hold my beer, says Luke McCarthy:

“It’s very easy”
File formats are a type of programming language. You have a grammar, and when you start adding functionality beyond a literal representation of data it’s very easy to accidentally make it Turing-complete.

With a thought experiment, it’s Joe Rozner, @JRozner:

“I have this crazy idea”
That’s ridiculous as hell. I wonder how the meeting was where someone shared the mistake and said, “Now listen to me, I have this crazy idea how to actually use this.”

How can you protect yourself against this? Sounds like a job for a fuzzer, thinks Phantom five:

“Mathematically complex”
Code for analyzing images should always be tested very well as it is a fertile source of exploits. The reason for this is that it is mathematically complex and not always obvious when a buffer overflows.

In the meantime, Citizen Lab’s John Scott-Railton, @JSRailton, has the final say:

This type of ability was previously only seen with top-tier cyber power. Should send a chill down your spine.

Emphasizes how dangerous NSO and colleagues are.

And finally:

Sloths make me happy

[Don’t turn on closed captions if easily offended]

Previously in And finally

You have been reading SB Blogwatch by Richi Jennings. Richi curates the best blogs, the best forums, and the craziest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.
