{"uuid": "f24058de-20a6-4d0b-b5ea-f0f9dc41b0fd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2023-32435", "type": "exploited", "source": "https://t.me/alexmakus/5221", "content": "Kaspersky Lab specialists describe \u00abOperation Triangulation\u00bb, in which a chain of 4 zero-day vulnerabilities in iOS made it possible to build an exploit that required no user interaction:\n\n \u2022 Attackers send a malicious iMessage attachment, which the application processes without showing any signs to the user.\n \u2022 This attachment exploits the remote code execution vulnerability CVE-2023-41990 in the undocumented, Apple-only ADJUST TrueType font instruction. This instruction had existed since the early nineties before a patch removed it.\n \u2022 It uses return/jump oriented programming and multiple stages written in the NSExpression/NSPredicate query language, patching the JavaScriptCore library environment to execute a privilege escalation exploit written in JavaScript.\n \u2022 This JavaScript exploit is obfuscated to make it completely unreadable and to minimize its size. Still, it has around 11,000 lines of code, which are mainly dedicated to JavaScriptCore and kernel memory parsing and manipulation.\n \u2022 It exploits the JavaScriptCore debugging feature DollarVM ($vm) to gain the ability to manipulate JavaScriptCore\u2019s memory from the script and execute native API functions.\n \u2022 It was designed to support both old and new iPhones and included a Pointer Authentication Code (PAC) bypass for exploitation of recent models.\n \u2022 It uses the integer overflow vulnerability CVE-2023-32434 in XNU\u2019s memory mapping syscalls (mach_make_memory_entry and vm_map) to obtain read/write access to the entire physical memory of the device at user level.\n \u2022 It uses hardware memory-mapped I/O (MMIO) registers to bypass the Page Protection Layer (PPL). This was mitigated as CVE-2023-38606.\n \u2022 After exploiting all the vulnerabilities, the JavaScript exploit can do whatever it wants to the device including running spyware, but the attackers chose to: (a) launch the IMAgent process and inject a payload that clears the exploitation artefacts from the device; (b) run a Safari process in invisible mode and forward it to a web page with the next stage.\n \u2022 The web page has a script that verifies the victim and, if the checks pass, receives the next stage: the Safari exploit.\n \u2022 The Safari exploit uses CVE-2023-32435 to execute a shellcode.\n \u2022 The shellcode executes another kernel exploit in the form of a Mach object file. It uses the same vulnerabilities: CVE-2023-32434 and CVE-2023-38606. It is also massive in terms of size and functionality, but completely different from the kernel exploit written in JavaScript. Certain parts related to exploitation of the above-mentioned vulnerabilities are all that the two share. Still, most of its code is also dedicated to parsing and manipulation of the kernel memory. It contains various post-exploitation utilities, which are mostly unused.\n \u2022 The exploit obtains root privileges and proceeds to execute other stages, which load spyware. We covered these stages in our previous posts.\n\nhttps://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/", "creation_timestamp": "2023-12-28T03:17:18.000000Z"}