NSO Zero-Click Exploit: Turing-Complete CPU in Image File
Researchers have reverse engineered NSO Group’s recent zero-click iPhone exploit from the Pegasus spyware suite. And it’s a doozy: people use words like “terrifying”, “alarming”, “dangerous”, “strange”, “incredible”, “impressive”, “brilliant” and “ridiculous”.
But what would Alan Turing think? Google Project Zero has invoked its eponymous “completeness” theory to describe the most bizarre aspect of this malware, dubbed FORCEDENTRY. It actually implements a Turing-complete virtual machine in an image file.
It lives inside a parser for JBIG2, an obsolete file format. In today’s SB Blogwatch, we wonder what other bad guys lurk in unmaintained legacy open source code.
Your humble blogwatcher has curated these blog bits for your entertainment. Not forgetting: All I Want for Christmas.
SEAR+GP0 versus NSO
What’s the craic? Nathaniel Mott reports—”Project Zero Goes Deep on FORCEDENTRY”:
A technical analysis of the FORCEDENTRY exploit, [which] was used by the NSO Group to infect target iPhones with its Pegasus spyware via iMessage… says, “We believe this is one of the most technically sophisticated exploits we have ever seen.” … Google’s Project Zero … says it analyzed FORCEDENTRY after Citizen Lab shared a sample of the exploit with help from Apple’s Security Engineering and Architecture (SEAR) group.
NSO Group used an image codec designed to compress black-and-white PDFs into something “fundamentally computationally equivalent” to the programming language that allows web apps to run on the iPhone of a target. … Project Zero says, “It’s pretty amazing, and at the same time, pretty terrifying.”
Call me back? Anthony Bouchard reminds us—”In-depth briefing on FORCEDENTRY zero-click”:
“Even more alarming”
The iOS and iPadOS 14.8 update Apple rolled out in mid-September was more than just a feature update. This too [fixed] a significantly dangerous no-click iMessage exploit called FORCEDENTRY (CVE-2021-30860).
The FORCEDENTRY exploit was embedded in spyware now commonly referred to as Pegasus, and it effectively used a bug in CoreGraphics to bypass the BlastDoor iMessage protections of iOS and iPadOS 14. …Even more alarming is the realization that in receiving a maliciously crafted PDF document, a victim could have been left open to remote arbitrary code execution.
The horse’s mouth? Ian Beer and Samuel Groß—”A deep dive into zero-click NSO”:
“Strange and emulated environment”
Pegasus’ initial entry point on iPhone is iMessage. This means that a victim can be targeted simply by using their phone number or Apple ID.
Just because the source file name must end in .gif doesn’t mean it’s really a GIF. …using this “fake gif” trick suddenly over 20 image codecs become part of iMessage’s no-click attack surface, including some very obscure and complex formats [including] the JBIG2 implementation… whose source code is freely available. … The vulnerability is a typical integer overflow when assembling referenced segments. … Syms points to a buffer that is too small [then] the heap is groomed in such a way that the first writes off the end… corrupt the GList backing buffer.
[This] compression format is Turing-complete! … It is possible to apply … logical operators … on memory at arbitrary out-of-bounds offsets. …with only the logical operators AND, OR, XOR and XNOR available, you can actually calculate any computable function. … So why not just use it to create your own computer architecture and script it!? That’s exactly what this exploit does.
They define a small computer architecture with features like registers and a full 64-bit adder and comparator. …The whole thing works in this weird, emulated environment created from a single decompression pass through a JBIG2 stream.
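The four-operator claim in the quote above, as an added illustration (this is not Project Zero’s code and not the exploit’s VM): a 64-bit ripple-carry adder and an unsigned comparator built from nothing but AND, OR, XOR and XNOR applied to one-bit cells, the way the write-up describes registers being built out of bitmap operations. The `reg64` type and the `op_*` helpers are names assumed for this example.

```c
#include <stdint.h>

/* The only four primitives the passage says the codec offers: a bitwise
   operation between two one-bit cells. Everything below is built from these. */
static uint8_t op_and (uint8_t a, uint8_t b) { return a & b; }
static uint8_t op_or  (uint8_t a, uint8_t b) { return a | b; }
static uint8_t op_xor (uint8_t a, uint8_t b) { return a ^ b; }
static uint8_t op_xnor(uint8_t a, uint8_t b) { return (uint8_t)(~(a ^ b) & 1u); }

/* NOT x == XNOR(x, 0): derived from a primitive, not a fifth one. */
static uint8_t op_not(uint8_t a) { return op_xnor(a, 0); }

/* A "register" is 64 one-bit cells, least significant bit first (assumed layout). */
typedef struct { uint8_t bit[64]; } reg64;

static reg64 to_reg(uint64_t v) {
    reg64 r;
    for (int i = 0; i < 64; i++) r.bit[i] = (uint8_t)((v >> i) & 1u);
    return r;
}
static uint64_t from_reg(const reg64 *r) {
    uint64_t v = 0;
    for (int i = 0; i < 64; i++) v |= (uint64_t)r->bit[i] << i;
    return v;
}

/* Ripple-carry full adder: sum = a^b^c, carry = (a&b) | (c&(a^b)). */
uint64_t add64(uint64_t x, uint64_t y) {
    reg64 a = to_reg(x), b = to_reg(y), s;
    uint8_t carry = 0;
    for (int i = 0; i < 64; i++) {
        uint8_t t = op_xor(a.bit[i], b.bit[i]);
        s.bit[i]  = op_xor(t, carry);
        carry     = op_or(op_and(a.bit[i], b.bit[i]), op_and(carry, t));
    }
    return from_reg(&s);   /* final carry dropped: result wraps modulo 2^64 */
}

/* Unsigned less-than, scanned from the top bit: the first differing bit decides. */
uint8_t lt64(uint64_t x, uint64_t y) {
    reg64 a = to_reg(x), b = to_reg(y);
    uint8_t decided = 0, result = 0;
    for (int i = 63; i >= 0; i--) {
        uint8_t diff = op_xor(a.bit[i], b.bit[i]);
        uint8_t a_lt = op_and(op_not(a.bit[i]), b.bit[i]);   /* a=0, b=1 */
        uint8_t take = op_and(diff, op_not(decided));        /* undecided so far */
        result  = op_or(result, op_and(take, a_lt));
        decided = op_or(decided, diff);
    }
    return result;
}
```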
Full shoot? ELI5. Jonas Bucinskas explains it as if I were five(-ish):
Pretty amazing and terrifying things. They built a fucking computer in a compromised rendering engine.
I’m sure most script kiddies have only one question in mind: can this computer run Doom?
Wait. Pause. Repeat that? JustAnotherOldGuy seems impressed:
A virtual processor built from custom-coded pixel boolean operations.
It is an impressive ****. It’s great, really.
But how is this possible? Hold my beer, says Luke McCarthy:
“It’s very easy”
File formats are a kind of programming language. They have grammar, and when you start adding functionality beyond a literal data representation, it’s very easy to accidentally make it Turing-complete.
With a thought experiment, it’s Joe Rozner—@JRozner:
“I have this crazy idea”
It’s ridiculous. I wonder what the meeting was like where someone shared the bug and was like, “Now listen to me, I have this crazy idea of how to actually use this.”
How to protect against this? Sounds like a job for a fuzzer, phantomfive thinks:
Image analysis code should always be very well tested, as it is a fruitful source of exploits. The reason is that it’s mathematically complex and it’s not always obvious when a buffer will overflow.
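The bug class named in both the Beer/Groß quote (an integer overflow while assembling referenced segments) and phantomfive’s point that such overflows are not obvious, as an added example: this is not the real JBIG2 decoder code, and `segment`, `num_syms` and `MAX_SYMS` are names assumed here. The unchecked total silently wraps to a tiny value; the hardened form tests the bound before adding, so wrap-around cannot happen.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical segment record: each referenced segment contributes
   `num_syms` symbols that must be gathered into one contiguous table. */
typedef struct { uint32_t num_syms; } segment;

/* Vulnerable pattern: a 32-bit running total with no overflow check.
   A crafted set of counts wraps it, so the table allocated from this
   value is far too small for the copies that follow. */
uint32_t total_syms_unchecked(const segment *segs, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) total += segs[i].num_syms;   /* may wrap */
    return total;
}

/* Hardened form: bound the total by a hard cap, and check the headroom
   BEFORE the addition rather than the sum after it. Returns 1 on success. */
#define MAX_SYMS (1u << 24)   /* assumed sanity limit for this example */

int total_syms_checked(const segment *segs, size_t n, uint32_t *out) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) {
        if (segs[i].num_syms > MAX_SYMS - total) return 0;   /* would exceed cap */
        total += segs[i].num_syms;
    }
    *out = total;
    return 1;
}

/* Constructed hostile input: 0xFFFFFFFF + 2 wraps to 1 in the unchecked
   version, while the checked version refuses it outright. */
int demo_wraps(void) {
    segment segs[2] = { { 0xFFFFFFFFu }, { 2u } };
    uint32_t total = 0;
    uint32_t wrapped = total_syms_unchecked(segs, 2);   /* 1 */
    int ok = total_syms_checked(segs, 2, &total);       /* 0 */
    return wrapped == 1 && ok == 0;
}

/* Constructed benign input: both versions agree on 3 + 4 = 7. */
int demo_accepts(void) {
    segment segs[2] = { { 3u }, { 4u } };
    uint32_t total = 0;
    int ok = total_syms_checked(segs, 2, &total);
    return ok == 1 && total == 7 && total_syms_unchecked(segs, 2) == 7;
}
```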
Meanwhile, the last word goes to John Scott-Railton of Citizen Lab—@JSRailton:
This type of ability was previously only available with foreground cyberpowers. That should send shivers down your spine.
Highlights how dangerous NSOs and peers are.
sloths make me happy
[Don’t turn on closed captions if easily offended]
Previously in And finally
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best blogs, the best forums, and the weirdest websites…so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.