{"uuid": "ac740b44-46eb-4e02-b0a1-39fe3c215f06", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2021-30860", "type": "published-proof-of-concept", "source": "https://t.me/crackcodes/1903", "content": "|FORCEDENTRY, are you here?|\n\n\ud83d\udd75\ufe0f\u200d\u2642\ufe0fI think many have not forgotten FORCEDENTRY, the data-only 0-click RCE exploit from NSO Group delivered via iMessage that made a lot of noise a year ago (CVE-2021-30860, an integer overflow in Apple's JBIG2 implementation for xpdf (JBIG2Stream::readTextRegionSeg(), exploited by programming a JBIG2 weird machine in the parser), which essentially belongs to CoreGraphics). That is, a PDF file arrives that is supposedly a \".gif\", and because IMTranscoderAgent analyzed exactly this kind of impostor outside the BlastDoor sandbox, the Israelis were able to achieve a sandbox escape (SBX). In reality the exploitation was much more complicated, and you can read more about it: on the channel, here and here.\n\nMoreover, the researchers from Google Project Zero could not establish an exact trace after the IMTranscoderAgent SBX and, as a hypothesis, put forward several exploitation scenarios:\n1\ufe0f\u20e3iMessage RCE \u27a1\ufe0f IMTranscoderAgent SBX \u27a1\ufe0f iOS kernel LPE\n2\ufe0f\u20e3iMessage RCE \u27a1\ufe0f IMTranscoderAgent SBX \u27a1\ufe0f some_service \u27a1\ufe0f iOS kernel LPE\n\nThe problem for security people to this day is that there are still no samples publicly available (from which we can conclude that detecting it with standard methods will not work). In this post Matt, besides analyzing the attack, also talks about detection without using regexes or process-name checks; in the end a tool (ELEGANTBOUNCER) was presented for analyzing the files of non-fileless (data-only) attacks, and without relying on samples.\n\n\ud83d\udd16You can read more in Matt's article.\n\n#NSO #PegasusSpyware #FORCEDENTRY #iOS #iMessage #forensics #security #exploitation #sbx #xpdf #weirdMachine #JBIG2", "creation_timestamp": "2022-12-21T14:45:16.000000Z"}