
New iPhone Exploit Uses Four Zero-Days

Kaspersky researchers have uncovered a highly sophisticated attack that exploited four zero-day vulnerabilities in iPhones over a span of four years. The attack, dubbed Operation Triangulation, targeted the devices of employees at Moscow-based security firm Kaspersky. The most significant aspect of this attack is the exploitation of a previously unknown hardware feature, which allowed the attackers to bypass advanced hardware-based memory protections. These protections are designed to safeguard the integrity of the device’s system even after an attacker gains access to the kernel. The attackers were able to bypass this protection by exploiting a vulnerability in that undocumented hardware feature. The same protection is also present in Apple’s M1 and M2 CPUs.

The details of this attack are staggering. It involved a zero-click iMessage attack that used four zero-day vulnerabilities and was designed to work on iOS versions up to iOS 16.2. The attack began with the sending of a malicious iMessage attachment, which the application processed without alerting the user. This attachment exploited a remote code execution vulnerability in an undocumented Apple-only TrueType font instruction. It then used return/jump oriented programming and multiple stages written in the NSExpression/NSPredicate query language to execute a privilege escalation exploit written in JavaScript. The JavaScript exploit was obfuscated to make it unreadable and minimize its size. It had around 11,000 lines of code dedicated to JavaScriptCore and kernel memory parsing and manipulation.

The attack also exploited an integer overflow vulnerability in XNU’s memory mapping syscalls to gain read/write access to the entire physical memory of the device from user level. It then used hardware memory-mapped I/O registers to bypass the Page Protection Layer. After exploiting all the vulnerabilities, the JavaScript exploit had complete control over the device and could run spyware. The attackers chose to launch the IMAgent process and inject a payload to clear the exploitation artifacts from the device. They also ran a Safari process in invisible mode and directed it to a web page hosting the next stage. The web page verified the victim and, once the checks passed, the device received the next stage: the Safari exploit. The Safari exploit executed shellcode using another kernel exploit in the form of a Mach object file.
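The integer overflow mentioned above belongs to a well-known bug class: a range check that computes an end address as `addr + len` without guarding against wraparound. The following C snippet is an added illustration of that class and of the corresponding defensive check; it is not XNU code and does not reproduce the specific flaw used in this attack. The region bounds, function names and the constructed length value are hypothetical.

```c
// Added illustration of the unchecked addr+len overflow bug class in a
// memory-mapping style range check. Hypothetical code, not XNU's, and not
// the specific vulnerability described in the article.
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

// Hypothetical bounds of the region a caller is allowed to map.
#define REGION_BASE  0x1000ULL
#define REGION_SIZE  0x10000ULL

// Naive check: computes end = addr + len without detecting wraparound.
// With a sufficiently large len the sum wraps past zero, so end looks
// small and the request passes even though it reaches far outside the region.
bool range_ok_naive(uint64_t addr, uint64_t len) {
    uint64_t end = addr + len;          // may silently wrap modulo 2^64
    return addr >= REGION_BASE && end <= REGION_BASE + REGION_SIZE;
}

// Hardened check: reject empty requests and any addition that overflows,
// then apply the same bounds test on a sum that is known to be exact.
bool range_ok_checked(uint64_t addr, uint64_t len) {
    uint64_t end;
    if (len == 0) {
        return false;
    }
    if (__builtin_add_overflow(addr, len, &end)) {
        return false;                   // addr + len does not fit in 64 bits
    }
    return addr >= REGION_BASE && end <= REGION_BASE + REGION_SIZE;
}

int main(void) {
    // Constructed input: len chosen so that addr + len wraps to 0x1000,
    // which lies inside the region and fools the naive check.
    uint64_t addr = 0x2000;
    uint64_t len  = UINT64_MAX - 0x1000 + 1;
    printf("naive:   %d\n", range_ok_naive(addr, len));
    printf("checked: %d\n", range_ok_checked(addr, len));
    return 0;
}
```

`__builtin_add_overflow` is available in GCC and Clang; the same effect can be obtained portably by testing `len > UINT64_MAX - addr` before adding.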

Given the attack’s high level of sophistication, Kaspersky’s analysis confirms that it is the work of a nation-state actor. The attack demonstrates the lengths to which attackers are willing to go to exploit vulnerabilities in iPhones. It also highlights the importance of robust hardware-based memory protections as a safeguard against such attacks. Apple will likely need to address these vulnerabilities and strengthen its security measures in future iOS updates.

Key Points:
– Kaspersky researchers have uncovered a four-year-long attack on iPhones that exploited four zero-day vulnerabilities.
– The attack bypassed advanced hardware-based memory protections by exploiting a vulnerability in a secret hardware feature.
– The attack used a zero-click iMessage exploit and multiple stages written in JavaScript to gain complete control over the device.
– Kaspersky’s discovery confirms that the attack was the work of a nation-state actor.
– This attack underscores the need for robust hardware-based memory protections and ongoing security updates from Apple.
