Cybersecurity company Kaspersky published a report in June this year stating that iPhones used by some of its employees had been compromised. The attackers chained several highly sophisticated zero-click vulnerabilities to infect the phones and keep them under continuous surveillance without any interaction from the victim. Kaspersky named the campaign Operation Triangulation. After the vulnerabilities were reported to Apple, Apple released updates addressing them, beginning in late June.

At that time, however, the technical details were not disclosed. Rolling out iPhone updates takes time, and researchers generally delay publishing vulnerability details so that attackers cannot exploit them against users who have not yet upgraded.

Half a year has now passed since the fixes were released. At the 37th Chaos Communication Congress (37C3) in late December, researchers from the Kaspersky team presented a detailed report and the full technical details to the wider security community.

The iMessage zero-click exploit used by the Pegasus spyware of Israeli commercial spyware vendor NSO Group has been called one of the most technically sophisticated ever seen, and Kaspersky says the Triangulation attack chain is on the same alarming level.

The following is the complete attack chain published by Kaspersky, including the four zero-day vulnerabilities used to obtain root privileges on the victim's device:

1. The attacker sends a malicious iMessage attachment to the target. When the victim's iPhone receives the message, iMessage processes the attachment automatically without showing any notification;

2. The malicious attachment exploits the remote code execution vulnerability CVE-2023-41990 in the undocumented, Apple-only ADJUST TrueType font instruction;

3. The exploit uses return/jump-oriented programming and multiple stages written in the NSExpression/NSPredicate query language, patching the JavaScriptCore library environment so that a privilege escalation exploit written in JavaScript can be executed;

4. The JavaScript exploit is obfuscated to make it unreadable and to reduce its size. Even so, the researchers found it contains roughly 11,000 lines of code, mostly dedicated to parsing and manipulating JavaScriptCore and kernel memory;

5. The exploit abuses the JavaScriptCore debugging feature DollarVM ($vm) to gain the ability to manipulate JavaScriptCore's memory from the script and to call native API functions;

6. The exploit was built to support both older and newer iPhones, and includes a Pointer Authentication Code (PAC) bypass so that it also works on recent models;

7. The exploit then uses the integer overflow vulnerability CVE-2023-32434 in XNU's memory mapping syscalls to obtain read/write access to the entire physical memory of the device from user mode;

8. It uses hardware memory-mapped I/O (MMIO) registers to bypass the Page Protection Layer (PPL). This issue was mitigated as CVE-2023-38606;

9. Once all the vulnerabilities have been exploited, the JavaScript exploit can do whatever it wants on the device, including running spyware, but the attackers instead chose to:

a. Launch the IMAgent process and inject a payload that clears the exploitation artefacts from the device;

b. Run a Safari process in invisible mode and forward it to a web page hosting the next stage of the attack;

10. The web page contains a script that verifies the victim; if the checks pass, it receives the next stage: the Safari exploit;

11. The Safari exploit uses CVE-2023-32435 to execute shellcode;

12. The shellcode runs another kernel exploit, delivered as a Mach object file. It uses the same vulnerabilities, CVE-2023-32434 and CVE-2023-38606, but is otherwise completely different from the kernel exploit written in JavaScript. Most of its code is again dedicated to parsing and manipulating kernel memory, and it contains various post-exploitation utilities, most of which the attackers never use;

13. The exploit obtains root privileges and proceeds to the remaining stages, which load the spyware.
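Step 7 relies on an integer overflow in a memory-mapping syscall: a caller-controlled offset and size are added (and rounded up to a page boundary) before being compared with the size of the backing object, so a huge size can wrap around and look like a small, in-range mapping. The following added example, written for this page and not taken from XNU or from Kaspersky's analysis, illustrates that bug class with a simplified bounds check beside its hardened form. The function names, the 16 KiB page size and the 64 KiB object size are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed illustration of the bug class behind CVE-2023-32434 (step 7):
 * a memory-mapping syscall takes a caller-controlled (offset, size) pair,
 * rounds the end to a page boundary and compares it with the object size.
 * This is NOT XNU source; names and sizes here are assumed for the example.
 */

#define SIM_PAGE_SIZE 0x4000ULL   /* assumed 16 KiB pages, as on arm64 iOS */
#define SIM_ROUND_PAGE(x) (((x) + SIM_PAGE_SIZE - 1) & ~(SIM_PAGE_SIZE - 1))

/* Vulnerable variant: offset + size (and the page rounding) may wrap,
 * so a huge size ends up looking like a small, in-range mapping. */
bool mem_entry_check_vulnerable(uint64_t object_size, uint64_t offset, uint64_t size)
{
    uint64_t end = SIM_ROUND_PAGE(offset + size);   /* may wrap around */
    if (size == 0 || end > object_size)
        return false;                                /* request rejected */
    return true;                                     /* mapping allowed */
}

/* Hardened variant: detect every possible wrap before the range comparison. */
bool mem_entry_check_hardened(uint64_t object_size, uint64_t offset, uint64_t size)
{
    uint64_t end, end_rounded;
    if (size == 0)
        return false;
    if (__builtin_add_overflow(offset, size, &end))                  /* offset + size wrapped */
        return false;
    if (__builtin_add_overflow(end, SIM_PAGE_SIZE - 1, &end_rounded)) /* page rounding wrapped */
        return false;
    end_rounded &= ~(SIM_PAGE_SIZE - 1);
    if (end_rounded > object_size)
        return false;
    return true;
}

int main(void)
{
    const uint64_t object_size = 0x10000;   /* assumed 64 KiB backing object */
    struct { uint64_t off, len; const char *what; } cases[] = {
        { 0x0,     0x8000,                "benign in-range request" },
        { 0x10000, 0x8000,                "plainly out of range" },
        { 0x4000,  0xFFFFFFFFFFFFF000ULL, "offset+size wraps" },
        { 0x0,     0xFFFFFFFFFFFFE001ULL, "page rounding wraps" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%-26s vulnerable=%d hardened=%d\n", cases[i].what,
               mem_entry_check_vulnerable(object_size, cases[i].off, cases[i].len),
               mem_entry_check_hardened(object_size, cases[i].off, cases[i].len));
    }
    return 0;
}
```

The two wrapping cases show why a single overflow-safe addition is not enough: the rounding step is a second addition that must be checked on its own, otherwise a size just below the 64-bit limit slips past the comparison with an end address of zero.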

Kaspersky says it has reverse engineered almost every aspect of the attack chain. The effort and expertise behind it indicate that the attackers were not pursuing general-purpose goals; the primary objective was most likely espionage with a political motive.

The Kaspersky team plans to publish further articles on Operation Triangulation in 2024. Readers interested in the details should consult the original Kaspersky report, which includes an analysis of each vulnerability: https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/