NSO Zero-Click Exploit: Turing-Complete CPU in Image File

Researchers have reverse engineered NSO Group’s recent zero-click iPhone exploit—from the Pegasus spyware suite. And it’s a doozy: People are using words like “terrifying,” “alarming,” “dangerous,” “weird,” “amazing,” “impressive,” “brilliant” and “ridiculous.”

But what would Alan Turing think? Google Project Zero invoked his eponymous theory of “completeness” to describe the more bizarre aspect of this malware, dubbed FORCEDENTRY. It actually implements a Turing-complete virtual machine inside an image file.

It exploits a parser for JBIG2—an obsolete file format. In today’s SB Blogwatch, we wonder what other nasties lurk in unmaintained, legacy open source code.

Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: Al I at o Crsms.

SEAR+GP0 vs. NSO

What’s the craic? Nathaniel Mott reports—“Project Zero Goes Deep on FORCEDENTRY”:

Terrifying
A technical analysis of the FORCEDENTRY exploit, [which] was used by NSO Group to infect target iPhones with its Pegasus spyware via iMessage … says, “We assess this to be one of the most technically sophisticated exploits we’ve ever seen.” … Google’s Project Zero … says that it analyzed FORCEDENTRY after Citizen Lab shared a sample of the exploit with assistance from Apple’s Security Engineering and Architecture (SEAR) group.

NSO Group used an image codec that was made to compress black-and-white PDFs so it could get something “fundamentally computationally equivalent” to the programming language that allows web apps to function onto a target’s iPhone. … Project Zero says, “It’s pretty incredible, and at the same time, pretty terrifying.”

Remind me? Anthony Bouchard reminds us—“Extensive write-up on FORCEDENTRY zero-click”:

Even more alarming
The iOS & iPadOS 14.8 update that Apple launched in mid-September was more than just a feature update. It also [fixed] a considerably dangerous zero-click iMessage exploit dubbed FORCEDENTRY (CVE-2021-30860).

The FORCEDENTRY exploit came bundled in a piece of spyware that is now commonly referred to as Pegasus, and it effectively utilized a bug in CoreGraphics to bypass iOS & iPadOS 14’s BlastDoor iMessage protections. … Even more alarming is the realization that by receiving a maliciously crafted PDF document, a victim could have been left wide open to remote arbitrary code execution.

Horses’ mouths? Ian Beer and Samuel Groß—“A deep dive into an NSO zero-click”:

Weird, emulated environment
The initial entry point for Pegasus on iPhone is iMessage. This means that a victim can be targeted just using their phone number or AppleID.

Just because the source filename has to end in .gif, that doesn’t mean it’s really a GIF. … Using this “fake gif” trick, over 20 image codecs are suddenly part of the iMessage zero-click attack surface, including some very obscure and complex formats [including] the JBIG2 implementation … the source code for which is freely available. … The vulnerability is a classic integer overflow when collating referenced segments. … syms points to an undersized buffer [then] the heap is groomed such that the first few writes off of the end … corrupt the GList backing buffer.

[This] compression format is Turing-complete! … It is possible to apply … logical operators … on memory at arbitrary out-of-bounds offsets. … With just the available AND, OR, XOR and XNOR logical operators you can in fact compute any computable function. … So why not just use that to build your own computer architecture and script that!? That’s exactly what this exploit does.

They define a small computer architecture with features such as registers and a full 64-bit adder and comparator. … The whole thing runs in this weird, emulated environment created out of a single decompression pass through a JBIG2 stream.
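To make concrete what the quoted write-up means by a 64-bit adder and comparator built from nothing but AND, OR, XOR and XNOR, here is an added example in C. It is not code from the original post or from the Project Zero write-up: each bit is held in its own byte, standing in for one pixel of the decoded bitmap, so that array offsets play the role of the bit shifts a real CPU would use, and the wrapper names `gate_add`, `gate_add_carry`, `gate_eq` and `gate_lt` are this example’s own.

```c
#include <stdint.h>
#include <inttypes.h>
#include <stdio.h>

/* One bit per byte, standing in for a pixel; b[0] is the least significant bit. */
typedef uint8_t bit;
#define WIDTH 64
typedef struct { bit b[WIDTH]; } reg;

/* The four primitives the write-up lists. Nothing below uses any other operator
 * on the bits themselves; loops and array indexing only pick which bits meet. */
static bit AND (bit a, bit b) { return (bit)(a & b); }
static bit OR  (bit a, bit b) { return (bit)(a | b); }
static bit XOR (bit a, bit b) { return (bit)(a ^ b); }
static bit XNOR(bit a, bit b) { return (bit)(a == b); }

/* Constants and NOT fall out of the primitives: a XOR a is 0, a XNOR a is 1,
 * and a XNOR 0 is NOT a. */
static bit ZERO(bit a) { return XOR(a, a); }
static bit ONE (bit a) { return XNOR(a, a); }
static bit NOT (bit a) { return XNOR(a, ZERO(a)); }

static reg reg_from_u64(uint64_t v) {
    reg r;
    for (int i = 0; i < WIDTH; i++) r.b[i] = (bit)((v >> i) & 1u);
    return r;
}

static uint64_t reg_to_u64(const reg *r) {
    uint64_t v = 0;
    for (int i = 0; i < WIDTH; i++) v |= (uint64_t)r->b[i] << i;
    return v;
}

/* Ripple-carry adder: per bit, sum = a XOR b XOR carry,
 * carry_out = (a AND b) OR (carry AND (a XOR b)). */
static reg add64(const reg *x, const reg *y, bit *carry_out) {
    reg s;
    bit c = ZERO(x->b[0]);
    for (int i = 0; i < WIDTH; i++) {
        bit t = XOR(x->b[i], y->b[i]);
        s.b[i] = XOR(t, c);
        c = OR(AND(x->b[i], y->b[i]), AND(t, c));
    }
    *carry_out = c;
    return s;
}

/* Equality: AND over XNOR of every bit pair. */
static bit eq64(const reg *x, const reg *y) {
    bit acc = ONE(x->b[0]);
    for (int i = 0; i < WIDTH; i++) acc = AND(acc, XNOR(x->b[i], y->b[i]));
    return acc;
}

/* Unsigned less-than: scan from the most significant bit; the first bit
 * that differs decides, and "decided" masks out every later bit. */
static bit lt64(const reg *x, const reg *y) {
    bit result = ZERO(x->b[0]), decided = ZERO(x->b[0]);
    for (int i = WIDTH - 1; i >= 0; i--) {
        bit diff   = XOR(x->b[i], y->b[i]);
        bit ylarge = AND(NOT(x->b[i]), y->b[i]);   /* x_i = 0 and y_i = 1 */
        result  = OR(result, AND(NOT(decided), ylarge));
        decided = OR(decided, diff);
    }
    return result;
}

/* Wrappers over ordinary integers so the gate-level machine is easy to check. */
uint64_t gate_add(uint64_t a, uint64_t b) {
    reg x = reg_from_u64(a), y = reg_from_u64(b); bit c;
    reg s = add64(&x, &y, &c);
    return reg_to_u64(&s);
}
int gate_add_carry(uint64_t a, uint64_t b) {
    reg x = reg_from_u64(a), y = reg_from_u64(b); bit c;
    (void)add64(&x, &y, &c);
    return c;
}
int gate_eq(uint64_t a, uint64_t b) { reg x = reg_from_u64(a), y = reg_from_u64(b); return eq64(&x, &y); }
int gate_lt(uint64_t a, uint64_t b) { reg x = reg_from_u64(a), y = reg_from_u64(b); return lt64(&x, &y); }

int main(void) {
    printf("123456789 + 987654321 = %" PRIu64 "\n", gate_add(123456789ull, 987654321ull));
    printf("UINT64_MAX + 1 = %" PRIu64 " (carry %d)\n",
           gate_add(UINT64_MAX, 1ull), gate_add_carry(UINT64_MAX, 1ull));
    printf("3 < 5: %d, 5 < 3: %d, 7 == 7: %d\n", gate_lt(3, 5), gate_lt(5, 3), gate_eq(7, 7));
    return 0;
}
```

The defender’s takeaway is the shape of the argument, not the arithmetic: once a decoder lets the input apply these four operators between attacker-chosen offsets of a buffer, “it only decodes images” no longer bounds what a file can compute, so the parser has to be treated as an interpreter for untrusted programs and sandboxed and fuzzed accordingly.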

Turing complete? ELI5. Jonas Bučinskas explains like I’m five (-ish):

One question
Pretty amazing and terrifying stuff. They built a damn computer within a compromised renderer.

I’m sure most of the script kiddies only have one question in mind: Can that computer run Doom?

Wait. Pause. Say that again? JustAnotherOldGuy sounds impressed:

Impressive
A virtual CPU built from custom-coded boolean pixel operations.

That’s some impressive ****. It’s brilliant, really.

But how is that possible? Hold my beer, says Luke McCarthy:

It’s very easy
File formats are a kind of programming language. They have a grammar, and when you start adding features beyond a literal representation of data it’s very easy to accidentally make it Turing-complete.

With a thought experiment, it’s Joe Rozner—@JRozner:

I have this crazy idea
This is ****ing ridiculous. I wonder what the meeting was like where someone shared the bug and was like, “Now hear me out, I have this crazy idea about how to actually use this.”

How to protect against this? Sounds like a job for a fuzzer, thinks phantomfive:

Mathematically complex
Image parsing code should always be tested very well, because it’s a fruitful source of exploits. The reason is that it’s mathematically complex, and not always obvious when a buffer will be overflowed.
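The bug class behind phantomfive’s “not always obvious when a buffer will be overflowed” is the one Beer and Groß describe above: an integer overflow while collating referenced segments that leaves `syms` pointing at an undersized buffer. The following is an added example in C, not the JBIG2 code and not from any of the quoted posts; it uses a simplified segment model (an assumption: only a per-segment symbol count) and puts the unchecked sum beside a hardened one built on the GCC/Clang `__builtin_add_overflow` and `__builtin_mul_overflow` builtins. The sample inputs `BENIGN` and `HOSTILE` are constructed for the demo and the `MAX_TOTAL_SYMS` cap is an example policy value.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of a referenced segment; only the symbol count matters here. */
typedef struct { uint32_t num_syms; } segment;

/* Constructed inputs: a benign file, and one whose counts wrap a 32-bit sum. */
static const segment BENIGN[]  = { {3u}, {5u} };
static const segment HOSTILE[] = { {0xFFFFFFF0u}, {0x20u} };
#define BENIGN_N  (sizeof BENIGN  / sizeof BENIGN[0])
#define HOSTILE_N (sizeof HOSTILE / sizeof HOSTILE[0])

/* The real number of symbols, accumulated wide enough that it cannot wrap. */
static uint64_t true_total(const segment *segs, size_t n) {
    uint64_t t = 0;
    for (size_t i = 0; i < n; i++) t += segs[i].num_syms;
    return t;
}

/* Unchecked collation: 32-bit counts summed into a 32-bit total wrap silently,
 * so the capacity handed to the allocator can be far smaller than the number
 * of entries a later copy loop will write. That gap is the undersized buffer. */
uint32_t unchecked_capacity(const segment *segs, size_t n) {
    uint32_t total = 0;
    for (size_t i = 0; i < n; i++) total += segs[i].num_syms;   /* may wrap */
    return total;
}

/* 1 when the unchecked computation would leave the table undersized. */
int unchecked_is_undersized(const segment *segs, size_t n) {
    return (uint64_t)unchecked_capacity(segs, n) < true_total(segs, n);
}

/* Hardened collation: every addition and the final byte-size multiplication
 * are overflow-checked, and the total is bounded by a policy cap so a hostile
 * file cannot demand an absurd allocation either. Returns the entry count on
 * success (byte size in *bytes_out if non-NULL) or -1 on overflow/over-limit. */
#define MAX_TOTAL_SYMS (1u << 24)   /* example cap, an assumption for this demo */
long checked_capacity(const segment *segs, size_t n, size_t *bytes_out) {
    uint32_t total = 0;
    size_t bytes = 0;
    for (size_t i = 0; i < n; i++) {
        if (__builtin_add_overflow(total, segs[i].num_syms, &total)) return -1;
    }
    if (total > MAX_TOTAL_SYMS) return -1;
    if (__builtin_mul_overflow((size_t)total, sizeof(void *), &bytes)) return -1;
    if (bytes_out) *bytes_out = bytes;
    return (long)total;
}

int main(void) {
    size_t bytes = 0;
    printf("benign : unchecked=%u true=%llu undersized=%d checked=%ld\n",
           unchecked_capacity(BENIGN, BENIGN_N),
           (unsigned long long)true_total(BENIGN, BENIGN_N),
           unchecked_is_undersized(BENIGN, BENIGN_N),
           checked_capacity(BENIGN, BENIGN_N, &bytes));
    printf("hostile: unchecked=%u true=%llu undersized=%d checked=%ld\n",
           unchecked_capacity(HOSTILE, HOSTILE_N),
           (unsigned long long)true_total(HOSTILE, HOSTILE_N),
           unchecked_is_undersized(HOSTILE, HOSTILE_N),
           checked_capacity(HOSTILE, HOSTILE_N, &bytes));
    return 0;
}
```

Two things a reviewer or fuzz harness should look for follow from this: a total that is summed in the same width as its inputs, and an allocation size derived from that total by a second, unchecked multiplication. A sanitizer build (`-fsanitize=unsigned-integer-overflow` on Clang, or an explicit trap in the checked path) turns the silent wrap into a crash the fuzzer can report.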

Meanwhile, the last word must go to Citizen Lab’s John Scott-Railton—@JSRailton:

Dangerous
This kind of capability was previously only seen with top tier cyber powers. Should send a chill down your spine.

Underlines just how dangerous NSO & peers are.

And Finally:

Sloths make me happy

[Don’t turn on closed captions if easily offended]

Previously in And Finally


You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites … so you don’t have to. Hate mail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE. 30.

Richi Jennings

Richi Jennings is a foolish independent industry analyst, editor, and content strategist. A former developer and marketer, he’s also written or edited for Computerworld, Microsoft, Cisco, Micro Focus, HashiCorp, Ferris Research, Osterman Research, Orthogonal Thinking, Native Trust, Elgan Media, Petri, Cyren, Agari, Webroot, HP, HPE, NetApp on Forbes and CIO.com. Bizarrely, his ridiculous work has even won awards from the American Society of Business Publication Editors, ABM/Jesse H. Neal, and B2B Magazine.
