Knajjd
Admiral
Target has an iPhone running iOS 13 or below.
Hacker knows the target's AppleID username or phone number.
Hacker sends an iMessage with a GIF called, for example, foo.gif. foo.gif is not a GIF file, it is a PDF file with JBIG2 data.
Note that the target did not need to click on a link. This is a zero-click exploit.
Also note that JBIG2 was used in the 1990's to compress PDF files. Compressed PDF files contain JBIG2 data.
The iMessage code, instead of copying the foo.gif file, parses the file and then creates a new file. One of the parsers is a PDF parser that has a buffer overflow vulnerability (I won't explain buffer overflows).
JBIG2 compresses a scanned document file to PDF using NAND logic. The hacker has written thousands of JBIG2 commands to build a logic circuit (computer) that runs code (also in the JBIG2 data) to download and run the spyware. All this is in the foo.gif file.
This code is run in the buffer overflow made available by the bug in the PDF parser implementation used by the iMessage code.
In effect the hacker has created a NEW COMPUTER within the PDF file to run a bootstrap (code that downloads and installs the spyware).
The spyware has access to photos, iMessages, microphone etc. It connects back to the "mother server" with the data.
Source:
FORCEDENTRY - Wikipedia, en.wikipedia.org
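To make the "computer built out of JBIG2 commands" idea concrete, here is an added toy model (not code from the post above, and not the FORCEDENTRY exploit or the JBIG2 spec). It assumes a hypothetical, simplified composition primitive: each command combines one source cell into one destination cell with a JBIG2-style combination operator (AND, OR, XOR, XNOR). Treating each cell as a wire (0x00 = logic 0, 0xFF = logic 1), a NAND gate is three such commands, and chaining NANDs gives a full adder and then an 8-bit ripple-carry adder that runs entirely inside the command interpreter. The cell layout, command format and interpreter are assumptions for illustration; the real exploit's gate construction, the parser bug and the memory corruption are not modelled.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical model of a JBIG2-style "compose bitmap" primitive: combine a
 * source cell into a destination cell with one combination operator.
 * Added illustration only; not the JBIG2 spec and not any exploit's code. */
enum op { OP_AND, OP_OR, OP_XOR, OP_XNOR };

struct cmd { enum op op; uint16_t src; uint16_t dst; };

#define CANVAS_CELLS 512
#define MAX_CMDS     4096

static uint8_t    canvas[CANVAS_CELLS]; /* the "page" the commands draw on */
static struct cmd prog[MAX_CMDS];       /* the command stream (the "program") */
static size_t     nprog;

/* Cells are wires: 0x00 = 0, 0xFF = 1. Cell 0 is hard-wired to logic 1. */
#define CELL_ONE 0
static uint16_t next_cell = 1;

static uint16_t alloc_cell(void) { return next_cell++; }

static void emit(enum op op, uint16_t src, uint16_t dst) {
    prog[nprog++] = (struct cmd){ op, src, dst };
}

/* Interpreter: the victim's parser would execute these as bitmap composition;
 * here they are plain byte-wise boolean operations on the canvas. */
static void run(void) {
    for (size_t i = 0; i < nprog; i++) {
        uint8_t s = canvas[prog[i].src], *d = &canvas[prog[i].dst];
        switch (prog[i].op) {
        case OP_AND:  *d &= s;             break;
        case OP_OR:   *d |= s;             break;
        case OP_XOR:  *d ^= s;             break;
        case OP_XNOR: *d = (uint8_t)~(*d ^ s); break;
        }
    }
}

/* NAND as three compose commands on a fresh (all-zero) output cell:
 * out |= a (copy a), out &= b, out ^= 1 (invert). */
static uint16_t nand(uint16_t a, uint16_t b) {
    uint16_t out = alloc_cell();
    emit(OP_OR,  a,        out);
    emit(OP_AND, b,        out);
    emit(OP_XOR, CELL_ONE, out);
    return out;
}

/* Full adder built from nine NAND gates. */
static void full_adder(uint16_t a, uint16_t b, uint16_t cin,
                       uint16_t *sum, uint16_t *cout) {
    uint16_t t1 = nand(a, b);
    uint16_t t2 = nand(a, t1);
    uint16_t t3 = nand(b, t1);
    uint16_t s1 = nand(t2, t3);      /* a XOR b */
    uint16_t t4 = nand(s1, cin);
    uint16_t t5 = nand(s1, t4);
    uint16_t t6 = nand(cin, t4);
    *sum  = nand(t5, t6);            /* s1 XOR cin */
    *cout = nand(t1, t4);            /* (a AND b) OR (s1 AND cin) */
}

size_t circuit_cmd_count(void) { return nprog; }

/* Build an 8-bit ripple-carry adder as a command stream, execute it with the
 * interpreter, and read the result back off the canvas (carry-out in bit 8). */
unsigned circuit_add8(uint8_t x, uint8_t y) {
    memset(canvas, 0, sizeof canvas);
    nprog = 0; next_cell = 1;
    canvas[CELL_ONE] = 0xFF;
    uint16_t xa[8], yb[8], sum[8], carry = alloc_cell(); /* carry-in cell = 0 */
    for (int i = 0; i < 8; i++) {
        xa[i] = alloc_cell(); canvas[xa[i]] = ((x >> i) & 1) ? 0xFF : 0x00;
        yb[i] = alloc_cell(); canvas[yb[i]] = ((y >> i) & 1) ? 0xFF : 0x00;
    }
    for (int i = 0; i < 8; i++) {
        uint16_t cout;
        full_adder(xa[i], yb[i], carry, &sum[i], &cout);
        carry = cout;
    }
    run();
    unsigned r = 0;
    for (int i = 0; i < 8; i++) r |= (canvas[sum[i]] ? 1u : 0u) << i;
    r |= (canvas[carry] ? 1u : 0u) << 8;
    return r;
}

int main(void) {
    printf("200 + 100 = %u using %zu compose commands\n",
           circuit_add8(200, 100), circuit_cmd_count());
    return 0;
}
```

Even this tiny adder needs 216 commands for 72 gates; scaling that to a circuit that can read memory, compute addresses and write a bootstrap is why the real payload contained many thousands of JBIG2 segments. The point the post makes, that the parser never runs native attacker code to get this far, only a long list of "legitimate" composition commands, is exactly what the interpreter above models.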