New iPhone Exploit Uses Four Zero-Days
2024-01-04 12:11

Kaspersky researchers are detailing "An attack that over four years backdoored dozens if not thousands of iPhones, many of which belonged to employees of Moscow-based security firm Kaspersky." It's a zero-click exploit that makes use of four iPhone zero-days.

It uses return/jump oriented programming and multiple stages written in the NSExpression/NSPredicate query language, patching the JavaScriptCore library environment to execute a privilege escalation exploit written in JavaScript.

After exploiting all the vulnerabilities, the JavaScript exploit can do whatever it wants to the device including running spyware, but the attackers chose to: launch the IMAgent process and inject a payload that clears the exploitation artefacts from the device; run a Safari process in invisible mode and forward it to a web page with the next stage.

The Safari exploit uses CVE-2023-32435 to execute shellcode.

The shellcode executes another kernel exploit in the form of a Mach object file.

The exploit obtains root privileges and proceeds to execute other stages, which load spyware.


News URL

https://www.schneier.com/blog/archives/2024/01/new-iphone-exploit-uses-four-zero-days.html

Related Vulnerability

DATE        CVE             VULNERABILITY TITLE                                   RISK
2023-06-23  CVE-2023-32435  Out-of-bounds Write vulnerability in Apple products   8.8
            A memory corruption issue was addressed with improved state management.
            Attack vector: network; attack complexity: low; vendor: apple; weakness: CWE-787