An analysis of the NSO BLASTPASS iMessage exploit, showing how it compromises iPhones without any user interaction (a zero-click exploit). The exploit uses malicious images delivered as PassKit attachments to target a vulnerability in the lossless WebP format. The post details how the exploit bypasses security measures such as BlastDoor, discusses the CVEs involved, and explains the vulnerability's root cause and how it was exploited.

From googleprojectzero.blogspot.com
Table of contents

Setting the scene
WebP
Déjà vu?
Transformation
What's in a pass?
Blastdoor
What's in a WebP?
unbplisting
Switching Views
Instrumentation
Thinking dynamically
libmalloc
The groom
Puzzling pieces
Cores and Foundations
X steps forwards, Y steps back
Special Delivery
Caveat I: Mysterious Pointers
Stepping back
Caveat II: ASLR
Caveat III: Pointer Authentication
Callback-Oriented Programming
Similarities
Key material
Conclusion
