Dissecting NSO's BLASTPASS: A Zero-Click iOS Exploit

2025-03-27

Ian Beer of Google Project Zero has published an analysis of NSO Group's BLASTPASS iMessage exploit. The zero-click chain delivered a maliciously crafted WebP image disguised as a PassKit (.pkpass) attachment, a delivery path that got the image parsed outside the BlastDoor sandbox that normally isolates iMessage attachment processing. The memory corruption came from lossless WebP (VP8L) decoding: building the Huffman decode tables from attacker-controlled code lengths that do not form a valid prefix code overflows a fixed-size table buffer. Apple fixed the chain in September 2023 as CVE-2023-41064 (ImageIO) and CVE-2023-41061 (Wallet); the underlying libwebp bug is CVE-2023-4863. A 5.5MB bplist heap groom, carried inside an EXIF MakerNote tag and parsed during TIFF image rendering, laid out the heap so that the overflow corrupted a chosen object; the exploit then had a forged CFReadStream's destructor run to take control of execution, bypassing Pointer Authentication Codes (PAC) in the process. HomeKit traffic may have been used for the ASLR disclosure that such a groom depends on. Beer's conclusion is the practical one: a single parser bug becomes a full chain once the parser runs outside a sandbox, so the remote attack surface reachable from an unsolicited message has to be cut down, and what remains has to sit behind robust sandboxing.
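The Huffman bug described above is a table-construction problem: a lossless WebP decoder turns a list of attacker-supplied code lengths into lookup tables, and a length set that is not a valid, complete prefix code can make those tables larger than the buffer they were sized for. The block below is an added example, not Beer's analysis code nor libwebp's implementation. It validates a length set with the Kraft inequality before any table memory is written, assigns canonical codes, and fills a decode table only after checking it against a caller-stated capacity. The 15-bit maximum code length matches VP8L; the single-level table, the 256-symbol bound and the sample length sets are constructed simplifications for illustration.

```c
/* Added example, not code from Project Zero or libwebp: a canonical-Huffman
 * code-length validator and table builder that refuses malformed length sets
 * BEFORE any table entry is written. MAX_CODE_LEN=15 matches VP8L; the
 * single-level table and the sample inputs are simplifications (assumptions). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CODE_LEN  15                /* longest code allowed in a VP8L Huffman code */
#define MAX_SYMBOLS   256               /* alphabet bound used by this example (assumption) */
#define TABLE_ENTRIES (1u << MAX_CODE_LEN)

enum code_status {
    CODE_COMPLETE       =  0,           /* Kraft sum == 1: every bit pattern maps to a symbol */
    CODE_INCOMPLETE     =  1,           /* Kraft sum  < 1: some bit patterns map to nothing   */
    CODE_OVERSUBSCRIBED = -1,           /* Kraft sum  > 1: not a prefix code at all           */
    CODE_BAD_LENGTH     = -2            /* a length exceeds MAX_CODE_LEN                      */
};

/* Kraft check in fixed point: a code of length L consumes 2^(MAX_CODE_LEN-L)
 * units out of 2^MAX_CODE_LEN. O(n), no allocation, no writes: safe to run on
 * attacker-controlled lengths before a decoder touches its lookup tables. */
enum code_status validate_code_lengths(const uint8_t *lens, size_t n) {
    uint32_t space = TABLE_ENTRIES;
    for (size_t i = 0; i < n; i++) {
        if (lens[i] > MAX_CODE_LEN) return CODE_BAD_LENGTH;
        if (lens[i] == 0) continue;                     /* symbol unused by this code */
        uint32_t cost = 1u << (MAX_CODE_LEN - lens[i]);
        if (cost > space) return CODE_OVERSUBSCRIBED;
        space -= cost;
    }
    return space == 0 ? CODE_COMPLETE : CODE_INCOMPLETE;
}

/* Canonical assignment as in RFC 1951: codes of one length are consecutive in
 * symbol order, and each length starts just past the last code of the shorter
 * length. Only complete codes are accepted. Returns 0 on success, -1 otherwise. */
int assign_canonical_codes(const uint8_t *lens, size_t n, uint16_t *codes) {
    uint16_t bl_count[MAX_CODE_LEN + 1] = {0};
    uint16_t next_code[MAX_CODE_LEN + 1] = {0};
    if (validate_code_lengths(lens, n) != CODE_COMPLETE) return -1;
    for (size_t i = 0; i < n; i++) bl_count[lens[i]]++;
    bl_count[0] = 0;
    uint16_t code = 0;
    for (int bits = 1; bits <= MAX_CODE_LEN; bits++) {
        code = (uint16_t)((code + bl_count[bits - 1]) << 1);
        next_code[bits] = code;
    }
    for (size_t i = 0; i < n; i++)
        if (lens[i] != 0) codes[i] = next_code[lens[i]]++;
    return 0;
}

/* Single-level decode table indexed by the next MAX_CODE_LEN input bits, MSB
 * first. Entry = (symbol << 4) | length; 0 marks a slot no code reaches. The
 * caller states the table capacity, and every rejection happens before memset. */
int build_decode_table(const uint8_t *lens, size_t n, uint16_t *table, size_t table_cap) {
    uint16_t codes[MAX_SYMBOLS];
    if (n > MAX_SYMBOLS || table_cap < TABLE_ENTRIES) return -1;
    if (assign_canonical_codes(lens, n, codes) != 0) return -1;
    memset(table, 0, TABLE_ENTRIES * sizeof *table);
    for (size_t sym = 0; sym < n; sym++) {
        if (lens[sym] == 0) continue;
        uint32_t shift = MAX_CODE_LEN - lens[sym];        /* don't-care bits after the code */
        uint32_t first = (uint32_t)codes[sym] << shift;
        for (uint32_t k = 0; k < (1u << shift); k++)
            table[first + k] = (uint16_t)((sym << 4) | lens[sym]);
    }
    return 0;
}

/* Constructed sample length sets (Kraft sums: 3/4 + 2/8 = 1; 7/8; 5/4). */
static const uint8_t SAMPLE_COMPLETE[]       = {2, 2, 2, 3, 3};
static const uint8_t SAMPLE_INCOMPLETE[]     = {2, 2, 2, 3};
static const uint8_t SAMPLE_OVERSUBSCRIBED[] = {1, 1, 2};
static uint16_t g_table[TABLE_ENTRIES];

/* Builds the table for SAMPLE_COMPLETE and decodes one 15-bit window (MSB first).
 * Returns the symbol, or -1 if the table could not be built or the slot is empty. */
int demo_decode(uint32_t window15) {
    if (build_decode_table(SAMPLE_COMPLETE, sizeof SAMPLE_COMPLETE, g_table, TABLE_ENTRIES) != 0)
        return -1;
    uint16_t e = g_table[window15 & (TABLE_ENTRIES - 1)];
    return e ? (int)(e >> 4) : -1;
}

int main(void) {
    printf("complete=%d incomplete=%d oversubscribed=%d\n",
           (int)validate_code_lengths(SAMPLE_COMPLETE, sizeof SAMPLE_COMPLETE),
           (int)validate_code_lengths(SAMPLE_INCOMPLETE, sizeof SAMPLE_INCOMPLETE),
           (int)validate_code_lengths(SAMPLE_OVERSUBSCRIBED, sizeof SAMPLE_OVERSUBSCRIBED));
    printf("window 110... decodes to symbol %d\n", demo_decode(6u << 12));
    return 0;
}
```

The ordering is the point: validate the lengths, derive the table size from them, and only then write. Production decoders use two-level tables whose sub-table sizes depend on how many codes remain at each length, which makes the size bound harder to reason about and the up-front completeness check correspondingly more important.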