Pegasus internals
Formal Metadata
Title | Pegasus internals
Number of Parts | 147
License | CC Attribution 4.0 International: You are free to use, adapt and copy, distribute and transmit the work or content in adapted or unchanged form for any legal purpose as long as the work is attributed to the author in the manner specified by the author or licensor.
Identifiers | 10.5446/43804 (DOI)
33c3, part 127 / 147
Transcript: English (auto-generated)
00:14
Max is a security researcher at Lookout. He's been doing this for about 10 years. He spent a lot of time in obfuscation,
00:21
exploit development, security research, he is a previous Black Hat speaker, currently focused on mobile security research and working on his PhD. He'll be telling you about some of the internals of the Pegasus malware today. With that, I will turn it over to Max to take it away. Thank you.
00:47
Hi, everyone. My name is Max Bazaliy, and today we'll talk about the Pegasus internals. I'm from Kiev, Ukraine. I currently work as a security researcher at Lookout, and in the last few years I have focused on jailbreak techniques,
01:02
so that's why I co-founded the Fried Apple team, where we're working on various iOS jailbreaks, including 8 and 9. So, Pegasus. Pegasus is a high-quality espionage software that can be used for complete surveillance of a device. It does everything from stealing your personal data
01:21
up to remotely activating the microphone or camera on a device without any indication that it's really happening. So, in order for Pegasus to work, it needs to jailbreak the device first, because the iOS sandbox prevents applications from spying on each other. So, that's why Pegasus relies on the Trident exploit chain
01:42
to completely open a device and install persistence that is used on each device reboot. Here's a really terrifying list of target apps, including even the ones known as the most secure, like Telegram, WhatsApp, Viber,
02:02
and I'm pretty sure you can find your favorite messenger in this list. Before going into a deep technical analysis of the vulnerabilities used, I want to tell the story of how we got the Pegasus sample. So, please meet Ahmed Mansoor, who's mostly known for his work as a human rights defender.
02:22
He's even a recipient of the Martin Ennals Award, sometimes called the Nobel Prize for Human Rights. So, on August 10th this year, Ahmed received a message with a text that someone in a state prison got... Someone in a state prison.
02:42
So, and he received another text with a similar thing the next day. But previously he was targeted by Hacking Team in 2012 and Gamma's FinFisher in 2011. So, now, instead of clicking on the link, he contacted Citizen Lab, because he had worked with those guys before.
03:02
So, he sent the link to Citizen Lab for analysis, and we, as the Lookout research team, got the initial sample and the link from Citizen Lab. So, in this story, I will mostly focus on the technical part of it. So, in order to work, Pegasus relies on the
03:23
Trident exploit chain, and it uses three stages. So, on the first stage, it uses a memory corruption to achieve remote code execution in the Safari context. After that, once it is on the device, it jumps to the second stage and uses two vulnerabilities to exploit the kernel. One is used to bypass kernel address space
03:42
layout randomization, and another to achieve kernel-level code execution. And finally, on the third stage, it installs the spyware and uses a special trick to achieve on-device persistence. So, I will focus on each stage in more detail.
04:03
The first stage, as I said, is a single-use phishing URL that will be invalidated after the first click. It contains obfuscated JavaScript; the first thing it does is check the device type: is it an iPhone, is it an iPad, is it 32 or 64 bit, and based on the information about the device processor type,
04:22
different versions of shellcode will be downloaded, which is stage two. And finally, it exploits a remote code execution vulnerability in WebKit to execute the shellcode. So, what vulnerability was used? CVE-4657, remote code execution in WebKit.
04:41
Basically, the vulnerability is a use-after-free that is achieved by using two bugs, and in the sample that we got, it's not stable because it relies on the WebKit garbage collector. The problem itself lives in MarkedArgumentBuffer and can be exploited by usage of defineProperties.
05:01
So, defineProperties is a method that defines new or modifies existing properties directly on an object. It takes a few arguments: the object itself, and the properties object, which can have descriptors that constitute the properties to be defined or modified.
05:21
It has a pretty simple algorithm, containing a few loops. On the very first iteration, each property descriptor is checked for formatting, and after that gets appended to a descriptors vector. And to make sure that the references to the property descriptors do not become stale, they need to be protected from being garbage collected.
05:40
For this purpose, MarkedArgumentBuffer is used. We see at the very, very end, markBuffer.append. So, MarkedArgumentBuffer prevents objects from being deallocated. And after each property has been validated and it's okay, defineProperties, as I said, defines each of the user-supplied properties
06:02
on the target object. And here is the problem, because when defineProperty is called, it's possible to call any user-defined JavaScript methods. If in the JavaScript methods garbage collection can be triggered, it will deallocate any unmarked heap-backed object.
06:23
I will go a little bit deeper into the details. First of all, a few words about MarkedArgumentBuffer and the JavaScript garbage collector. So, the JavaScript garbage collector is responsible for deallocating objects from memory when they are no longer referenced. It runs at random intervals, based on the current memory pressure,
06:41
current device type, and so on. And when the garbage collector is checking if an object should be deallocated, it walks through the stack and checks for references to the object. References to an object may also exist on the application heap, but in this case an alternate mechanism is used, called the slow append.
07:00
So, MarkedArgumentBuffer has an initial inline stack containing eight values. That means when the ninth value is added to MarkedArgumentBuffer, the capacity will be expanded. It will be moved from stack memory to heap memory. This is what slowAppend is doing.
07:24
slowAppend moves the buffer from the stack to the heap. And now objects are not automatically protected from garbage collection. And to make sure they will not be deallocated, they need to be added to the heap's mark list set.
07:43
This is what we see here. So, slowAppend tries to acquire the heap context, and if it can be acquired, it adds the object, like marking the object by adding it to the mark list set. And here's the problem. Because the heap context
08:00
can be acquired only for a complex object. So, this means that for primitive types like integers, booleans, and so on, they are not heap-backed objects and they will not be marked in the mark list set. And there is a bug in slowAppend: it should be called just once. So, this means when the buffer is moved
08:22
from stack memory to heap memory and one of the properties is a simple type like an integer, it will not be automatically protected from garbage collection, and all the next corresponding values will not be protected as well, because they go through the same slowAppend. Here we see a picture that illustrates it,
08:42
and in reality the references to the JavaScript objects still exist, but if in a call to the defineProperty method any of the user-supplied methods are called, they can remove this reference and the object will be deallocated. So, to summarize all the information,
09:02
here is how it can be exploited. So, we specify a props object which contains 12 descriptors, and the first nine of them are of a simple type, like zeros and eights. Which means when p8, which is the ninth value, is added to the mark list set,
09:21
it will trigger slowAppend and the buffer will be moved from the stack to the heap. And the next corresponding values, which are length, notNumber and array, will not be marked in the mark list set and not automatically protected from garbage collection.
09:40
What happens next? When defineProperties is called on the length property and tries to convert notNumber to a number, the user-defined toString method will be called. The toString method removes the last reference to the array and forces a garbage collection cycle by allocating a large amount of memory,
10:02
which leads to the object being deallocated by the garbage collector. The very next thing it does is reallocate a new object over the stale one. So, this is how a specially crafted use-after-free was used in Safari to achieve remote code execution and to execute shellcode. The shellcode exists in the second stage, which is a payload that contains the shellcode
10:23
and compressed data. The most interesting for us is the shellcode, because it's used for kernel exploitation in the Safari context. And the compressed data basically is a loader that downloads and decrypts the next stage. One of the vulnerabilities used is CVE-4655,
10:41
which is an info leak that's used to bypass kernel address space layout randomization. It exploits the fact that the OSNumber constructor and the OSUnserializeBinary method miss bounds checking. So, this means that an attacker can create an OSNumber object with a really high number of bits and call it within the application sandbox
11:02
via IORegistryEntryGetProperty bytes. Here is how it looks. So, OSUnserializeBinary is a method to handle binary data in the kernel. It converts a binary format to basic kernel data objects. It supports different container types: sets, dictionaries, arrays, object types, strings, numbers,
11:24
and the point of interest is OSNumber. So, as we see here, it passes two arguments, value and length. And there is no real check for the length property. So, this means we can control the length that is passed to the object.
11:41
And why is it a problem? Because here is the constructor for OSNumber, and as we see, the length property passed here is the new number of bits and it overrides the size variable. And the problem is that size is used in other methods, in this case OSNumber::numberOfBytes, which leads to the return value of numberOfBytes
12:03
now being fully controlled by the attacker, which is real bad. Because it's used next in IORegistryEntryGetProperty bytes, which handles OSNumbers and uses numberOfBytes to calculate the object length, the OSNumber length. But unfortunately, it uses a stack-based buffer
12:23
to parse and save the OSNumber value. And what happens next? It is copying memory from the kernel stack to the heap using the attacker-controlled length. Which means we can specify how many bytes will be copied from the kernel stack
12:41
and returned to userland. This is what happens. The first thing we're doing, we create a properties array that has a dictionary which has an OSNumber with a high length, in our case it's 256. Next, we need to spawn a user client
13:01
by calling IOServiceOpenExtended, which will unserialize the OSNumber object and create this object in the kernel. And now we need to read it by calling IORegistryEntryGetProperty. Which leads to us copying 256 bytes of kernel stack memory,
13:21
and the kernel stack memory will contain kernel pointers, and from kernel pointers we can determine the kernel base. So now we have the kernel base and we can jump to the next vulnerability, which is CVE-4656. It's a use-after-free to achieve kernel-level code execution. It exploits the fact that the setAtIndex macro
13:43
does not really retain an object, and we can trigger it within the application sandbox from OSUnserializeBinary. Again, OSUnserializeBinary is a function that parses and unserializes objects in the kernel. It supports different data types,
14:02
different container types, and the interesting thing is that it supports kOSSerializeObject. It means that we can create a reference to another object. It will be really useful in the future, because in the way of unserializing the parsed objects, OSUnserializeBinary saves the object pointer
14:22
to a special objects array using setAtIndex. And as we see, setAtIndex just saves the object pointer to the array at some index, not retaining it. That's bad, because the next code, which casts the OSString to an OSSymbol,
14:40
is releasing the object pointer. What does it mean? We still have an array that holds all the object pointers, which is the objects array, and we just released one of the objects but still hold the pointer. If we can create a reference to the object, we can exploit the use-after-free. This is what happens,
15:00
because kOSSerializeObject allows us to create a reference, and we will just call retain on an already deserialized, already deallocated object. This is how the exploit looks. So first of all, we create an OSDictionary that will contain a string that, due to the bug, will be deallocated. So now we need to reallocate it with our controlled object
15:22
to fit in the same memory slot. As OSString in our case, the OSString class in memory, is 32 bytes, we need to allocate the same size. For this purpose, OSData is a perfect candidate, because we can control the OSData buffer,
15:41
buffer size and buffer content. So what we can do, we can create a fake OSString with a fake vtable, and this fake vtable will point to some gadgets in the kernel. The very last thing we need to do is trigger the use-after-free by adding kOSSerializeObject. So once again, OSString gets deserialized,
16:01
deallocated, and we allocate a new object, which is the OSData buffer, which will point to the same memory spot, and then the use-after-free. So after getting the use-after-free, it just uses some kernel patches to disable security checks, like patching setuid to easily escalate privileges,
16:24
bypass AMFI checks by patching out amfi_get_out_of_my_way, disable code signing enforcement by patching the cs_enforcement_disable variable, and finally remount the system partition to be readable and writable so it can execute the loader for the next stage
16:41
to download and decrypt the next stage. The next stage contains the real spyware that will be used to sniff all the SMS, all the calls, all the personal data. It has three groups.
17:01
One is the process group, which has a main process, sniffing services, the module that uses the SIP protocol to communicate with command and control, a process manager and so on. The next interesting thing is the group of the dylibs,
17:21
because Pegasus relies on Cydia Substrate, the jailbreak framework, renamed as libdata, and uses Cydia Substrate to inject dynamic libraries into application processes. So in our case, we have dynamic libraries for Viber, for WhatsApp, EMAIM, which will be injected into the application space and install application hooks. And the last thing is the com.apple.itunesstored file,
17:44
which is the JavaScript that contains code and shellcode that can execute unsigned code. I will focus on it next. So the bug exists in the JSC binary.
18:01
The JSC binary is like a helper for JavaScriptCore, the JavaScript engine in Apple. And it can lead to unsigned code execution. In combination with the rtbuddyd trick, it can be used to completely gain persistence on the device. It exploits a bad cast in the setEarlyValue method,
18:20
and fortunately it can be triggered only from the JSC application context. So what is the problem? It exploits a problem in the JavaScript binding setImpureGetterDelegate, which has the C++ function setImpureGetterDelegate. This function takes a few arguments,
18:40
one is an ImpureGetter and the second one is a generic JSObject that will be set as this ImpureGetter's delegate. The problem will be, next slide, so we just parse two arguments and call setDelegate. setDelegate calls set, which finally calls setEarlyValue.
19:01
Here is the problem, because there is no real check that the object type passed to setImpureGetterDelegate is really an ImpureGetter. So this means that if any other object type is passed, it will be improperly downcast to an ImpureGetter pointer. That's what happens here.
19:20
So it's a bad cast that has no real check for the object type, which leads to us being able to overwrite one of the object fields. Here is the same function, but now decompiled in IDA Pro. So in our case, the ImpureGetter is the base variable here and the delegate is this generic JSObject.
19:42
We see that the pointer at base plus 16 can be overwritten with a pointer to the delegate, which means, if you look on the right at the JSArrayBufferView class, if you pass a JSArrayBufferView as the first argument, the m_vector field will be overwritten with a pointer to the delegate, which is really bad,
20:02
because it can lead to read/write primitives. To explain that, I guess I'll use two DataViews. I will call them DataView one and DataView two. And call setImpureGetterDelegate on both,
20:20
which leads to the m_vector field in the first DataView being overwritten with a pointer to the second DataView. And now, by setting and reading the values on the first DataView, we can overwrite object fields in the second. While we're at it, we can map the second DataView as the entire process memory
20:41
by overwriting the second DataView's array buffer offset to be zero, by overwriting the second DataView's length to be four gigabytes in the case of a 32-bit process, and setting the type as fast array type. So basically the second DataView is now mapped into the entire process space and we can use setInt and getInt to get arbitrary read
21:01
and write anywhere in the process memory. The same thing can be used even to get an execution primitive. But in this case, we can call setImpureGetterDelegate twice and, instead of exposing the entire process memory, we can leak just an object address.
21:20
If you can leak an object address, we can create just function that have like hundreds of empty tri-cage constructions and force G to compile it. And in this process, a special readable writeable executable memory segment will be allocated. We can leak address of this GIT segment,
21:42
overwrite it with a shellcode and execute. So this is how the bad cast can be used to like re-exploit even a kernel on each boot. It's used with a persistent mechanism which is RT-by-DD. So the problem is that system spawning RT-by-DD
22:02
service with a special early boot argument. This mean if we take any other binary signed by Apple and name it as RT-by-DD, it will be spawned on a boot. That's what Pegasus is doing. So they take GC binary which is signed by Apple, name it as RT-by-DD, then take JavaScript that contain exploit,
22:23
make it a symlink, call it early boot, which leads when the RT-by-DD will be spawned with early boot, it will call JSC with JS exploit instead. So with this trick and the bad cast, it's re-exploit kernel on each device boot.
22:41
There are some tricks that Pegasus uses to make it harder to reverse engineer, like use one-time links. So after you click on any of the links, they will be invalidated and now redirected to Google or other sites. It re-encrypts all the payloads each time they are downloaded just on the fly.
23:01
And, of course, it's trying to hide itself to make it look like a system component. Of course, it's blocks are your system updates to make sure you cannot patch your device just on the fly, to clear all the evidence, clear Safari history and caches,
23:22
and we even found a self-destruct mechanism that can be triggered remotely or on a timeout. So in addition to this terrifying list of supported applications, it records any microphone usage, any camera usage, GPS location, keychain passwords,
23:41
even including the Wi-Fi and the router one. Why do they need the router? I don't know. Application hooking, so how it operates: as I mentioned earlier, it uses Cydia Substrate, and with the help of Cydia Substrate, it preloads dynamic libraries into application processes and intercepts some critical functions.
24:04
It uses Cynject to inject into already running processes. So this is like a high-level picture of how it looks. So all the application-level critical functions and the framework-level critical functions are intercepted by Pegasus.
24:21
So now Pegasus can control them, can collect them, can pack them, can send them to command and control, and so on. To summarize, Pegasus is a remote jailbreak spotted in the wild. It's pretty scary because it doesn't require any user interaction, and the last similar thing
24:42
was like five years ago when comex released his JailbreakMe. This year, Luca Todesco used one of the Trident vulnerabilities for his jailbreak. I want to say a special thanks to Citizen Lab for helping us with acquiring the Pegasus sample.
25:01
All the Lookout Research and Response Team, the Divergent Security guys, and all the individual researchers who were involved in the research. There's a list of some useful links which contain a 44-page PDF report with really, really deep details on the vulnerabilities discussed, even with the difference between the 32- and 64-bit ones.
25:24
So if you're interested, please take a look. I think this is it. Do you guys have any questions?
25:45
Okay, please keep it brief. We only have some minutes left for the questions, and if there are any questions, please go to the microphones in the hall. And we start with the Signal Angel from the Internet. Thank you. Is there any way to build your app
26:01
protected from this exploit? Yes, because Pegasus used some of the known jailbreak techniques. It is possible to detect, for example, that the system partition is remounted as readable-writable. It could be one of the indicators
26:20
that some generic jailbreak is running on a device. Or check for a special file that Pegasus used, but it's better to check in general for jailbreak patches, the kernel patches. Please try to stay a bit quiet. We are still in the middle of the Q&A. If you don't have to leave now, please stay seated until afterwards.
26:42
And if you have to leave now, please do not talk. Microphone three, please. Hey, what's the user experience during this? User experience? You mean when you get a device infected by Pegasus? Well, there are no real indicators on the device
27:02
that you got something. You click on a link, your mobile web browser opens, and just closes and crashes. This is it. There are no new applications spotted among your visible applications and so on. But in reality, it's running three new system services,
27:24
but they're not visible to a user. Thank you. And please, another question from the internet. Thank you. Have you any idea how active this exploit is in the wild? Say it again, please. Have you any idea how active this exploit
27:40
is in the wild? I'm sure it was a very targeted attack because this exploit is pretty expensive. For example, Zerodium pays one half million for a remote jailbreak like this. So I don't think the authors of this spyware
28:02
want to make this malware accessible for everyone, so I think these are very, very targeted attacks. It's hard to predict how many devices were infected by Pegasus. Now we know about the Mansoor one. So again, I think it's very, very dangerous
28:20
because it's very expensive. Thank you for this answer. Microphone number five, please. Hi, do you have any more information on NSO or the group that's behind it? Are they using any other software, and how widespread is this in the wild again? Yeah, so in this case we focused mostly
28:41
on the technical details of Pegasus itself, but Citizen Lab made their investigation on NSO, and NSO is like a cyber arms dealer, so please take a look at the Citizen Lab report on that; they have much more information.
29:02
Do we have a question from the internet? Am I overlooking anyone? No, then this is it. Thank you for your talk.