Saturday, January 25, 2025
HomeAppleOperation Triangulation: 0-click Attack Chained With 4 Zero-Days to Hack iPhones

Operation Triangulation: 0-click Attack Chained With 4 Zero-Days to Hack iPhones

Published on

SIEM as a Service

Follow Us on Google News

Hackers exploit Zero-Days because these vulnerabilities are unknown to software developers, making them valuable for launching attacks before developing patches. 

Zero-day exploits provide an opportunity to:-

  • Compromise systems
  • Gain unauthorized access
  • Cause significant damage
  • Steal sensitive information

Cybersecurity researchers at Securelist recently discovered a malicious operation dubbed “Triangulation,” in which threat actors exploit the 0-click iMessage attack using four zero-days to hack iPhones.

Zero-days discovered

Here below, we have mentioned all the four zero-days that were discovered:-

Attack chain

Attackers send a harmful iMessage attachment that exploits a code execution vulnerability (CVE-2023-41990) in Apple’s ADJUST TrueType font.

It employs return/jump-oriented programming and multiple stages in NSExpression/NSPredicate language. It patches JavaScriptCore to run a privilege escalation exploit in obfuscated JavaScript, totaling around 11,000 lines.

The exploit leverages DollarVM to control JavaScriptCore’s memory and execute native API functions.

It was designed for both old and new iPhones, and for the recent models, it bypasses the PAC.

Meanwhile, the CVE-2023-32434 is exploited to gain read/write access via XNU’s syscalls. However, to bypass the Page Protection Layer, it uses the MMIO registers, which CVE-2023-38606 mitigated.

Attack chain
Attack chain (Source – Securelist)

Technical analysis

SoC peripheral devices have MMIO registers mapped via DeviceTree. Operation Triangulation exploit targets unknown MMIOs in Apple A12–A16 Bionic SoCs at:-

  • 0x206040000
  • 0x206140000
  • 0x206150000

Despite extensive searches, no references were found in device tree files, source code, firmware, or kernel images. SoC has MMIO ranges at:-

  • 0x206400000–0x20646C000
  • 0x206050000–0x206050008

Exploit uses the following unknown addresses mainly within gfx-asc regions, hinting at GPU coprocessor:-

  • 0x206040000
  • 0x206140008
  • 0x206140108
  • 0x206150020
  • 0x206150040
  • 0x206150048
Correlation of the gfx-asc MMIO ranges
Correlation of the gfx-asc MMIO ranges (Source – Securelist)

Here, the device tree and pmgr utility was used to find the GFX register in the power manager MMIO range. Through the SERROR Exception, the GPU coprocessor involvement was confirmed. 

The 0x206040000 register was explored during the exploit stages, and it’s been identified CoreSight MMIO debug registers for the GPU coprocessor.

The ml_dbgwrap_halt_cpu function was discovered in the XNU source code and recognized the purpose of unknown registers, like 0x206150020 for A15/A16 Bionic SoCs. 

For page table patching, the PPL bypass hardware feature was revealed and exploited for kernel debugging on iPhones.

Moreover, the m1n1 tool used to trace MMIO registers on M1 found no usage by macOS and shared similarity with 37C3 presentation on Blu-ray drive vulnerability. 

The iOS 16.6 fix was mitigated by adding MMIO ranges to the device tree and the Pmap-io-ranges in the device tree used by XNU to control physical address mapping.

Unusual vulnerability puzzles the researchers, as the origin and purpose of unknown hardware features confuse the experts; however, it’s unclear if Apple or a third party designed it. 

This flaw exposes the uselessness of the advanced hardware protections against smart attackers. Besides this, hardware security leans on “security through obscurity,” which is a flawed approach.

Tushar Subhra
Tushar Subhra
Tushar is a Cyber security content editor with a passion for creating captivating and informative content. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news.

Latest articles

Subaru’s STARLINK Connected Car’s Vulnerability Let Attackers Gain Restricted Access

In a groundbreaking discovery on November 20, 2024, cybersecurity researchers Shubham Shah and a...

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

Juniper Routers Exploited via Magic Packet Vulnerability to Deploy Custom Backdoor

A sophisticated cyber campaign dubbed "J-magic" has been discovered targeting enterprise-grade Juniper routers with...

API Security Webinar

Free Webinar - DevSecOps Hacks

By embedding security into your CI/CD workflows, you can shift left, streamline your DevSecOps processes, and release secure applications faster—all while saving time and resources.

In this webinar, join Phani Deepak Akella ( VP of Marketing ) and Karthik Krishnamoorthy (CTO), Indusface as they explores best practices for integrating application security into your CI/CD workflows using tools like Jenkins and Jira.

Discussion points

Automate security scans as part of the CI/CD pipeline.
Get real-time, actionable insights into vulnerabilities.
Prioritize and track fixes directly in Jira, enhancing collaboration.
Reduce risks and costs by addressing vulnerabilities pre-production.

More like this

Android Kiosk Tablets Vulnerability Let Attackers Control AC & Lights

A security flaw found in Android-based kiosk tablets at luxury hotels has exposed a...

CISA Releases Six ICS Advisories Details Security Issues

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued six Industrial Control Systems (ICS)...

PayPal Fined $2 Million Fine For Violating Cybersecurity Regulations

The New York State Department of Financial Services (NYDFS) has imposed a $2 million...