Kaspersky researchers have laid out the details of the vulnerabilities that lay behind 2023’s Triangulation attack campaign.
In July, Apple rushed out patches for Triangulation-associated vulnerabilities, CVE-2023-32434 and CVE-2023-32435, which Kaspersky had associated with the campaign, but with limited technical detail.
CVE-2023-38606, also patched in July, allowed an app to alter kernel state, and was also part of Triangulation.
In a blog post, Kaspersky explained that “the attack started with an invisible iMessage, which contained a malicious attachment that was processed without the user’s knowledge” and “did not require any actions from the user”.
In an associated presentation at the Chaos Computer Conference (CCC) held in Germany before the new year, Kaspersky researchers Georgy Kucherin, Leonid Bezvershenko and Boris Larin said they were able to analyse Triangulation because several iPhones belonging to Kaspersky staff were compromised.
Zero-click attack
Initial compromised was achieved via one of two vectors, Larin (@oct0xor) said.
On older devices, the attack used an ancient, undocumented TrueType instruction, fnt_Adjust, which Larin said has existed since at least the 1990s (CVE-2023-41990); and a pointer authentication code (PAC) vulnerability affecting newer iPhones.
He said Apple “silently” removed the TrueType instruction from iOS 16.3 and MacOS 13.2 in January 2023; and iOS 15 and MacOS 12 in July 2023, after Kaspersky reported it to the vendor.
The initial compromise was delivered via a malicious iMessage that worked without clicks, and was followed by an exploit for CVE-2023-32434, a kernel privilege escalation.
Triangulation exploited integer overflows in the XNU kernel’s memory mapping syscalls, a technique Larin described as “easy” and “extremely reliable” to exploit.
Secret hardware addresses
While all of the vulnerabilities were zero-day bugs when patched, one attracted particular attention, because it turned out to be an undocumented hardware vulnerability.
Larin described the bug as “insane”, saying it’s a hardware feature in Apple’s A12 to A16 Bionic system-on-chip (SoC).
The feature, he said, allows attackers to “bypass the hardware-based kernel memory protection” in target iPhones, if they write data to “unknown memory-mapped input-output (MIMO) hardware registers” that Apple’s firmware doesn’t use.
Larin said the research team found six undocumented MIMO addresses used by the Triangulation exploit, which “basically, bypass all hardware-based kernel memory protections”.
He said they appear to be ARM/Apple CoreSight debug registers for GPUs, since they’re nearby identified MIMO registers.
In a statement, Larin said that "due to the closed nature of the iOS ecosystem, the discovery process was both challenging and time-consuming.”
Apple’s fix was via a memory mapping block-list in its device tree.
