Analysing a Pegasus 0-click Exploit for iOS YT
Description
Are you a security researcher or reverse engineer?
For 50% off IDA Products use promo code BILLY50, https://hex-rays.com/pricing *
For 30% off IDA Training use promo code BILLY30, https://hex-rays.com/training **
*License discounts are only valid for individuals, not corporations. Cannot be combined with any other promo code or discount.
** Cannot be combined with any other promo code or discount.
/////////////////////////////////////
Hey guys, today we're looking into the exploitation of an iOS 16.6 vulnerability. This bug was exploited in-the-wild as part of a Pegasus chain and has been publicly referred to as 'BLASTPASS'.
The bug is CVE-2023-41064 (the same libwebp flaw is tracked as CVE-2023-4863 in libwebp/Chrome): a heap buffer overflow in the lossless (VP8L) Huffman table construction when decoding WebP files, which gives the attacker a limited out-of-bounds write primitive.
In this video we'll focus only on the exploitation techniques, not the bug itself, as that has already been documented extensively online.
We'll look at how the attackers cleverly target heap allocator metadata in the target process to upgrade the basic primitive into a much more powerful use-after-free on a CFSet backing buffer. Then we'll see how they partially corrupt one of the object pointers within the set so that it points to fully controlled data, where they have prepared a fake CFReadStream object, to ultimately get code execution.
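The partial pointer corruption step is worth seeing in isolation. The following is an added toy example, not code from the video or from Ian Beer's writeup, and it does not reproduce the real iOS heap layout: a page-aligned region, the object offsets, the `obj_t` layout and the `partial_overwrite_low8` primitive are all invented for illustration. It shows why overwriting only the lowest byte of a pointer in an array of object pointers is enough to redirect it to attacker-shaped data nearby, without ever learning the ASLR-randomised upper bytes.

```c
/* Added example (constructed, not from the original description or writeup):
 * a partial (low-byte) pointer overwrite redirecting an object pointer to a
 * fake object that lives in attacker-controlled memory in the same region. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for an object with a dispatch pointer, in the spirit of
 * the fake CFReadStream the description mentions (layout is invented). */
typedef struct {
    uint64_t isa;                 /* class/type word, unused in this toy   */
    int (*callback)(void *self);  /* what the "victim" code ends up calling */
} obj_t;

static int real_callback(void *self) { (void)self; return 1; }
static int fake_callback(void *self) { (void)self; return 0x41414141; }

/* 4 KiB-aligned region: the low 12 bits of any pointer into it are fixed by
 * the object's offset, so the attacker only needs to know offsets, not the
 * randomised base address. Hypothetical offsets for the demo. */
static unsigned char region[4096] __attribute__((aligned(4096)));
#define REAL_OFF 0x40   /* legitimate object at region + 0x40 */
#define FAKE_OFF 0x80   /* attacker-controlled bytes at region + 0x80 */

/* The write primitive: replace only the least significant byte of a pointer
 * slot, leaving the seven ASLR-dependent upper bytes untouched. */
void partial_overwrite_low8(void **slot, uint8_t new_low)
{
    uintptr_t p = (uintptr_t)*slot;
    p = (p & ~(uintptr_t)0xff) | new_low;
    *slot = (void *)p;
}

/* Builds a small "set" of object pointers, optionally corrupts one slot, then
 * dispatches through it the way a consumer of the set would. Returns the
 * callback's result: 1 for the real object, 0x41414141 for the fake one. */
int run_demo(int corrupt)
{
    obj_t *real = (obj_t *)(region + REAL_OFF);
    obj_t *fake = (obj_t *)(region + FAKE_OFF);
    void *slots[3];

    memset(region, 0, sizeof region);
    real->isa = 0x1111;
    real->callback = real_callback;

    /* "Fully controlled data": bytes the attacker already placed in memory. */
    fake->isa = 0x2222;
    fake->callback = fake_callback;

    slots[0] = real; slots[1] = real; slots[2] = real;

    if (corrupt)
        partial_overwrite_low8(&slots[1], FAKE_OFF);  /* one byte changes */

    /* The victim code knows nothing of the corruption and just dispatches. */
    obj_t *target = (obj_t *)slots[1];
    return target->callback(target);
}

int main(void)
{
    printf("uncorrupted: %#x\n", run_demo(0));
    printf("corrupted:   %#x\n", run_demo(1));
    return 0;
}
```

The key property is the alignment: because the region is page-aligned and both objects sit within the first 256 bytes of it, the one-byte write deterministically lands on the fake object regardless of where the page was mapped. Real exploits have to arrange comparable adjacency through heap grooming; that grooming is the hard part, and it is what the video spends its time on.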
Thanks for watching,
~ Billy
References:
Original writeup from Ian Beer (Google Project Zero), "Blasting Past Webp" - https://projectzero.google/2025/03/blasting-past-webp.html
DarkNavy, "Exploiting the libwebp vulnerability, part 1" - https://www.darknavy.org/blog/exploiting_the_libwebp_vulnerability_part_1/
Apple, security content of iOS 16.6.1 and iPadOS 16.6.1 - https://support.apple.com/en-us/106361