webcast November, 2023

PenTest Hackfest - BLASTPASS CVE-2023-41041

In this session, Christopher Crowley discusses the recent BLASTPASS exploit chain (CVE-2023-41064 and CVE-2023-41061), attributed to NSO by CitizenLab (CA), which targets PassKit, the iOS component intended for the distribution of passes (coupons and tickets). This complex and effective exploit was discovered in the wild and required no user interaction to gain complete control of Apple mobile devices running iOS 16.6, the latest version at the time. By its nature, PassKit's pass distribution enables external entities to send unsolicited content to people. The exploit developers identified a flaw in ImageIO and Wallet which enabled remote code exploitation. The talk addresses some of the context of the ongoing campaigns attributed to NSO by CitizenLab (CA) and delves into the known details of the exploit chain. It also identifies some of the mitigation available via Lockdown Mode, which would have prevented the exploit from working, at the expense of limited user functionality.