The reproduced bug relied on inconsistent metadata that desynchronized buffer allocation from actual pixel reads. Typical levers include:
61
+
The 2025 in-the-wild bug was more specific than a generic malformed TIFF: the DNG carried **JPEG-Lossless** image data whose internal `SOF3` component count disagreed with the TIFF/DNG metadata (`SamplesPerPixel`). In practice, RawCamera could size some buffers from the outer TIFF fields and later trust the embedded JPEG-Lossless stream while decoding, yielding the out-of-bounds write fixed in **iOS 18.6.2 / iPadOS 18.6.2 on August 20, 2025**.
62
+
63
+
That gives auditors a much tighter triage rule than "mutate random tags":
If `SamplesPerPixel` and the `SOF3` component count diverge, you are very close to the exact primitive discussed publicly for CVE-2025-43300. Typical adjacent levers still worth fuzzing once you have the parsing path are:
62
76
63
77
-**Tile/strip descriptors**: Set `TileByteCounts`/`StripByteCounts` to realistic values but increase `TileOffsets` to point beyond the allocated buffer.
64
78
-**Sub-IFD chains**: Embed secondary images with conflicting `ImageWidth`/`ImageLength` and `BitsPerSample` so RawCamera computes a small buffer while later stages trust attacker-controlled dimensions.
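Review bot: the new triage rule "If `SamplesPerPixel` and the `SOF3` component count diverge, you are very close to the exact primitive discussed publicly for CVE-2025-43300" is asserted without a source in this hunk, while the Quarkslab patch analysis only appears in the References hunk; cite it inline so the component-count claim is traceable, and soften "you are very close to the exact primitive" to something like "this is the inconsistency described for CVE-2025-43300". The same mismatch is more useful stated as a concrete defensive check than as a fuzzing hint: read `SamplesPerPixel` from the outer TIFF/DNG IFD, locate the `SOF3` marker in the embedded JPEG-Lossless stream, and flag the file when the two component counts differ; that is exactly the kind of cross-field consistency rule the structural-detection page linked later in this commit is meant to collect, so consider adding it there too.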
@@ -88,6 +102,15 @@ Each crash in `RawCamera` gives you a new primitive. The published PoC achieved
88
102
89
103
Because every step is automatic, the attacker only needs the victim’s phone number. No notifications, banners, or prompts are shown on the target device.
90
104
105
+
## Recent Apple parser-chain patterns worth reusing
106
+
107
+
This WhatsApp → DNG → RawCamera chain fits the same design pattern seen in recent Apple zero-click campaigns: find an **alternate attachment wrapper** that reaches a less constrained parser, then weaponize a file format that the OS eagerly previews.
108
+
109
+
-**BLASTPASS (September 7, 2023 / iOS 16.6.1)**: Citizen Lab reported malicious **PassKit** attachments containing images, and Apple patched `Wallet` (`CVE-2023-41061`) plus `ImageIO` (`CVE-2023-41064`). Project Zero's later analysis showed why this matters operationally: the attacker did not just need a parser bug, but also a container that moved image parsing outside the normal BlastDoor path into a different process. When auditing messaging apps, enumerate every attachment type that triggers background previews in helper daemons (`.pkpass`, contact cards, sticker bundles, inline HTML, QuickLook previews), not just obvious image attachments.
110
+
-**TRIANGULATION (patched in iOS 15.7.8 on July 24, 2023, with the mainline fix already in iOS 16.3)**: Kaspersky showed that a malicious iMessage attachment hit the undocumented Apple-only `ADJUST` TrueType instruction (`CVE-2023-41990`). The practical lesson is that **fonts are image-parser cousins** for zero-click work: rich-text previews, font fallback, and thumbnail generation can all become parser entry points even when the app claims to only support "documents" or "stickers".
111
+
112
+
The repeating audit question is therefore: **which message types cause silent parsing in a process other than the obvious chat renderer?** That is usually where the chain begins. For sample triage and cross-field consistency checks once you have a suspicious file, reuse [this generic structural file-format detection page](../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md).
113
+
91
114
## Samsung vendor image parser parallels
92
115
93
116
Samsung’s bulletin for CVE-2025-21043 confirmed that their proprietary image parsing stack (used by Gallery, Messages, and also indirectly by WhatsApp) suffered an **out-of-bounds write** reachable through untrusted media. The exploitation methodology mirrors the Apple chain:
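Review bot: the two new bullets cite Citizen Lab (BLASTPASS) and Kaspersky (TRIANGULATION) by name, but this commit adds neither report to the References section (only the Project Zero WebP post is added), so the primary sources should be linked. The relative link in "reuse [this generic structural file-format detection page](../../generic-methodologies-and-resources/basic-forensic-methodology/specific-software-file-type-tricks/structural-file-format-exploit-detection.md)" must resolve from this file's location; verify the path exists in the repo before merging, since a broken relative link renders as dead text. Minor: the closing audit question ("which message types cause silent parsing in a process other than the obvious chat renderer?") would be more actionable with its defensive takeaway stated plainly, namely that font, rich-text and thumbnail generation in helper daemons should be treated as the same trust boundary as image decoders when reviewing attachment handling and when deciding what to log or sandbox.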
@@ -109,5 +132,7 @@ Once an OOB write exists in the vendor parser, combining it with the WhatsApp au
109
132
## References
110
133
111
134
-[DNGerousLINK: A Deep Dive into WhatsApp 0-Click Exploits on iOS and Samsung Devices](https://media.ccc.de/v/39c3-dngerouslink-a-deep-dive-into-whatsapp-0-click-exploits-on-ios-and-samsung-devices)
135
+
-[Project Zero: Blasting Past WebP](https://projectzero.google/2025/03/blasting-past-webp.html)
136
+
-[Quarkslab: Reverse engineering of Apple's iOS 0-click CVE-2025-43300](https://blog.quarkslab.com/patch-analysis-of-Apple-iOS-CVE-2025-43300.html)
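Review bot: this hunk adds the Project Zero and Quarkslab entries, but the body text added in the same commit also relies on Citizen Lab's BLASTPASS report and Kaspersky's Operation Triangulation research, which remain uncited; add both here so every vendor, date and CVE attribution in the new paragraphs has a source. The Quarkslab URL slug uses mixed case (`patch-analysis-of-Apple-iOS-CVE-2025-43300.html`); confirm the exact path against the published post, since a case-sensitive server will 404 on a wrong slug. The two new entries already match the existing CCC entry's `-[Title](URL)` format, so keep that style for any further additions.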