Description
On December 27, 2023, Boris Larin presented Operation Triangulation at the 37th Chaos Communication Congress (37C3). The talk detailed the results of a long-term research project into this sophisticated zero-click iMessage attack, which chained four zero-day vulnerabilities and worked against iOS versions up to 16.2. The chain began with a malicious iMessage attachment that exploited a remote code execution vulnerability in the undocumented ADJUST TrueType font instruction (CVE-2023-41990). It then used return/jump oriented programming to set up a privilege escalation exploit running inside the JavaScriptCore library, which manipulated JavaScriptCore's memory and executed native API functions from script. To gain full control over the device, the attackers abused an unknown hardware feature of Apple-designed SoCs that let them write data to a chosen physical address while bypassing the hardware-based memory protection, and ultimately loaded spyware onto the device.