I Learned


Pegasus, at the crossroads of technology and politics


On July 18, 2021 at 7pm, Amnesty International revealed, in an investigation carried out in collaboration with Forbidden Stories, that the Pegasus software, published by the Israeli company NSO Group, had been used to spy on political activists, journalists, members of NGOs and others. A few days later, we learned that the Moroccan state had bought the spying solution from NSO in order to wiretap many French ministers, but also Edwy Plenel, Eric Zemmour and Emmanuel Macron. This software had already been put under the spotlight in 2016 by Citizen Lab, which denounced the same kind of practices. In this article we will analyze the technical aspect of the Pegasus spyware in its iOS version.

First Revelation, 2016 - Trident

In 2016, Lookout published a whitepaper detailing the technical operation of Pegasus on iOS. The modus operandi of this spyware is relatively simple: a message containing a link is sent to the target; when the target clicks on the link, a 0day (zero-day) vulnerability is exploited on the victim's phone and the spyware installs itself.

Schematic showing a malicious link infection

In order to infect the victim's phone, the Pegasus malware uses three different vulnerabilities. The first one is CVE-2016-4657. (A CVE, short for Common Vulnerabilities and Exposures, is a publicly disclosed security vulnerability.) This CVE is a vulnerability in the way WebKit, the web page rendering engine used by iOS, interprets JavaScript, and more specifically in the arrayProtoFuncSlice function, which implements Array.prototype.slice and simply returns the portion of an array between two indices.

```javascript
var a = [1, 2, 3, 4];
var s = a.slice(1, 3); // copies elements from index 1 up to (not including) index 3
// s = [2, 3]
```

Thanks to this vulnerability, which we will not examine in detail here because of the complexity of its operation, malicious JavaScript code can write to places in memory that it should not have access to, so an attacker can execute code directly on the system from a web page.

Once this flaw is exploited, Pegasus uses a second one, CVE-2016-4655.

To understand this vulnerability, it is necessary to understand what Kernel ASLR is. When attacking a system, and more specifically when trying to pivot from kernel land to userland, it is useful to know the position (address) of the kernel in RAM; if this address were static, it would be trivial to obtain. To prevent this, there is a mechanism called KASLR (Kernel Address Space Layout Randomization). With KASLR, every time the device is rebooted, the kernel address is shifted by a random value, called the kernel slide, generated by the bootloader. This feature is not specific to iOS: it is also present on Linux, BSD (and therefore macOS) and Windows.

CVE-2016-4655 allows an attacker to compute this kernel slide, and thus the position of the kernel in RAM, which is needed to exploit the last CVE of our triptych, CVE-2016-4656.

This CVE is a Use-After-Free vulnerability: a location in memory has been freed, but its address is still referenced by the code (a dangling pointer). The exploit then manages to overwrite the object present at this address and force the execution of malicious code, which therefore runs with high privileges, in this case at kernel level. Once these privileges are acquired, Pegasus can pivot to obtain administrator privileges, jailbreak the device, install itself with these administrator privileges and thus spy on the user's conversations.

Schema showing the principle of a UAF vulnerability

In order to remain as discreet as possible, the address of the C2 (Command & Control, the central server responsible for sending commands to the phone and receiving information back from it) is hidden in a seemingly innocuous Google account authentication SMS.

Your Google Verification code is:5678429 http://gmail.com/?z=G&i=1:aalaan.tv:443,1:manoraonlinu.nut:443&s=Λ�=&�

We can see that the C2 addresses are hidden in the i parameter. According to Lookout's analysis, the last digit of the verification code corresponds to the "instruction number", here 9. Thus, even without internet access, it is possible for NSO Group to interact with an infected phone.
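As an added illustration (not code from the original article or from Lookout's report), a small parser for the SMS layout described above: it pulls the instruction number out of the verification code and the host list out of the i parameter, and returns None for a message that does not follow this layout. The sample message is constructed after the one quoted above; its trailing s value is a placeholder, since the original's last bytes are not legible.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample, modelled on the SMS quoted in the article.
# "PLACEHOLDER" stands in for the s value, which is not legible in the original.
SAMPLE_SMS = ("Your Google Verification code is:5678429 "
              "http://gmail.com/?z=G&i=1:aalaan.tv:443,1:manoraonlinu.nut:443"
              "&s=PLACEHOLDER")

CODE_RE = re.compile(r"[Vv]erification code is:\s*(\d+)")
URL_RE = re.compile(r"https?://\S+")


def parse_c2_sms(text):
    """Return (instruction_number, [(flag, host, port), ...]) for a message
    in the Pegasus 'verification code' layout, or None if it does not match.

    A genuine verification SMS carries no URL with a host list, so a
    successful parse is itself the signal a defender is looking for."""
    code_m = CODE_RE.search(text)
    url_m = URL_RE.search(text)
    if not code_m or not url_m:
        return None
    # Per Lookout, the last digit of the code is the "instruction number".
    instruction = int(code_m.group(1)[-1])
    query = parse_qs(urlparse(url_m.group(0)).query)
    if "i" not in query:
        return None
    servers = []
    for entry in query["i"][0].split(","):
        parts = entry.split(":")           # expected layout: flag:host:port
        if len(parts) != 3 or not parts[2].isdigit():
            return None                    # not the layout we expect
        servers.append((parts[0], parts[1], int(parts[2])))
    return instruction, servers


def looks_like_pegasus_c2_sms(text):
    """Boolean wrapper suitable for scanning an exported message list."""
    return parse_c2_sms(text) is not None
```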

To achieve its goals, Pegasus uses three different 0days! This shows the high degree of sophistication of the Israeli firm's software. The use of three 0day flaws also shows that the financial means invested to create Pegasus are considerable.

CVE-2016-4657 provides an RCE, then CVE-2016-4655 allows the kernel slide to be found. Finally, CVE-2016-4656 allows the device to be jailbroken and Pegasus to be installed.

A business of sprawling proportions, 2021 - Megalodon

On June 18, 2021, Amnesty International's investigative unit revealed in a [whitepaper](https://www.amnesty.org/en/latest/research/2021/07/forensic-methodology-report-how-to-catch-nso-groups-pegasus/) the new operating mode of Pegasus, and in particular the existence of the so-called '0click' (zero-click) vulnerability. This vulnerability allows an attacker to infect a phone through a simple iMessage. Amnesty was able to recover from iCloud backups a number of email addresses corresponding to the iCloud accounts used to infect the target phones.

To camouflage itself, Pegasus uses names for its processes that are very similar to those used by iOS.

Here are some examples:

| Process name used by Pegasus | Original process name |
| --- | --- |
| ABSCarryLog | ASPCarryLog |
| aggregatenotd | aggregated |
| ckkeyrollfd | ckkeyrolld |
| com.apple.Mappit.SnapshotService | com.apple.MapKit.SnapshotService |
| com.apple.rapports.events | com.apple.rapport.events |
| CommsCenterRootHelper | CommCenterRootHelper |
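An added detection example, not from the article or from Amnesty's tooling: given a list of process names observed on a device, flag any name that is not exactly a known legitimate iOS process name but sits within a few edits of one. The known-good list here is just the right-hand column of the table above; a real check would use a full inventory of the iOS version in question, and the edit-distance threshold of 3 is an assumption chosen to cover every row of the table.

```python
# Legitimate iOS process names, taken from the table above. A real
# inventory would be much longer; this is only the article's sample.
KNOWN_GOOD = {
    "ASPCarryLog", "aggregated", "ckkeyrolld",
    "com.apple.MapKit.SnapshotService", "com.apple.rapport.events",
    "CommCenterRootHelper",
}


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,             # delete ca
                           cur[j - 1] + 1,          # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def find_lookalikes(observed, known_good=KNOWN_GOOD, max_distance=3):
    """Return [(observed_name, closest_known_name, distance)] for names that
    are not a known process name yet are within max_distance edits of one.

    max_distance=3 is an assumption: it is the largest gap in the article's
    table (aggregatenotd vs aggregated). Exact matches are never flagged."""
    hits = []
    for name in observed:
        if name in known_good:
            continue
        closest = min(known_good, key=lambda k: levenshtein(name, k))
        d = levenshtein(name, closest)
        if d <= max_distance:
            hits.append((name, closest, d))
    return hits
```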

The Amnesty Security Lab was also able to detect that applications like Apple Music were used as attack vectors.

vx-underground published files that they claim are the Android version of Pegasus; however, the company ZecOps analyzed these files and concluded that, according to them, they do not belong to Pegasus.

All of these new techniques remain relatively unclear: Amnesty International was unable to recover the Pegasus binary to analyze it, as it was encrypted. Without this reverse engineering, no CVE could be published.

Beyond the technique

The following paragraph, more political in nature, is an editorial: it reflects only the opinion of its author.

Beyond the technical aspect, this case is above all political. It shows once again that, in the era of an increasingly computerized and globalized world, it is easy for the intelligence services of anti-democratic states - such as Morocco, which according to Amnesty International bought its solution from NSO Group - to spy on just about anyone at the other end of the planet. The Pegasus affair also shows that, despite the general public's opposition to the surveillance of electronic communications, the governments of the various countries continue to carry out these practices in the greatest secrecy. This gap between the opinion of the majority of the population and the decisions taken by our governments is a sign of the failure of our political systems.
