Recon 2025 - A Trip to Ancient BABYLON: Unearthing a 2017 Pegasus Persistence Exploit

Описание: Recon 2025 - A Trip to Ancient BABYLON: Unearthing a 2017 Pegasus Persistence Exploit

Presenters: Daniel Roethlisberger and Bill Marczak

In mid-2024, we noticed an interesting upload to VirusTotal: an old sample of NSO Group’s Pegasus spyware designed for iOS 10. We quickly realized that the sample was calibrated to a specific victim device, and might contain an exploit. Through static analysis, we identified three ROP/JOP chains, and sketched a rough idea of the vulnerability. But without a match for the specific device, had to dig deeper to unlock all of the exploit’s secrets.
This talk will describe how we emulated enough of iOS 10 to load the vulnerable executables and their address spaces in a historically accurate manner, matching the victim’s hardware. We will describe our investigation, which revealed a heretofore un-published novel Pegasus persistence exploit from 2017. We will analyze the root-cause of the vulnerability, detail how the exploit leveraged it to gain code execution after boot, and explain how the vulnerability was (silently) mitigated. We will also describe a curious case of code reuse we identified that raises interesting questions about exploit supply chains: we were able to establish that a second threat actor likely used the same persistence exploit in 2017. Furthermore, we identified a third threat actor that shared the same post-exploit code as the first two.