# CVE-2023-41064

iOS · 0-click · Critical

BLASTPASS ImageIO 0-click

| field | value |
|---|---|
| affected | ≤ 16.6 |
| disclosed | 2023-09-07 |
| discovered | 2023-09-05 |
| patched | 2023-09-07 (iOS 16.6.1) |
| author | Citizen Lab |
| platform | iOS |

## description

A buffer overflow in ImageIO, triggered when it parses a maliciously crafted image delivered as a PassKit attachment in iMessage. Exploited by NSO Group as part of the BLASTPASS chain to deliver Pegasus with no user interaction.

## impact

Zero-click RCE via iMessage. No user interaction required. Bypasses BlastDoor.

## mitigation

Update to iOS 16.6.1 or later. Lockdown Mode blocks PassKit attachment processing, closing the iMessage delivery path.
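The mitigation above is patch-and-configure on the device; a mail or MDM gateway can additionally triage inbound `.pkpass` bundles before they reach a handset. The Python below is an added example, not code from this page, from Citizen Lab, or from Apple. It opens a `.pkpass` (a ZIP bundle), identifies members that are WebP by their RIFF magic rather than by file extension, lists each one's chunk FourCCs, and flags lossless `VP8L` payloads, the chunk type this page's proof-of-concept names. The sample bundle, the `FLAGGED_CHUNKS` set, and the helper names are constructed for the demonstration; the WebP blobs are header-only stubs, not decodable images.

```python
"""Triage helper for PassKit (.pkpass) attachments (added example).

Flags bundle members that are WebP images carrying a VP8L chunk so they can
be routed to sandboxed handling. Detection is by magic bytes, not extension,
because a renamed image is processed by ImageIO all the same.
"""
import io
import struct
import zipfile
from typing import Dict, List, Optional

# Assumption for this example: chunk types a gateway wants to quarantine.
FLAGGED_CHUNKS = {b"VP8L"}


def webp_chunks(data: bytes) -> Optional[List[str]]:
    """Return the chunk FourCCs of a RIFF/WebP blob, or None if not WebP."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return None
    riff_size = struct.unpack("<I", data[4:8])[0]
    end = min(len(data), 8 + riff_size)  # never trust the declared size
    chunks: List[str] = []
    pos = 12
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        chunks.append(fourcc.decode("ascii", "replace"))
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    return chunks


def triage_pkpass(blob: bytes) -> Dict[str, object]:
    """Inspect every member of a .pkpass ZIP and report WebP chunk types."""
    result: Dict[str, object] = {"members": [], "webp": {}, "flagged": []}
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for info in zf.infolist():
            result["members"].append(info.filename)
            chunks = webp_chunks(zf.read(info.filename))
            if chunks is None:
                continue
            result["webp"][info.filename] = chunks
            if any(c.encode() in FLAGGED_CHUNKS for c in chunks):
                result["flagged"].append(info.filename)
    return result


def _webp_with_chunk(fourcc: bytes, payload: bytes) -> bytes:
    """Build a minimal RIFF/WebP container around one chunk (constructed stub)."""
    pad = b"\x00" if len(payload) & 1 else b""
    chunk = fourcc + struct.pack("<I", len(payload)) + payload + pad
    body = b"WEBP" + chunk
    return b"RIFF" + struct.pack("<I", len(body)) + body


def build_sample_pkpass() -> bytes:
    """Constructed sample bundle: one real PNG header, one WebP renamed to .png."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pass.json", '{"formatVersion": 1}')
        zf.writestr("icon.png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 8)
        # Lossless WebP stub (0x2f signature byte) hiding behind a .png name.
        zf.writestr("logo.png", _webp_with_chunk(b"VP8L", b"\x2f" + b"\x00" * 9))
        # Lossy WebP stub, honestly named; listed but not flagged.
        zf.writestr("thumbnail.webp", _webp_with_chunk(b"VP8 ", b"\x00" * 10))
    return buf.getvalue()


if __name__ == "__main__":
    report = triage_pkpass(build_sample_pkpass())
    for name in report["members"]:
        tag = "FLAGGED" if name in report["flagged"] else "ok"
        print(f"{tag:8} {name:16} {report['webp'].get(name, '-')}")
```

Running the module prints one line per member; `logo.png` is reported as WebP with a `VP8L` chunk and flagged despite its PNG extension, while `thumbnail.webp` is listed as lossy `VP8 ` and passes. A production gateway would act on `flagged` (quarantine, strip, or route to a detonation sandbox) rather than print.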

## proof of concept

```sh
# Forge malicious WebP with VP8L huffman overflow
python3 forge_webp.py --huff-overflow 0x4141 --out blast.webp
python3 wrap_pkpass.py --payload blast.webp --recipient target@icloud
```