FORCEDENTRY

FORCEDENTRY
CVE标识符	CVE-2021-30860; CVE-2021-30858;
补丁发布日期	2021年9月
发现者	公民实验室Bill Marczak
受影响软件	苹果CoreGraphics（Quartz）; iOS（版本v14.8之前）; macOS （macOS版本Big Sur 11.6、Catalina Security Update 2021-005之前）; watchOS（版本v7.6.2之前）;

FORCEDENTRY，也作ForcedEntry（意为“强行进入”），是一个据称由NSO集团开发的安全漏洞，用于部署其飞马间谍软件。^[2]^[3]其可实现普遍存在于iOS 13及更低版本的“零点击”漏洞的利用程序，同时也破坏了苹果设置在iOS 14及更高版本中的“BlastDoor”安全措施。2021年9月，苹果发布了多个设备系列的新版本操作系统，其中包含针对该漏洞的修补程序。^[1]^[4]

漏洞利用

该漏洞由公民实验室发现，^[2]其在报告中称，该漏洞已被用于针对政治异议人士和人权活动家。^[5]FORCEDENTRY似乎与先前被国际特赦组织检测到并命名为“Megalodon”的攻击相同。^[6]

该漏洞利用以PDF文件伪装成GIF文件，将JBIG2（英语：JBIG2）编码的数据注入在苹果的CoreGraphics系统中以引发整数溢出，^[7]^[8]绕过了苹果为消息内容设置的“BlastDoor”沙盒。BlastDoor作为iOS 14的组成引入，旨在防御另一个零点击漏洞KISMET。^[2]^[9]^[10]FORCEDENTRY漏洞被赋予的CVE标识符为CVE-2021-30860。^[8]2021年12月，谷歌的Project Zero团队基于与苹果的安全工程与架构（SEAR）小组的合作，发表了该漏洞的技术分析。^[11]^[12]

Project Zero团队对该漏洞的描述如下：

JBIG2没有脚本功能，但当与漏洞结合使用时，它的确能够模拟在任意内存上运行的任意逻辑门电路。那么怎么不直接用它来构建一个自己的计算机架构再写脚本！？这正就是该漏洞利用所为。他们使用超过70,000个定义逻辑位运算的段命令，定义了一个小计算机架构，其功能包括寄存器和一个完整的64位加法器和比较器，他们使用这些功能来搜索内存并执行算术运算。它没有Javascript那么快，但是在计算上是基本等效的。沙盒逃逸漏洞利用程序的引导操作被编写为在这个逻辑电路上运行，整个过程都在这种怪异、模拟的环境中运行，这个环境是通过JBIG2流的单次解压缩过程创建的。这非常难以置信，同时也很可怖。^[11]

根据公民实验室的说法，FORCEDENTRY漏洞存在于iOS版本14.8之前、macOS版本Big Sur 11.6和Catalina Security Update 2021-005之前，以及watchOS版本7.6.2之前。^[9]

苹果官司

2021年11月，苹果公司就FORCEDENTRY向美国加利福尼亚北区联邦地区法院对NSO集团及其母公司Q Cyber Technologies提起诉讼，请求禁令救济、补偿性赔偿、惩罚性赔偿和利润交出（英语：Disgorgement）^[13]^[14]^[15]，然而在2024年请求法院撤销诉讼。^[16]^[17]

参见

参考文献

^ ^1.0 ^1.1 ^1.2 Israeli spyware firm targeted Apple devices via iMessage, researchers say. the Guardian. 2021-09-13 [2021-09-13] （英语）.
^ ^2.0 ^2.1 ^2.2 Apple fixes iOS zero-day used to deploy NSO iPhone spyware. BleepingComputer. [2021-09-14] （美国英语）.
^ Apple patches ForcedEntry vulnerability used by spyware firm NSO. ComputerWeekly.com. [2021-09-14] （英语）.
^ Apple products vulnerable to FORCEDENTRY zero-day attack – patch now!. Naked Security. 2021-09-14 [2021-09-14] （美国英语）.
^ Marczak, Bill; Abdulemam, Ali; Al-Jizawi, Noura; Anstis, Siena; Berdan, Kristin; Scott-Railton, John; Deibert, Ron. Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits. Citizenlab. 24 August 2021 [24 August 2021].
^ Bahrain targets activists with NSO's Pegasus spyware. IT PRO. 24 August 2021 [2021-09-15] （英语）.
^ Claburn, Thomas. Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware. www.theregister.com. [2021-09-15] （英语）.
^ ^8.0 ^8.1 About the security content of macOS Big Sur 11.6. Apple Support. [2021-09-14] （英语）.
^ ^9.0 ^9.1 Marczak, Bill; Scott-Railton, John; Razzak, Bahr Abdul; Al-Jizawi, Noura; Anstis, Siena; Berdan, Kristin; Deibert, Ron. FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild. The Citizen Lab. 2021-09-13 [2021-09-13] （美国英语）.
^ New iOS Zero-Click Exploit Defeats Apple 'BlastDoor' Sandbox. www.securityweek.com. 24 August 2021 [2021-09-14].
^ ^11.0 ^11.1 Beer, Ian; Groß, Samuel. Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution. Google Project Zero. 2021-12-15 [2021-12-16].
^ Google Project Zero Goes Deep on FORCEDENTRY Exploit Used by NSO Group. 15 December 2021.
^ Kirchgaessner, Stephanie. Apple sues Israeli spyware firm NSO Group for surveillance of users. the Guardian. 2021-11-23 [2021-11-23] （英语）.
^ Apple sues NSO Group to curb the abuse of state-sponsored spyware. Apple Newsroom. 2021-11-23 [2021-11-23] （美国英语）.
^ APPLE INC., v. NSO GROUP TECHNOLOGIES LIMITED, and Q CYBER TECHNOLOGIES LIMITED (PDF). [2021-11-23].
^ Apple seeks to drop its lawsuit against Israeli spyware pioneer NSO.
^ Israel tried to frustrate US lawsuit over Pegasus spyware, leak suggests.

[the-guardian-vuln-1] 1.0 ^1.1 ^1.2 Israeli spyware firm targeted Apple devices via iMessage, researchers say. the Guardian. 2021-09-13 [2021-09-13] （英语）.

[bleepingcomputer-2] 2.0 ^2.1 ^2.2 Apple fixes iOS zero-day used to deploy NSO iPhone spyware. BleepingComputer. [2021-09-14] （美国英语）.

[3] Apple patches ForcedEntry vulnerability used by spyware firm NSO. ComputerWeekly.com. [2021-09-14] （英语）.

[4] Apple products vulnerable to FORCEDENTRY zero-day attack – patch now!. Naked Security. 2021-09-14 [2021-09-14] （美国英语）.

[5] Marczak, Bill; Abdulemam, Ali; Al-Jizawi, Noura; Anstis, Siena; Berdan, Kristin; Scott-Railton, John; Deibert, Ron. Bahraini Government Hacks Activists with NSO Group Zero-Click iPhone Exploits. Citizenlab. 24 August 2021 [24 August 2021].

[6] Bahrain targets activists with NSO's Pegasus spyware. IT PRO. 24 August 2021 [2021-09-15] （英语）.

[7] Claburn, Thomas. Apple emergency patches fix zero-click iMessage bug used to inject NSO spyware. www.theregister.com. [2021-09-15] （英语）.

[Apple-8] 8.0 ^8.1 About the security content of macOS Big Sur 11.6. Apple Support. [2021-09-14] （英语）.

[citizenlab-2021-09-13-9] 9.0 ^9.1 Marczak, Bill; Scott-Railton, John; Razzak, Bahr Abdul; Al-Jizawi, Noura; Anstis, Siena; Berdan, Kristin; Deibert, Ron. FORCEDENTRY: NSO Group iMessage Zero-Click Exploit Captured in the Wild. The Citizen Lab. 2021-09-13 [2021-09-13] （美国英语）.

[10] New iOS Zero-Click Exploit Defeats Apple 'BlastDoor' Sandbox. www.securityweek.com. 24 August 2021 [2021-09-14].

[projectzero-11] 11.0 ^11.1 Beer, Ian; Groß, Samuel. Project Zero: A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution. Google Project Zero. 2021-12-15 [2021-12-16].

[12] Google Project Zero Goes Deep on FORCEDENTRY Exploit Used by NSO Group. 15 December 2021.

[13] Kirchgaessner, Stephanie. Apple sues Israeli spyware firm NSO Group for surveillance of users. the Guardian. 2021-11-23 [2021-11-23] （英语）.

[14] Apple sues NSO Group to curb the abuse of state-sponsored spyware. Apple Newsroom. 2021-11-23 [2021-11-23] （美国英语）.

[15] APPLE INC., v. NSO GROUP TECHNOLOGIES LIMITED, and Q CYBER TECHNOLOGIES LIMITED (PDF). [2021-11-23].

[16] Apple seeks to drop its lawsuit against Israeli spyware pioneer NSO.

[17] Israel tried to frustrate US lawsuit over Pegasus spyware, leak suggests.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

[13]

[14]

[15]

[16]

[17]