
Scan for evidence of CVE-2021-30860 (FORCEDENTRY) exploit


CVE-2021-30860

CVE-2021-30860 (FORCEDENTRY) is a known vulnerability in macOS, iOS, iPadOS, and watchOS. It is an integer overflow in CoreGraphics that allows arbitrary code execution when a victim device processes a "maliciously crafted PDF"; in the wild the file was delivered as a message attachment, so the victim did not have to open anything.

This vulnerability was patched by Apple on September 13, 2021 in the following releases:

  • iOS 14.8 and iPadOS 14.8
  • macOS Big Sur 11.6, and Security Update 2021-005 Catalina
  • watchOS 7.6.2

However, it had been exploited in the wild since at least February 2021, so a device that is fully patched today may still carry traces of an earlier compromise.

Purpose

To detect evidence of past exploitation on macOS computers, or on iPhones by scanning a local iPhone backup stored on a Mac. This is not meant to defend against future attacks or to undo the effects of a prior attack, and it is not meant to detect past exploitation of Apple Watches or iPads.

Methods

Two distinct methods are used here to detect evidence of prior exploitation.

Initial attack evidence

The well-known attack vector for this vulnerability is sending malicious PDF or PSD files, falsely labelled as GIFs, via iMessage. The scripts here scan a Mac's received message attachments, or those contained in an iPhone backup, for ".gif" files whose file signature does not match a GIF's. Receiving such files does not by itself mean the device was compromised, especially if the file(s) were received after the security update was installed on the device.
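The check described above, written out as an added example (this is not the cve_scan.py code from this repository). It walks a directory of attachments and flags every file named *.gif whose leading bytes are not a GIF signature, reporting whether the content looks like PDF or PSD data. The sample files written by demo() are constructed for this example; the attachment directory layout it assumes (files under their original names, as in ~/Library/Messages/Attachments on a Mac) is noted in the code, because files inside a Finder/iTunes iPhone backup are stored under hashed names and must first be mapped through the backup's Manifest.db.

```python
"""Magic-byte check for message attachments that claim to be GIFs.

Added example, not the cve_scan.py code from this repository.  It shows
the kind of check the "attachments" method performs: walk a directory of
received attachments and flag every *.gif whose leading bytes are not a
GIF signature.  All sample files written by demo() are constructed.
"""
import os
import tempfile
from pathlib import Path

# A real GIF begins with "GIF87a" or "GIF89a".  The FORCEDENTRY attachments
# described by Citizen Lab carried a .gif name but were PDF or Adobe
# Photoshop (PSD) data, whose signatures are "%PDF-" and "8BPS".
GIF_MAGICS = (b"GIF87a", b"GIF89a")
OTHER_MAGICS = {b"%PDF-": "PDF", b"8BPS": "PSD"}


def classify(head: bytes) -> str:
    """Classify a file by its first bytes: 'GIF', 'PDF', 'PSD' or 'UNKNOWN'."""
    if head.startswith(GIF_MAGICS):
        return "GIF"
    for magic, name in OTHER_MAGICS.items():
        if head.startswith(magic):
            return name
    return "UNKNOWN"


def suspicious_gifs(root) -> list:
    """Return (path, detected_type) for every file under `root` whose name
    ends in .gif (any case) but whose content is not GIF data.

    Assumes attachments are stored under their original names, as in
    ~/Library/Messages/Attachments on a Mac.  In a Finder/iTunes iPhone
    backup the files are stored under hashed names, so the original paths
    must first be looked up in the backup's Manifest.db.
    """
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".gif":
            continue
        with path.open("rb") as fh:
            head = fh.read(8)  # longest signature tested is 6 bytes
        kind = classify(head)
        if kind != "GIF":
            hits.append((str(path), kind))
    return sorted(hits)


def demo() -> list:
    """Write constructed sample attachments to a temp dir and scan them."""
    samples = {
        "real.gif": b"GIF89a" + b"\x00" * 26,               # genuine GIF header
        "fake_pdf.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",   # PDF data named .gif
        "fake_psd.GIF": b"8BPS\x00\x01" + b"\x00" * 20,     # PSD data named .GIF
        "garbage.gif": b"\x00\x01\x02\x03\x04\x05\x06\x07", # unrecognised content
        "note.txt": b"not an image at all",                 # other extension, ignored
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return [(os.path.basename(p), kind) for p, kind in suspicious_gifs(tmp)]


if __name__ == "__main__":
    for name, kind in demo():
        print(f"{name}: content looks like {kind}, not GIF")
```

Only the first few bytes are read from each file, so a large attachment directory scans quickly, and a file that is neither GIF, PDF nor PSD is still reported (as UNKNOWN) rather than silently passed, since a mislabelled file of any type is worth a look.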

Imperfect cleanup

The attacks NSO Group carried out using this vulnerability had at least one bug in their cleanup phase: evidence is left on an iPhone as an inconsistency in the DataUsage SQLite database, which records per-process network usage. Citizen Lab published a simple SQL query on this database that detects the inconsistency. A hit from this query is a lead to investigate alongside the attachment scan, not proof of compromise on its own.
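An added example of the database check (not this repository's cve_scan.py and not Citizen Lab's published query verbatim). It assumes the two-table layout of DataUsage.sqlite that the check relies on: ZPROCESS holds one row per process keyed by Z_PK, and ZLIVEUSAGE holds usage rows that reference a process through ZHASPROCESS. A process row with no usage rows pointing at it is the inconsistency looked for. The usage-column names and every row inserted by build_sample_db() are constructed for this example.

```python
"""Orphaned-process check on a DataUsage-style SQLite database.

Added example, not the cve_scan.py code from this repository.  It assumes
the ZPROCESS / ZLIVEUSAGE layout of iOS's DataUsage.sqlite (ZPROCESS rows
keyed by Z_PK, ZLIVEUSAGE rows referencing them via ZHASPROCESS).  The
other column names and all rows in build_sample_db() are constructed.
"""
import sqlite3

# Each ZPROCESS row normally has ZLIVEUSAGE rows pointing at it.  A process
# row whose usage rows are gone is the inconsistency an imperfect cleanup
# can leave behind, so LEFT JOIN and keep only the rows with no match.
ORPHAN_QUERY = """
SELECT p.Z_PK, p.ZPROCNAME, p.ZBUNDLENAME
FROM ZPROCESS AS p
LEFT JOIN ZLIVEUSAGE AS u ON u.ZHASPROCESS = p.Z_PK
WHERE u.ZHASPROCESS IS NULL
ORDER BY p.Z_PK;
"""


def find_orphaned_processes(conn: sqlite3.Connection) -> list:
    """Return (Z_PK, ZPROCNAME, ZBUNDLENAME) for processes with no usage rows."""
    return conn.execute(ORPHAN_QUERY).fetchall()


def scan_datausage(path: str) -> list:
    """Open a copy of DataUsage.sqlite read-only and run the orphan check.

    Read-only URI mode keeps the scan from modifying the evidence file.
    In an iPhone backup the database sits under a hashed file name, so
    look its original path up in the backup's Manifest.db first.
    """
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return find_orphaned_processes(conn)
    finally:
        conn.close()


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory database: two healthy processes and one orphan."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE ZPROCESS (
            Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER,
            ZWIFIIN REAL, ZWWANIN REAL);
        INSERT INTO ZPROCESS VALUES (1, 'imagent',   'com.apple.imagent');
        INSERT INTO ZPROCESS VALUES (2, 'MobileSMS', 'com.apple.MobileSMS');
        -- constructed orphan: usage rows deleted, process row left behind
        INSERT INTO ZPROCESS VALUES (3, 'constructed_orphan', '');
        INSERT INTO ZLIVEUSAGE VALUES (10, 1, 4096.0, 0.0);
        INSERT INTO ZLIVEUSAGE VALUES (11, 1, 512.0, 128.0);
        INSERT INTO ZLIVEUSAGE VALUES (12, 2, 2048.0, 0.0);
        """
    )
    return conn


def demo() -> list:
    """Run the orphan check against the constructed sample database."""
    conn = build_sample_db()
    try:
        return find_orphaned_processes(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for pk, name, bundle in demo():
        print(f"ZPROCESS {pk}: {name!r} ({bundle!r}) has no ZLIVEUSAGE rows")
```

Run the check on a copy of the database rather than the original, and note that a process with several usage rows (process 1 above) produces several joined rows but is correctly excluded; only the row with no partner survives the IS NULL filter.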

Requirements

Required for all scans

  • A computer running macOS 11.0 or higher.
  • A Python 3 installation.

Required only for iPhone scans

Preparation and Usage

  1. Ensure all requirements are met.
  2. Download this repository and navigate to its folder in the terminal.
  3. Run python3 cve_scan.py to scan using default options, or python3 cve_scan.py -h for help.

Examples

  1. Scan this Mac only: python3 cve_scan.py --mode mac
  2. Scan an iPhone backup only: python3 cve_scan.py --mode iphone
  3. Scan an iPhone backup's message attachments only: python3 cve_scan.py --mode iphone --method attachments
  4. Scan an iPhone backup's DataUsage database only: python3 cve_scan.py --mode iphone --method datausagedb
  5. Scan only the most recent iPhone backup: python3 cve_scan.py --mode iphone --backups newest

References