Skip to content
/ CVE-2021-30860 Public

Scan for evidence of CVE-2021-30860 (FORCEDENTRY) exploit

License

MIT license
11 stars 6 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

Levilutz/CVE-2021-30860

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

18 Commits
.github/workflows
.github/workflows
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
core.py
core.py
 
 
cve_scan.py
cve_scan.py
 
 
util.py
util.py
 
 

Repository files navigation

CVE-2021-30860

CVE-2021-30860 (FORCEDENTRY) is a known vulnerability in MacOS, iOS, and WatchOS. It allows arbitrary code execution by sending a victim device a "maliciously crafted PDF".

This vulnerability was patched by Apple on September 13, 2021 with the following versions:

  • iOS 14.8
  • OSX Big Sur 11.6, Security Update 2021-005 Catalina
  • WatchOS 7.6.2

However, it has been exploited in the wild since February 2021 or earlier.

Purpose

To detect evidence of past exploit on MacOS computers or iPhones (by scanning a local backup to a Mac). This is not meant to defend against future attack or undo effects of prior attack. This is not meant to detect past exploit on Apple Watches or iPads.

Methods

Two distinct methods are used here to detect evidence of prior exploit.

Initial attack evidence

The well-known attack vector using this vulnerability is sending malicious PDF or PSD files (falsely labelled as GIFs) via SMS. The scripts here scan a Mac's or iPhone backup's received message attachments for ".gif" files whose file signature does not match a GIF's. It's worth noting that receiving the files doesn't necessarily mean a device was compromised, espeically if the file(s) were received after the security update was installed to the device.

Imperfect cleanup

The attacks NSO Group carried out using this vulnerability had at least one bug in their cleanup phase. Evidence is left on an iPhone as an inconsistency in a particular sql database. Citizenlab demonstrated a simple SQL query on this database that can detect the relevant inconsistency.

Requirements

Required for all scans

  • A computer running MacOS 11.0 or higher.
  • A Python 3 installation.

Required only for iPhone scans

Preparation and Usage

  1. Ensure all requirements met.
  2. Download this repository and navigate to its folder in the terminal.
  3. Run python3 cve_scan.py to scan using default options, or python3 cve_scan.py -h for help.

Examples

  1. Scan this Mac only: python3 cve_scan.py --mode mac
  2. Scan an iPhone backup only: python3 cve_scan.py --mode iphone
  3. Scan an iPhone messages only: python3 cve_scan.py --mode iphone --method attachments
  4. Scan an iPhone datausage db only: python3 cve_scan.py --mode iphone --method datausagedb
  5. Scan the most recent iPhone backup: python3 cve_scan.py --mode iphone --backups newest

References

About

Scan for evidence of CVE-2021-30860 (FORCEDENTRY) exploit

Resources

Readme

License

MIT license
Activity

Stars

11 stars

Watchers

3 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages