Scan for evidence of CVE-2021-30860 (FORCEDENTRY) exploitation

# CVE-2021-30860
CVE-2021-30860 (FORCEDENTRY) is a known vulnerability in macOS, iOS, iPadOS, and watchOS. It allows arbitrary code execution when a victim device processes a "maliciously crafted PDF".
This vulnerability was patched by Apple on September 13, 2021 with the following versions:
* iOS 14.8 and iPadOS 14.8
* macOS Big Sur 11.6, Security Update 2021-005 Catalina
* watchOS 7.6.2
However, it had been exploited in the wild since at least February 2021, so a device can have been compromised long before the patch was available.
## Purpose
To detect evidence of past exploitation on macOS computers, or on iPhones by scanning an unencrypted local backup of the phone stored on a Mac.
This is _not_ meant to defend against future attacks or to undo the effects of a prior attack. It is also _not_ meant to detect past exploitation on Apple Watches or iPads.
## Methods
Two distinct methods are used here to detect evidence of prior exploit.
### Initial attack evidence
The well-known attack vector using this vulnerability is delivering malicious PDF or PSD files (falsely labelled as GIFs) via iMessage. The scripts here scan a Mac's, or an iPhone backup's, received message attachments for ".gif" files whose [file signature](https://en.wikipedia.org/wiki/List_of_file_signatures) does not match a GIF's. Note that receiving such files does not necessarily mean the device was compromised, especially if the file(s) were received after the security update was installed on the device.
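The following is an added illustration of the attachment check, not code from this repository: it walks a directory of message attachments, reads the first bytes of every `.gif` file, and reports those whose header is not a GIF signature, classifying known disguises (PDF, PSD) by their own magic bytes. The `demo()` function builds a constructed sample tree in a temporary directory; the default attachments path under `~/Library/Messages/Attachments` is the usual macOS location but is an assumption about your system, not something the scripts above guarantee.

```python
import sys
import tempfile
from pathlib import Path

# Magic bytes at offset 0. GIF has two valid signatures; PDF and PSD are the
# disguised payload types Citizen Lab reported for FORCEDENTRY attachments.
SIGNATURES = {
    "gif": (b"GIF87a", b"GIF89a"),
    "pdf": (b"%PDF-",),
    "psd": (b"8BPS",),
}


def identify(header: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if no signature matches."""
    for kind, magics in SIGNATURES.items():
        if any(header.startswith(m) for m in magics):
            return kind
    return "unknown"


def scan_attachments(root) -> list:
    """Return (path, detected_type) for every *.gif file whose header is not a GIF.

    Only the extension is trusted from the filename; the type comes from the bytes.
    Unreadable files are skipped rather than aborting the scan.
    """
    findings = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() != ".gif":
            continue
        try:
            with path.open("rb") as f:
                header = f.read(8)
        except OSError:
            continue
        kind = identify(header)
        if kind != "gif":
            findings.append((str(path), kind))
    return findings


def demo() -> dict:
    """Constructed sample attachments (not real captures); returns name -> detected type."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "real.gif": b"GIF89a" + bytes(16),                      # genuine GIF header
        "disguised_pdf.gif": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",  # PDF labelled .gif
        "disguised_psd.gif": b"8BPS\x00\x01" + bytes(20),       # PSD labelled .gif
        "photo.jpg": b"\xff\xd8\xff\xe0" + bytes(16),           # not .gif, ignored
        "empty.gif": b"",                                       # truncated, flagged unknown
    }
    for name, data in samples.items():
        (root / name).write_bytes(data)
    return {Path(p).name: kind for p, kind in scan_attachments(root)}


if __name__ == "__main__":
    # Assumed default location of Messages attachments on macOS; override via argv.
    target = sys.argv[1] if len(sys.argv) > 1 else Path.home() / "Library/Messages/Attachments"
    for path, kind in scan_attachments(target):
        print(f"{kind:8} {path}")
```

A hit means only that a mislabelled file was received; compare the attachment's receipt date against the date the device was updated before treating it as evidence of compromise.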
### Imperfect cleanup
The attacks NSO Group carried out using this vulnerability had at least one bug in their cleanup phase: evidence is left on an iPhone as an inconsistency in a particular SQLite database (the DataUsage database scanned by the `datausagedb` method below). [Citizen Lab demonstrated](https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/) a simple SQL query on this database that detects the relevant inconsistency.
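As an added example (not this repository's code), the check below expresses the Citizen Lab idea as a referential-integrity query: usage rows in `ZLIVEUSAGE` whose `ZHASPROCESS` key points at a `ZPROCESS` row that no longer exists. The table and column names are assumed from the DataUsage.sqlite layout as described in the Citizen Lab write-up and are simplified here; `build_sample_db()` constructs an in-memory database with one deliberately orphaned row so the query can be exercised offline, and `scan_db_file()` opens a real copy read-only so the evidence is not modified.

```python
import sqlite3

# Rows in ZLIVEUSAGE that reference a process entry no longer present in ZPROCESS.
# A deleted ZPROCESS row with surviving ZLIVEUSAGE children is the inconsistency.
ORPHAN_QUERY = """
SELECT ZLIVEUSAGE.Z_PK, ZLIVEUSAGE.ZHASPROCESS
FROM ZLIVEUSAGE
LEFT JOIN ZPROCESS ON ZLIVEUSAGE.ZHASPROCESS = ZPROCESS.Z_PK
WHERE ZPROCESS.Z_PK IS NULL
ORDER BY ZLIVEUSAGE.Z_PK
"""


def find_orphans(conn: sqlite3.Connection) -> list:
    """Return (usage_pk, missing_process_pk) tuples; empty list means no inconsistency."""
    return conn.execute(ORPHAN_QUERY).fetchall()


def scan_db_file(path: str) -> list:
    """Open a DataUsage.sqlite copy read-only (forensic hygiene) and run the check."""
    conn = sqlite3.connect(f"file:{path}?mode=ro", uri=True)
    try:
        return find_orphans(conn)
    finally:
        conn.close()


def build_sample_db() -> sqlite3.Connection:
    """Constructed sample data (assumed, simplified schema), not a real device database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE ZPROCESS (
            Z_PK INTEGER PRIMARY KEY, ZPROCNAME TEXT, ZBUNDLENAME TEXT);
        CREATE TABLE ZLIVEUSAGE (
            Z_PK INTEGER PRIMARY KEY, ZHASPROCESS INTEGER, ZWIFIIN INTEGER, ZWIFIOUT INTEGER);
        INSERT INTO ZPROCESS VALUES (1, 'MobileSMS', 'com.apple.MobileSMS');
        INSERT INTO ZPROCESS VALUES (2, 'mobilesafari', 'com.apple.mobilesafari');
        INSERT INTO ZLIVEUSAGE VALUES (1, 1, 1000, 2000);
        INSERT INTO ZLIVEUSAGE VALUES (2, 2, 500, 700);
        INSERT INTO ZLIVEUSAGE VALUES (3, 2, 50, 70);
        -- Constructed orphan: process 7 was removed but its usage row survived.
        INSERT INTO ZLIVEUSAGE VALUES (4, 7, 12000, 3000);
    """)
    return conn


if __name__ == "__main__":
    import sys
    rows = scan_db_file(sys.argv[1]) if len(sys.argv) > 1 else find_orphans(build_sample_db())
    for usage_pk, proc_pk in rows:
        print(f"ZLIVEUSAGE row {usage_pk} references missing ZPROCESS {proc_pk}")
    print("no orphaned usage rows" if not rows else f"{len(rows)} orphaned row(s)")
```

Run it against a copy of the database extracted from the backup, never against the original; any orphaned row is a lead to investigate alongside the attachment findings rather than proof on its own.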
## Requirements
### Required for all scans
* A computer running macOS 11.0 or higher.
* A [Python 3](https://www.python.org/) installation.
### Required only for iPhone scans
* An [_unencrypted_ full local backup](https://support.apple.com/en-us/HT205220) of the iPhone in question.
* An install of [iPhone backup tools](https://github.com/richinfante/iphonebackuptools), used for reading iPhone backups.
## Preparation and Usage
1. Ensure all requirements are met.
2. Download this repository and navigate to its folder in the terminal.
3. Run `python3 cve_scan.py` to scan using default options, or `python3 cve_scan.py -h` for help.
## Examples
1. Scan this Mac only: `python3 cve_scan.py --mode mac`
2. Scan an iPhone backup only: `python3 cve_scan.py --mode iphone`
3. Scan an iPhone backup's message attachments only: `python3 cve_scan.py --mode iphone --method attachments`
4. Scan an iPhone backup's DataUsage database only: `python3 cve_scan.py --mode iphone --method datausagedb`
5. Scan the most recent iPhone backup: `python3 cve_scan.py --mode iphone --backups newest`
## References
* [MITRE CVE Page](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-30860)
* [Apple support document](https://support.apple.com/en-us/HT212807)
* [Citizen Lab article](https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage-zero-click-exploit-captured-in-the-wild/)