https://news.ycombinator.com/item?id=43025038
This might be a weird corner case where Apple would outbid the grey market, but generally even though Apple comes in lower than the grey market (for these very specific kinds of vulnerabilities), the term sheets are different, and the rest of the terms tend to favor going with Apple.
We recorded a podcast with Mark Dowd a year ago where he said nobody actually gets "list prices" for iOS full chain at $2.5MM (you can make considerably more than that by selling to multiple parties and by selling maintenance) --- and that's iOS, the highest-valued vulnerabilities.
The DNG file did have the 01 byte at `2FD00` (from xxd or hexdump -C). However it didn't have a byte position `3E40B`. I tried searching and there is literally no entry at that position. I found a 02 value at 3e40 but not at 3e40b. Is this a typo?
Where did you find it to try and repro?
Did you find a 02 at 3E40B? I found 01 at 2FD00, but there was no 3E40B byte position entry.
I did find something similar at 00003e40: 00003e40 02 00 04 00 0a 00 00 00 30 01 00 00 00 00 00 00 |........0.......|
dd status=none if=IMGP0847.DNG bs=1 skip=0x3e40b count=1 | xxd
00000000: 02Curious if you (clearly smarter than me) know why it didn't show correctly in the xxd or hexdump for the file. Would love to learn.
xxd IMGP0847.DNG | grep 03e400:
0003e400: ffd8 ffc3 000e 0e10 800c 5002 0011 0001 ..........P.....
I'm actually really curious about how the ITW exploit for this CVE worked; the OOB write is quite obvious in hindsight but going from OOB write to execution on iOS is very much not easy these days, and going from OOB write to sandbox escape should be extremely hard, especially since I thought (?) all image previews in iMessage should be behind BlastDoor. There's a lot of interesting stuff that's still missing here.
See my other comment. There's an exploit in the wild that uses this bug to get RCE, but this specific example just causes a crash.
> I'm actually really curious about how the ITW exploit for this CVE worked
It's really weird to see only a single OOB write patched for a full 0-click chain in the wild - how did they get code execution? PAC+ASLR bypass? Sandbox escape/kernel escalation?
Literally only RawCamera is patched in the update - were the other bugs in the chain already patched? Too difficult to patch immediately? (ie - close the front door while working on replacing the other locks?)? Still unknown? (ie - found a crash dump from RawCamera but didn't get as sample of the full chain?)
macOS Ventura 13.7.8 | macOS Sonoma 14.7.8 | macOS Sequoia 15.6.1
iPadOS 17.7.10 | iPadOS 18.6.2 | iOS 18.6.2
Usually, its multiple CVE's in a security update.
Examples:
- https://support.apple.com/en-us/122375 (macOS Ventura 13.7.5)
- https://support.apple.com/en-us/122718 (macOS Ventura 13.7.6)
- https://support.apple.com/en-us/124151 (macOS Ventura 13.7.7)
--------------------------- References/Sources ---------------------------
[0] https://support.apple.com/en-us/124925 -> https://support.apple.com/en-us/124929 | (124925 -> 124929)
https://support.apple.com/en-us/100100
https://nvd.nist.gov/vuln/detail/CVE-2025-43300#vulnConfigur...
> For me, there is only lockdown mode. That is the Apple Experience.
iOS backups can be scanned for the presence of this CVE-2025-43300 DNG processing vulnerability, via OSS tool for iOS forensics, https://github.com/msuiche/elegant-bouncer | https://www.msuiche.com/posts/elegantbouncer-when-you-cant-g...
ELEGANTBOUNCER is a detection tool for file-based mobile exploits. It employs an innovative approach for advanced file-based threat identification, eliminating the need for in-the-wild samples and outperforming traditional methods based on regular expressions or IOCs. At present, it primarily targets the identification of mobile vulnerabilities such as FORCEDENTRY (CVE-2021-30860), BLASTPASS (CVE-2023-4863, CVE-2023-41064), and TRIANGULATION (CVE-2023-41990) [and recently added CVE-2025-43300].
> While reproducing the iOS ITW CVE-2025-43300 (support.apple.com/en-us/124925), we accidentally triggered another old DNG image parsing vulnerability. The analysis is still ongoing.
Traditional detection approaches like YARA rules, IOC matching, and signature-based systems fall apart when:
• You don’t have the actual malicious samples to create signatures from
• The attackers use polymorphic techniques that change file hashes
• The exploit leverages legitimate file format features in unexpected ways
• You need to detect future variants of the same technique
The Philosophy: Structure Over Signatures
ELEGANTBOUNCER takes a fundamentally different approach to threat detection. Instead of looking for specific byte patterns or known-bad indicators, it analyzes the structural properties of files that make exploits possible.I am interested in finding out more on why Yara can't be used to find structural patterns? it is supposed to do a lot more than simple string and byte-pattern matching. Maybe ELEGANTBOUNCER requires keeping/maintaining a complex state machine to evaluate/analyze content?
For non-iOS defense, run GrapheneOS with all the default safeguards enabled.
Identifying an exploit in iOS requires a significant amount of knowledge in how the OS works, what existing exploits are and how you could chain them together to create a larger exploit.
I've have very limited experience, but reading about how some people identify and exploit these things is extremely impressive.
"Fuzzing ImageIO" (2020), https://googleprojectzero.blogspot.com/2020/04/fuzzing-image...
> This blog post discusses an old type of issue, vulnerabilities in image format parsers, in a new(er) context: on interactionless code paths in popular messenger apps. This research was focused on the Apple ecosystem and the image parsing API provided by it: the ImageIO framework. Multiple vulnerabilities in image parsing code were found, reported to Apple or the respective open source image library maintainers, and subsequently fixed. During this research, a lightweight and low-overhead guided fuzzing approach for closed source binaries was implemented and is released alongside this blogpost.
"ImageIO, the infamous iOS Zero Click Attack Vector" (2024), https://r00tkitsmm.github.io/fuzzing/2024/03/29/iOSImageIO.h...
> I used LLDB to examine the testHeader functions, it turned out there are three new testHeader functions for different file formats, such as KTX2 and WebP and ETC, so because they were fairly new I thought maybe they have not been fuzzed by Project Zero... I ported Project Zero’s harness to Jackalope fuzzer.. My fuzzing effort found several vulnerabilities [fixed by Apple]..
I don't see them using Rust when they have their own language under their full control, especially since both are targeting LLVM anyway.
https://citizenlab.ca/2025/06/first-forensic-confirmation-of...
https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zer...
https://citizenlab.ca/2021/09/forcedentry-nso-group-imessage...
https://citizenlab.ca/2020/12/the-great-ipwn-journalists-hac...
kirito1337•5mo ago