Ecosyste.ms: Awesome
https://github.com/msuiche/elegant-bouncer
ELEGANTBOUNCER is a detection tool for file-based mobile exploits.
- Host: GitHub
- URL: https://github.com/msuiche/elegant-bouncer
- Owner: msuiche
- Created: 2022-11-22T12:51:13.000Z (about 2 years ago)
- Default Branch: main
- Last Pushed: 2023-12-30T13:57:23.000Z (about 1 year ago)
- Last Synced: 2024-07-08T16:40:25.676Z (6 months ago)
- Topics: forensics, mobile
- Language: Rust
- Homepage: https://www.msuiche.com
- Size: 4.56 MB
- Stars: 28
- Watchers: 1
- Forks: 2
- Open Issues: 0
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-rust-security - elegant-bouncer - experimental tool for detection of the FORCEDENTRY (CVE-2021-30860) (Threat Detection and Forensics / Packing, Obfuscation, Encryption, Anti-analysis)
README
![alt text](banner.png)
# ELEGANTBOUNCER
ELEGANTBOUNCER is a detection tool for file-based mobile exploits. Rather than matching regular expressions or IOCs derived from captured samples, it parses the file formats these exploits abuse and checks for the conditions that trigger the underlying vulnerability, so it can detect an exploit without access to an in-the-wild sample. At present it targets FORCEDENTRY (CVE-2021-30860), BLASTPASS (CVE-2023-4863, CVE-2023-41064), and TRIANGULATION (CVE-2023-41990).
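The following is an added example, written for this page and not part of ELEGANTBOUNCER's own code, of what "detecting without a sample" looks like for FORCEDENTRY. CVE-2021-30860 is an integer overflow in the Xpdf-derived JBIG2 decoder in CoreGraphics: when decoding a symbol dictionary, the decoder adds up the exported-symbol counts of every referred-to symbol dictionary plus the dictionary's own new-symbol count in a 32-bit integer and allocates that many entries, so a sum that wraps yields an undersized buffer (this is the bug described in the Project Zero write-up credited in the acknowledgements). The std-only Rust below parses the sequential segment headers of a PDF-embedded JBIG2 stream per ITU-T T.88, records each symbol dictionary's exported count, and flags any dictionary whose input-plus-new total exceeds `u32::MAX`. The segments built by `make_symbol_dict` are constructed test data, not real samples; the example assumes the caller has already extracted the raw `/JBIG2Decode` stream bytes from the PDF and does not handle segments with the "unknown length" marker.

```rust
// Added example, not ELEGANTBOUNCER's own code: flag the FORCEDENTRY (CVE-2021-30860)
// trigger in a PDF-embedded JBIG2 stream. The vulnerable decoder sums the referred
// dictionaries' exported-symbol counts plus the new-symbol count in a u32 and
// allocates that many entries, so a wrapped sum means an undersized buffer.
use std::collections::HashMap;
const SYMBOL_DICT: u8 = 0; // segment type 0 (ITU-T T.88, 7.3)

/// Read `n` big-endian bytes at `*pos` as a u64 and advance the cursor.
fn be(buf: &[u8], pos: &mut usize, n: usize) -> Option<u64> {
    let s = buf.get(*pos..*pos + n)?;
    *pos += n;
    Some(s.iter().fold(0u64, |acc, &b| (acc << 8) | b as u64))
}

struct Segment<'a> { number: u32, kind: u8, referred: Vec<u32>, data: &'a [u8] }

/// Parse sequential-organisation segments (no file header, as embedded in PDF).
fn parse_segments(buf: &[u8]) -> Option<Vec<Segment<'_>>> {
    let (mut pos, mut out) = (0usize, Vec::new());
    while pos < buf.len() {
        let number = be(buf, &mut pos, 4)? as u32;
        let flags = be(buf, &mut pos, 1)? as u8;
        let rts = be(buf, &mut pos, 1)? as u8;
        let count = if rts >> 5 == 7 {
            pos -= 1; // long form: 4-byte count, then ceil((count + 1) / 8) retain bytes
            let c = (be(buf, &mut pos, 4)? & 0x1fff_ffff) as usize;
            pos += (c + 8) / 8;
            c
        } else {
            (rts >> 5) as usize
        };
        let ref_size = if number <= 256 { 1 } else if number <= 65536 { 2 } else { 4 };
        let mut referred = Vec::with_capacity(count);
        for _ in 0..count { referred.push(be(buf, &mut pos, ref_size)? as u32); }
        pos += if flags & 0x40 != 0 { 4 } else { 1 }; // page association size
        let len = be(buf, &mut pos, 4)? as usize;
        if len == 0xffff_ffff { return None; } // "unknown length" is out of scope here
        let data = buf.get(pos..pos + len)?;
        pos += len;
        out.push(Segment { number, kind: flags & 0x3f, referred, data });
    }
    Some(out)
}

/// (SDNUMEXSYMS, SDNUMNEWSYMS) from a symbol dictionary segment (T.88, 7.4.3.1).
fn symbol_counts(data: &[u8]) -> Option<(u32, u32)> {
    let mut pos = 0;
    let flags = be(data, &mut pos, 2)?;
    let (huff, refagg) = (flags & 1 != 0, flags & 2 != 0);
    let (template, rtemplate) = ((flags >> 10) & 3, (flags >> 12) & 1);
    if !huff { pos += if template == 0 { 8 } else { 2 }; } // SDAT adaptive pixels
    if refagg && rtemplate == 0 { pos += 4; }              // SDRAT refinement pixels
    Some((be(data, &mut pos, 4)? as u32, be(data, &mut pos, 4)? as u32))
}

/// Segment numbers of symbol dictionaries whose input + new symbol count does not
/// fit in a u32: the integer overflow FORCEDENTRY relies on.
pub fn find_overflowing_dicts(jbig2: &[u8]) -> Vec<u32> {
    let mut exported: HashMap<u32, u64> = HashMap::new();
    let mut hits = Vec::new();
    for seg in parse_segments(jbig2).unwrap_or_default() {
        if seg.kind != SYMBOL_DICT { continue; }
        if let Some((ex, new)) = symbol_counts(seg.data) {
            let input: u64 = seg.referred.iter().filter_map(|r| exported.get(r)).sum();
            if input + new as u64 > u32::MAX as u64 {
                hits.push(seg.number);
            }
            exported.insert(seg.number, ex as u64);
        }
    }
    hits
}

/// Constructed test data (not a real sample): a symbol dictionary segment using
/// arithmetic coding, template 0, no refinement and no symbol bitmaps.
pub fn make_symbol_dict(number: u32, referred: &[u32], exported: u32, new: u32) -> Vec<u8> {
    let mut data = vec![0x00, 0x00]; // SDHUFF=0, SDREFAGG=0, SDTEMPLATE=0
    data.extend_from_slice(&[0x03, 0xff, 0xfd, 0xff, 0x02, 0xfe, 0xfe, 0xfe]); // SDAT1..4
    data.extend_from_slice(&exported.to_be_bytes());
    data.extend_from_slice(&new.to_be_bytes());
    let mut seg = number.to_be_bytes().to_vec();
    seg.push(SYMBOL_DICT);                         // type 0, 1-byte page association
    seg.push((referred.len() as u8) << 5);         // short-form referred count (<= 4)
    seg.extend(referred.iter().map(|r| *r as u8)); // 1-byte refs: segment numbers <= 256
    seg.push(1);                                   // page 1
    seg.extend_from_slice(&(data.len() as u32).to_be_bytes());
    seg.extend_from_slice(&data);
    seg
}

fn main() {
    // Benign: dictionary 1 exports 10 symbols; dictionary 2 imports them and adds 5.
    let mut benign = make_symbol_dict(1, &[], 10, 10);
    benign.extend(make_symbol_dict(2, &[1], 15, 5));
    // Hostile: dictionary 1 claims 0xFFFFFFF0 exported symbols; dictionary 2 refers
    // to it and adds 0x20, so the decoder's 32-bit total wraps to 0x10.
    let mut hostile = make_symbol_dict(1, &[], 0xffff_fff0, 0xffff_fff0);
    hostile.extend(make_symbol_dict(2, &[1], 0x20, 0x20));
    println!("benign:  {:?}", find_overflowing_dicts(&benign));
    println!("hostile: {:?}", find_overflowing_dicts(&hostile));
}
```

The check is on declared counts in the segment headers, not on decoded bitmaps, which is why no sample is needed: any dictionary whose referred inputs plus new symbols cannot fit in 32 bits is malformed by construction. A production scanner would feed this the bytes of every `/JBIG2Decode` stream found by a real PDF parser (including object streams and indirect `/Length` values) and would also cover the case where the stream carries a `/JBIG2Globals` dictionary, which this example does not.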
## Support Table
| Threat Name   | CVEs                          | Supported          |
|---------------|-------------------------------|--------------------|
| FORCEDENTRY   | CVE-2021-30860                | :white_check_mark: |
| BLASTPASS     | CVE-2023-4863, CVE-2023-41064 | :white_check_mark: |
| TRIANGULATION | CVE-2023-41990                | :white_check_mark: |

![output of the detection tool](./documentation/elegantbouncer.png)
### Learn more
- [FORCEDENTRY](documentation/FORCEDENTRY.md)
- [BLASTPASS](documentation/BLASTPASS.md)

## Getting started
```
elegant-bouncer v0.2
ELEGANTBOUNCER Detection Tool
Detection tool for file-based mobile exploits.
A utility designed to detect the presence of known mobile APTs in commonly distributed files.

Usage: elegant-bouncer [OPTIONS]

Arguments:
  Path to the input file

Options:
  -v, --verbose
          Print extra output while parsing
  -s, --scan
          Assess a given file, checking for known vulnerabilities
  -c, --create-forcedentry
          Create a FORCEDENTRY-like PDF
  -h, --help
          Print help information (use `-h` for a summary)
  -V, --version
          Print version information
```
### scan
Use `--scan` to assess a given file, checking for known vulnerabilities.

### create-forcedentry
Use `--create-forcedentry` to generate a PDF from the ground up designed to exploit CVE-2021-30860. Work in progress.

Note: Pre-made samples can be found in the [`samples/`](tests/samples/) directory.
## Recommendations
Use [**Lockdown Mode**](https://support.apple.com/en-us/HT212650) to decrease your attack surface if you think you are a person of interest.

## Acknowledgements
- [Valentin Pashkov, Mikhail Vinogradov, Georgy Kucherin (@kucher1n), Leonid Bezvershenko (@bzvr_), and Boris Larin (@oct0xor) of Kaspersky](https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/)
- [Apple Security Engineering and Architecture (SEAR)](https://bugs.chromium.org/p/chromium/issues/detail?id=1479274)
- [Bill Marczak](https://twitter.com/@billmarczak)
- [Jeff](https://twitter.com/jeffssh/status/1474605696020881409) for helping me understand FORCEDENTRY
- [Valentina](https://twitter.com/chompie1337) for suggesting this target
- [Ian Beer](https://twitter.com/i41nbeer) and [Samuel Groß](https://twitter.com/5aelo) of Google Project Zero for their amazing write-up on the sample shared by Citizen Lab with them.
- [@mistymntncop](https://twitter.com/mistymntncop) for our exchanges and his work on [CVE-2023-4863](https://github.com/mistymntncop/CVE-2023-4863)
- [Ben Hawkes](https://blog.isosceles.com/the-webp-0day/)

## References
- [Researching Triangulation: Detecting CVE-2023-41990 with single byte signatures.](https://www.msuiche.com/posts/researching-triangulation-detecting-cve-2023-41990-with-single-byte-signatures./)
- [Researching FORCEDENTRY: Detecting the Exploit With No Samples](https://www.msuiche.com/posts/researching-forcedentry-detecting-the-exploit-with-no-samples/)
- [Researching BLASTPASS: Detecting the exploit inside a WebP file - Part 1](https://www.msuiche.com/posts/researching-blastpass-detecting-the-exploit-inside-a-webp-file-part-1/)
- [Researching BLASTPASS: Analysing the Apple & Google WebP POC file - Part 2](https://www.msuiche.com/posts/researching-blastpass-analysing-the-apple-google-webp-poc-file-part-2/)