Project Zero
Blasting Past Webp
The NSO BLASTPASS iMessage exploit chain used a zero-click, zero-day vulnerability that compromised iPhones running the latest version of iOS without any interaction from the victim. The exploit involved PassKit attachments containing malicious images, sent from an attacker-controlled iMessage account to the victim. Apple issued an out-of-band security update for iOS on September 7, 2023, to fix the vulnerability. The WebP team also released a proposed fix for the issue, which was later integrated into Chrome.

The root cause of the vulnerability was a memory corruption issue in the WebP lossless image format, specifically in the Huffman coding used in the format. The vulnerability allowed an attacker to define invalid Huffman trees, which could corrupt memory when the decoding table was built. However, the corruption primitive was limited, and image parsing stopped shortly after the bug was triggered.

How the vulnerability was exploited was a mystery: it was unclear how to land an exploit in a one-shot, zero-click setup. The corruption primitive was very limited, and without access to the samples it was almost impossible to know how the vulnerability could be exploited.

In mid-November, the author obtained a number of BLASTPASS PKPass sample files and crash logs from failed exploit attempts, which allowed them to analyze the samples and work out how the exploit functioned. The analysis revealed that the vulnerability was exploited by sending a malicious image file that triggered the memory corruption issue, and then using the limited corruption primitive to execute arbitrary code.

The WebP format is a relatively modern image file format that uses Huffman coding to compress images. WebP uses a RIFF container and a separate lossless format, which is where the vulnerability was found. The vulnerability was in the Huffman coding used in the lossless format, specifically in the way the decoding table was built.

The author's analysis of the samples revealed that the exploit used a combination of techniques to execute arbitrary code, including using the limited corruption primitive to overwrite a function pointer and then executing the malicious code. The analysis also showed that the exploit was highly sophisticated and required a deep understanding of the WebP format and the Huffman coding used in it.

Overall, the NSO BLASTPASS iMessage exploit was a highly sophisticated and complex attack that required a deep understanding of the WebP format and its Huffman coding. How it was exploited was initially a mystery, but analysis of the samples showed that arbitrary code execution was achieved through a combination of techniques.
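The passage above describes the bug class without showing it: a decoder that trusts attacker-supplied Huffman code lengths and fills a fixed-size lookup table from them. The following is an added example, not libwebp's code and not the post's own, showing the validation a decoder needs before building such a table. A code of length `l` occupies `1 << (max_len - l)` slots of a `1 << max_len` table, so the slots claimed by all codes must add up to exactly the table size (the Kraft sum must equal 1); a length set that claims more slots is over-subscribed, and a builder that trusts it writes past the end of the table. The function names, the 3-bit `SAMPLE_MAX_LEN`, and the length sets in `main` are all constructed for illustration and are not taken from any real WebP file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SAMPLE_MAX_LEN 3                      /* table indexed by 3 bits: 8 slots */
#define SAMPLE_TABLE_SIZE (1 << SAMPLE_MAX_LEN)

enum code_status {
    CODE_OK = 0,
    CODE_OVERSUBSCRIBED,   /* lengths claim more table slots than exist */
    CODE_INCOMPLETE,       /* some table slots would stay unfilled */
    CODE_BAD_LENGTH,       /* a length exceeds the table's bit width */
    CODE_EMPTY             /* no symbol has a code at all */
};

/* Validate canonical Huffman code lengths against a table of 1 << max_len slots.
 * Hypothetical helper: this is the check a safe decoder runs before any table write. */
enum code_status check_code_lengths(const uint8_t *lengths, size_t n, int max_len)
{
    long space = 1L << max_len;               /* free slots remaining in the table */
    size_t coded = 0;
    for (size_t i = 0; i < n; i++) {
        int l = lengths[i];
        if (l == 0) continue;                 /* symbol absent from this tree */
        if (l > max_len) return CODE_BAD_LENGTH;
        coded++;
        space -= 1L << (max_len - l);
        if (space < 0) return CODE_OVERSUBSCRIBED;   /* Kraft sum exceeds 1 */
    }
    if (coded == 0) return CODE_EMPTY;
    if (coded == 1) return CODE_OK;           /* one-symbol tree, conventionally accepted */
    return space == 0 ? CODE_OK : CODE_INCOMPLETE;
}

typedef struct { uint16_t symbol; uint8_t len; } table_entry;

/* Build an MSB-first lookup table from validated lengths. Every write is bounded
 * because the check above guarantees the prefixes fit; without it an over-subscribed
 * set would index past table[(1 << max_len) - 1]. Returns entries written, or -1. */
long build_table(const uint8_t *lengths, size_t n, int max_len, table_entry *table)
{
    if (check_code_lengths(lengths, n, max_len) != CODE_OK) return -1;

    int bl_count[17] = {0};                   /* number of codes of each length */
    for (size_t i = 0; i < n; i++) bl_count[lengths[i]]++;
    bl_count[0] = 0;

    /* Canonical assignment: codes of one length are consecutive, ordered by symbol. */
    unsigned next_code[17] = {0};
    unsigned code = 0;
    for (int bits = 1; bits <= max_len; bits++) {
        code = (code + bl_count[bits - 1]) << 1;
        next_code[bits] = code;
    }

    long written = 0;
    for (size_t sym = 0; sym < n; sym++) {
        int l = lengths[sym];
        if (l == 0) continue;
        unsigned c = next_code[l]++;
        unsigned first = c << (max_len - l);  /* first table index covered by this prefix */
        unsigned span = 1u << (max_len - l);  /* number of indices sharing the prefix */
        for (unsigned j = 0; j < span; j++) {
            table[first + j].symbol = (uint16_t)sym;
            table[first + j].len = (uint8_t)l;
            written++;
        }
    }
    return written;
}

static table_entry sample_table[SAMPLE_TABLE_SIZE];

/* Build into a fixed 8-slot table; returns entries written, or -1 if rejected. */
long build_sample_table(const uint8_t *lengths, size_t n)
{
    for (size_t i = 0; i < SAMPLE_TABLE_SIZE; i++) {
        sample_table[i].symbol = 0xFFFF;      /* sentinel: slot not yet filled */
        sample_table[i].len = 0;
    }
    return build_table(lengths, n, SAMPLE_MAX_LEN, sample_table);
}

int sample_symbol_at(size_t index)
{
    return index < SAMPLE_TABLE_SIZE ? sample_table[index].symbol : -1;
}

int main(void)
{
    /* Constructed length sets, not taken from any real image. */
    const uint8_t complete[] = {2, 1, 3, 3};  /* 1/4 + 1/2 + 1/8 + 1/8 == 1 */
    const uint8_t oversub[]  = {1, 1, 1};     /* three length-1 codes: 3/2 > 1 */
    printf("complete set: %ld entries written\n", build_sample_table(complete, 4));
    printf("over-subscribed set: %ld (rejected before any write)\n", build_sample_table(oversub, 3));
    return 0;
}
```

The check costs one subtraction per symbol and rejects the malformed input before the table is touched, which is the property a decoder wants: the failure mode becomes a clean parse error rather than a write past the end of a heap buffer.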