Merge pull request #1041 from HackTricks-wiki/update_CVE-2024-44236__Remote_Code_Execution_in_Apple_mac_20250708_181937

Add content: CVE-2024-44236 Remote Code Execution in Apple macOS sips Uti...
This commit is contained in:
SirBroccoli 2025-07-08 18:26:49 +02:00 committed by GitHub
commit 5632f8f6b3
21 changed files with 83 additions and 11 deletions

View File

@ -795,6 +795,7 @@
- [BF Forked & Threaded Stack Canaries](binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md)
- [Print Stack Canary](binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md)
- [Write What Where 2 Exec](binary-exploitation/arbitrary-write-2-exec/README.md)
- [Aw2exec Sips Icc Profile](binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md)
- [WWW2Exec - atexit()](binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md)
- [WWW2Exec - .dtors & .fini_array](binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md)
- [WWW2Exec - GOT/PLT](binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md)
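Review bot: the new SUMMARY entry `- [Aw2exec Sips Icc Profile](binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md)` looks auto-titled from the filename and breaks the naming pattern of its siblings (`WWW2Exec - atexit()`, `WWW2Exec - .dtors & .fini_array`, `WWW2Exec - GOT/PLT`). Suggest using the page's own H1 instead, e.g. `- [WWW2Exec - sips ICC Profile (CVE-2024-44236)](binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md)`.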

View File

@ -0,0 +1,55 @@
# WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)
{{#include ../../banners/hacktricks-training.md}}
## Overview
An out-of-bounds write vulnerability in Apple macOS Scriptable Image Processing System (`sips`) ICC profile parser (macOS 15.0.1, sips-307) due to improper validation of the `offsetToCLUT` field in `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. A crafted ICC file can trigger zero-writes up to 16 bytes past the heap buffer, corrupting heap metadata or function pointers and enabling arbitrary code execution (CVE-2024-44236).
## Vulnerable Code
The vulnerable function reads and zeroes 16 bytes starting from an attacker-controlled offset without ensuring it lies within the allocated buffer:
```c
// Pseudocode from sub_1000194D0 in sips-307 (macOS 15.0.1)
for (i = offsetToCLUT; i < offsetToCLUT + 16; i++) {
if (i > numberOfInputChannels && buffer[i] != 0)
buffer[i] = 0;
}
```
Only a check `offsetToCLUT <= totalDataLength` is performed. By setting `offsetToCLUT == tagDataSize`, the loop indexes up to 16 bytes past the end of `buffer`, corrupting adjacent heap metadata.
## Exploitation Steps
1. **Craft malicious `.icc` profile:**
- Build the ICC header (128 bytes) with signature `acsp` and a single `lutAToBType` or `lutBToAType` tag entry.
- In the tag table, set `offsetToCLUT` equal to the tag's `size` (`tagDataSize`).
- Place attacker-controlled data immediately after the tag data block to overwrite heap metadata.
2. **Trigger parsing:**
```bash
sips --verifyColor malicious.icc
```
3. **Heap metadata corruption:** The OOB zero-writes overwrite allocator metadata or adjacent pointers, allowing the attacker to hijack control flow and achieve arbitrary code execution in the context of the `sips` process.
## Impact
Successful exploitation results in remote arbitrary code execution at user privilege on macOS systems running the vulnerable `sips` utility.
## Detection
- Monitor file transfers on common protocols (FTP, HTTP/S, IMAP, SMB, NFS, SMTP).
- Inspect transferred files with signature `acsp`.
- For each `mAB ` or `mBA ` tag, verify if the `Offset to CLUT` field equals the `Tag data size`.
- Flag as suspicious if this condition is met.
## References
- ZDI blog: CVE-2024-44236: Remote Code Execution Vulnerability in Apple macOS sips Utility
https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos
- Apple October 2024 Security Update (patch shipping CVE-2024-44236)
https://support.apple.com/en-us/121564
{{#include /banners/hacktricks-training.md}}
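Review bot: the Vulnerable Code block and the prose under it do not line up. The pseudocode loop only checks `i > numberOfInputChannels`, the sentence below says the sole bounds check is `offsetToCLUT <= totalDataLength`, and the Exploitation Steps then call the same quantity `tagDataSize`. Pick one name for the buffer length and state the missing check explicitly: since the loop touches `buffer[offsetToCLUT]` through `buffer[offsetToCLUT + 15]`, the guard has to be `offsetToCLUT + 16 <= tagDataSize`, and `offsetToCLUT == tagDataSize` passes the weak check while writing 16 bytes past the end, which is the point the Detection section keys on. Two smaller points: the banner is included as `{{#include ../../banners/hacktricks-training.md}}` at the top but `{{#include /banners/hacktricks-training.md}}` at the bottom, while every other file in this commit uses the `/banners/` form; and the References should be markdown links in the `- [url](url)` style used elsewhere (see the Flutter page in this same commit) rather than a title with a bare URL on the following line.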

View File

@ -19,3 +19,5 @@ However he you can find some nice **examples**:
{{#include /banners/hacktricks-training.md}}

View File

@ -122,3 +122,5 @@ Check also the presentation of [https://www.slideshare.net/codeblue_jp/master-ca
{{#include /banners/hacktricks-training.md}}

View File

@ -65,3 +65,5 @@ d = malloc(20); // a
{{#include /banners/hacktricks-training.md}}

View File

@ -172,3 +172,5 @@ Allow the process to **ask for all the TCC permissions**.
{{#include /banners/hacktricks-training.md}}

View File

@ -79,3 +79,5 @@ Flutter itself **ignores device proxy settings**. Easiest options:
## References
- [https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/)
{{#include /banners/hacktricks-training.md}}

View File

@ -363,3 +363,5 @@ CONTAINER ID IMAGE COMMAND CRE
{{#include /banners/hacktricks-training.md}}

View File

@ -67,3 +67,5 @@ Connection: close
{{#include /banners/hacktricks-training.md}}

View File

@ -55,3 +55,5 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\
{{#include /banners/hacktricks-training.md}}