Merge branch 'master' of github.com:HackTricks-wiki/hacktricks

src/SUMMARY.md

@@ -795,6 +795,7 @@
     - [BF Forked & Threaded Stack Canaries](binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md)
     - [Print Stack Canary](binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md)
 - [Write What Where 2 Exec](binary-exploitation/arbitrary-write-2-exec/README.md)
+  - [Aw2exec Sips Icc Profile](binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md)
   - [WWW2Exec - atexit()](binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md)
   - [WWW2Exec - .dtors & .fini_array](binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md)
   - [WWW2Exec - GOT/PLT](binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md)

src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md

@@ -0,0 +1,55 @@
+# WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+
+An out-of-bounds write vulnerability in Apple macOS Scriptable Image Processing System (`sips`) ICC profile parser (macOS 15.0.1, sips-307) due to improper validation of the `offsetToCLUT` field in `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. A crafted ICC file can trigger zero-writes up to 16 bytes past the heap buffer, corrupting heap metadata or function pointers and enabling arbitrary code execution (CVE-2024-44236).
+
+## Vulnerable Code
+
+The vulnerable function reads and zeroes 16 bytes starting from an attacker-controlled offset without ensuring it lies within the allocated buffer:
+
+```c
+// Pseudocode from sub_1000194D0 in sips-307 (macOS 15.0.1)
+for (i = offsetToCLUT; i < offsetToCLUT + 16; i++) {
+    if (i > numberOfInputChannels && buffer[i] != 0)
+        buffer[i] = 0;
+}
+```
+
+Only a check `offsetToCLUT <= totalDataLength` is performed. By setting `offsetToCLUT == tagDataSize`, the loop indexes up to 16 bytes past the end of `buffer`, corrupting adjacent heap metadata.
+
+## Exploitation Steps
+
+1. **Craft malicious `.icc` profile:**
+   - Build the ICC header (128 bytes) with signature `acsp` and a single `lutAToBType` or `lutBToAType` tag entry.
+   - In the tag table, set `offsetToCLUT` equal to the tag's `size` (`tagDataSize`).
+   - Place attacker-controlled data immediately after the tag data block to overwrite heap metadata.
+2. **Trigger parsing:**
+
+   ```bash
+   sips --verifyColor malicious.icc
+   ```
+
+3. **Heap metadata corruption:** The OOB zero-writes overwrite allocator metadata or adjacent pointers, allowing the attacker to hijack control flow and achieve arbitrary code execution in the context of the `sips` process.
+
+## Impact
+
+Successful exploitation results in remote arbitrary code execution at user privilege on macOS systems running the vulnerable `sips` utility.
+
+## Detection
+
+- Monitor file transfers on common protocols (FTP, HTTP/S, IMAP, SMB, NFS, SMTP).  
+- Inspect transferred files with signature `acsp`.  
+- For each `mAB ` or `mBA ` tag, verify if the `Offset to CLUT` field equals the `Tag data size`.  
+- Flag as suspicious if this condition is met.
+
+## References
+
+- ZDI blog: CVE-2024-44236: Remote Code Execution Vulnerability in Apple macOS sips Utility  
+  https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos  
+- Apple October 2024 Security Update (patch shipping CVE-2024-44236)  
+  https://support.apple.com/en-us/121564
+
+{{#include /banners/hacktricks-training.md}}

src/binary-exploitation/array-indexing.md

@@ -19,3 +19,5 @@ However he you can find some nice **examples**:
 
 
 
+
+{{#include /banners/hacktricks-training.md}}

src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md

@@ -122,3 +122,5 @@ Check also the presentation of [https://www.slideshare.net/codeblue_jp/master-ca
 
 
 
+
+{{#include /banners/hacktricks-training.md}}

src/binary-exploitation/libc-heap/use-after-free/first-fit.md

@@ -65,3 +65,5 @@ d = malloc(20);   // a
 
 
 
+
+{{#include /banners/hacktricks-training.md}}

src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md

@@ -172,3 +172,5 @@ Allow the process to **ask for all the TCC permissions**.
 
 
 
+
+{{#include /banners/hacktricks-training.md}}

src/mobile-pentesting/android-app-pentesting/flutter.md

@@ -79,3 +79,5 @@ Flutter itself **ignores device proxy settings**. Easiest options:
 ## References
 - [https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/)
 
+
+{{#include /banners/hacktricks-training.md}}

src/network-services-pentesting/1414-pentesting-ibmmq.md

@@ -363,3 +363,5 @@ CONTAINER ID   IMAGE                                COMMAND                  CRE
 
 
 
+
+{{#include /banners/hacktricks-training.md}}

src/network-services-pentesting/pentesting-web/spring-actuators.md

@@ -67,3 +67,5 @@ Connection: close
 
 
 
+
+{{#include /banners/hacktricks-training.md}}

src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md

@@ -55,3 +55,5 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\
 
 
 
+
+{{#include /banners/hacktricks-training.md}}