|
| 1 | +# WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236) |
| 2 | + |
| 3 | +{{#include ../../banners/hacktricks-training.md}} |
| 4 | + |
| 5 | +## Overview |
| 6 | + |
| 7 | +An out-of-bounds write vulnerability in Apple macOS Scriptable Image Processing System (`sips`) ICC profile parser (macOS 15.0.1, sips-307) due to improper validation of the `offsetToCLUT` field in `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. A crafted ICC file can trigger zero-writes up to 16 bytes past the heap buffer, corrupting heap metadata or function pointers and enabling arbitrary code execution (CVE-2024-44236). |
| 8 | + |
| 9 | +## Vulnerable Code |
| 10 | + |
| 11 | +The vulnerable function reads and zeroes 16 bytes starting from an attacker-controlled offset without ensuring it lies within the allocated buffer: |
| 12 | + |
| 13 | +```c |
| 14 | +// Pseudocode from sub_1000194D0 in sips-307 (macOS 15.0.1) |
| 15 | +for (i = offsetToCLUT; i < offsetToCLUT + 16; i++) { |
| 16 | + if (i > numberOfInputChannels && buffer[i] != 0) |
| 17 | + buffer[i] = 0; |
| 18 | +} |
| 19 | +``` |
| 20 | + |
| 21 | +Only a check `offsetToCLUT <= totalDataLength` is performed. By setting `offsetToCLUT == tagDataSize`, the loop indexes up to 16 bytes past the end of `buffer`, corrupting adjacent heap metadata. |
| 22 | + |
| 23 | +## Exploitation Steps |
| 24 | + |
| 25 | +1. **Craft malicious `.icc` profile:** |
| 26 | + - Build the ICC header (128 bytes) with signature `acsp` and a single `lutAToBType` or `lutBToAType` tag entry. |
| 27 | + - In the tag table, set `offsetToCLUT` equal to the tag's `size` (`tagDataSize`). |
| 28 | + - Place attacker-controlled data immediately after the tag data block to overwrite heap metadata. |
| 29 | +2. **Trigger parsing:** |
| 30 | + |
| 31 | + ```bash |
| 32 | + sips --verifyColor malicious.icc |
| 33 | + ``` |
| 34 | + |
| 35 | +3. **Heap metadata corruption:** The OOB zero-writes overwrite allocator metadata or adjacent pointers, allowing the attacker to hijack control flow and achieve arbitrary code execution in the context of the `sips` process. |
| 36 | + |
| 37 | +## Impact |
| 38 | + |
| 39 | +Successful exploitation results in remote arbitrary code execution at user privilege on macOS systems running the vulnerable `sips` utility. |
| 40 | + |
| 41 | +## Detection |
| 42 | + |
| 43 | +- Monitor file transfers on common protocols (FTP, HTTP/S, IMAP, SMB, NFS, SMTP). |
| 44 | +- Inspect transferred files with signature `acsp`. |
| 45 | +- For each `mAB ` or `mBA ` tag, verify if the `Offset to CLUT` field equals the `Tag data size`. |
| 46 | +- Flag as suspicious if this condition is met. |
| 47 | + |
| 48 | +## References |
| 49 | + |
| 50 | +- ZDI blog: CVE-2024-44236: Remote Code Execution Vulnerability in Apple macOS sips Utility |
| 51 | + https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos |
| 52 | +- Apple October 2024 Security Update (patch shipping CVE-2024-44236) |
| 53 | + https://support.apple.com/en-us/121564 |
| 54 | + |
| 55 | +{{#include /banners/hacktricks-training.md}} |
0 commit comments