Merge pull request #1041 from HackTricks-wiki/update_CVE-2024-44236__Remote_Code_Execution_in_Apple_mac_20250708_181937

carlospolop · web-flow · commit a87ff2cd52d7 · 2025-07-08T18:26:49.000+02:00
Add content: CVE-2024-44236 Remote Code Execution in Apple macOS sips Uti...
diff --git a/src/AI/AI-llm-architecture/1.-tokenizing.md b/src/AI/AI-llm-architecture/1.-tokenizing.md
@@ -99,4 +99,4 @@ print(token_ids[:50])
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
 
 
-{{#include /banners/hacktricks-training.md}}
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/2.-data-sampling.md b/src/AI/AI-llm-architecture/2.-data-sampling.md
@@ -241,4 +241,4 @@ tensor([[  367,  2885,  1464,  1807],
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
 
 
-{{#include /banners/hacktricks-training.md}}
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/3.-token-embeddings.md b/src/AI/AI-llm-architecture/3.-token-embeddings.md
@@ -219,4 +219,4 @@ print(input_embeddings.shape) # torch.Size([8, 4, 256])
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
 
 
-{{#include /banners/hacktricks-training.md}}
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/AI/AI-llm-architecture/5.-llm-architecture.md b/src/AI/AI-llm-architecture/5.-llm-architecture.md
@@ -702,4 +702,4 @@ print("Output length:", len(out[0]))
 - [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)
 
 
-{{#include /banners/hacktricks-training.md}}
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/SUMMARY.md b/src/SUMMARY.md
@@ -795,6 +795,7 @@
     - [BF Forked & Threaded Stack Canaries](binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md)
     - [Print Stack Canary](binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/print-stack-canary.md)
 - [Write What Where 2 Exec](binary-exploitation/arbitrary-write-2-exec/README.md)
+  - [Aw2exec Sips Icc Profile](binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md)
   - [WWW2Exec - atexit()](binary-exploitation/arbitrary-write-2-exec/www2exec-atexit.md)
   - [WWW2Exec - .dtors & .fini_array](binary-exploitation/arbitrary-write-2-exec/www2exec-.dtors-and-.fini_array.md)
   - [WWW2Exec - GOT/PLT](binary-exploitation/arbitrary-write-2-exec/aw2exec-got-plt.md)
diff --git a/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md b/src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md
@@ -0,0 +1,55 @@
+# WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)
+
+{{#include ../../banners/hacktricks-training.md}}
+
+## Overview
+
+An out-of-bounds write vulnerability in Apple macOS Scriptable Image Processing System (`sips`) ICC profile parser (macOS 15.0.1, sips-307) due to improper validation of the `offsetToCLUT` field in `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. A crafted ICC file can trigger zero-writes up to 16 bytes past the heap buffer, corrupting heap metadata or function pointers and enabling arbitrary code execution (CVE-2024-44236).
+
+## Vulnerable Code
+
+The vulnerable function reads and zeroes 16 bytes starting from an attacker-controlled offset without ensuring it lies within the allocated buffer:
+
+```c
+// Pseudocode from sub_1000194D0 in sips-307 (macOS 15.0.1)
+for (i = offsetToCLUT; i < offsetToCLUT + 16; i++) {
+    if (i > numberOfInputChannels && buffer[i] != 0)
+        buffer[i] = 0;
+}
+```
+
+Only a check `offsetToCLUT <= totalDataLength` is performed. By setting `offsetToCLUT == tagDataSize`, the loop indexes up to 16 bytes past the end of `buffer`, corrupting adjacent heap metadata.
+
+## Exploitation Steps
+
+1. **Craft malicious `.icc` profile:**
+   - Build the ICC header (128 bytes) with signature `acsp` and a single `lutAToBType` or `lutBToAType` tag entry.
+   - In the tag table, set `offsetToCLUT` equal to the tag's `size` (`tagDataSize`).
+   - Place attacker-controlled data immediately after the tag data block to overwrite heap metadata.
+2. **Trigger parsing:**
+
+   ```bash
+   sips --verifyColor malicious.icc
+   ```
+
+3. **Heap metadata corruption:** The OOB zero-writes overwrite allocator metadata or adjacent pointers, allowing the attacker to hijack control flow and achieve arbitrary code execution in the context of the `sips` process.
+
+## Impact
+
+Successful exploitation results in remote arbitrary code execution at user privilege on macOS systems running the vulnerable `sips` utility.
+
+## Detection
+
+- Monitor file transfers on common protocols (FTP, HTTP/S, IMAP, SMB, NFS, SMTP).  
+- Inspect transferred files with signature `acsp`.  
+- For each `mAB ` or `mBA ` tag, verify if the `Offset to CLUT` field equals the `Tag data size`.  
+- Flag as suspicious if this condition is met.
+
+## References
+
+- ZDI blog: CVE-2024-44236: Remote Code Execution Vulnerability in Apple macOS sips Utility  
+  https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos  
+- Apple October 2024 Security Update (patch shipping CVE-2024-44236)  
+  https://support.apple.com/en-us/121564
+
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/array-indexing.md b/src/binary-exploitation/array-indexing.md
@@ -19,3 +19,5 @@ However he you can find some nice **examples**:
 
 
 
+
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md b/src/binary-exploitation/common-binary-protections-and-bypasses/stack-canaries/bf-forked-stack-canaries.md
@@ -122,3 +122,5 @@ Check also the presentation of [https://www.slideshare.net/codeblue_jp/master-ca
 
 
 
+
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/ios-exploiting.md b/src/binary-exploitation/ios-exploiting.md
@@ -213,4 +213,4 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) {
 With these primitives, the exploit provides controlled **32-bit reads** and **64-bit writes** to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices).
 
 
-{{#include /banners/hacktricks-training.md}}
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/binary-exploitation/libc-heap/use-after-free/first-fit.md b/src/binary-exploitation/libc-heap/use-after-free/first-fit.md
@@ -65,3 +65,5 @@ d = malloc(20);   // a
 
 
 
+
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md b/src/macos-hardening/macos-security-and-privilege-escalation/macos-security-protections/macos-dangerous-entitlements.md
@@ -172,3 +172,5 @@ Allow the process to **ask for all the TCC permissions**.
 
 
 
+
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/mobile-pentesting/android-app-pentesting/flutter.md b/src/mobile-pentesting/android-app-pentesting/flutter.md
@@ -79,3 +79,5 @@ Flutter itself **ignores device proxy settings**. Easiest options:
 ## References
 - [https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/](https://sensepost.com/blog/2025/intercepting-https-communication-in-flutter-going-full-hardcore-mode-with-frida/)
 
+
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/1414-pentesting-ibmmq.md b/src/network-services-pentesting/1414-pentesting-ibmmq.md
@@ -363,3 +363,5 @@ CONTAINER ID   IMAGE                                COMMAND                  CRE
 
 
 
+
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/spring-actuators.md b/src/network-services-pentesting/pentesting-web/spring-actuators.md
@@ -67,3 +67,5 @@ Connection: close
 
 
 
+
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/vuejs.md b/src/network-services-pentesting/pentesting-web/vuejs.md
@@ -151,4 +151,4 @@ npm ci --ignore-scripts   # safer install
 - [https://medium.com/@isaacwangethi30/vue-js-security-6e246a7613da](https://medium.com/@isaacwangethi30/vue-js-security-6e246a7613da)
 - [https://vuejs.org/guide/best-practices/security](https://vuejs.org/guide/best-practices/security)
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md b/src/pentesting-web/file-inclusion/lfi2rce-via-nginx-temp-files.md
@@ -55,3 +55,5 @@ if **name** == "**main**": print('\[DEBUG] Creating requests session') requests\
 
 
 
+
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/pentesting-web/json-xml-yaml-hacking.md b/src/pentesting-web/json-xml-yaml-hacking.md
@@ -140,4 +140,4 @@ Result:
 | YAML: unknown keys         | `yaml.KnownFields(true)`              |
 
 
-{{#include ../banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}
diff --git a/src/todo/hardware-hacking/fault_injection_attacks.md b/src/todo/hardware-hacking/fault_injection_attacks.md
@@ -8,4 +8,4 @@ There are a lot of methods and mediums for injecting fault into an electronic ci
 
 
 
-{{#include /banners/hacktricks-training.md}}
+{{#include /banners/hacktricks-training.md}}
diff --git a/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.md b/src/windows-hardening/active-directory-methodology/acl-persistence-abuse/BadSuccessor.md
@@ -66,4 +66,4 @@ Therefore, mass‑linking thousands of users lets an attacker dump hashes “at
 - [https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory](https://www.akamai.com/blog/security-research/abusing-dmsa-for-privilege-escalation-in-active-directory)
 
 
-{{#include ../../../banners/hacktricks-training.md}}
+{{#include ../../../banners/hacktricks-training.md}}
diff --git a/src/windows-hardening/lateral-movement/scmexec.md b/src/windows-hardening/lateral-movement/scmexec.md
@@ -12,4 +12,4 @@
 
 SharpMove.exe action=scm computername=remote.host.local command="C:\windows\temp\payload.exe" servicename=WindowsDebug amsi=true
 
-{{#include ../../banners/hacktricks-training.md}}
+{{#include ../../banners/hacktricks-training.md}}
diff --git a/src/windows-hardening/mythic.md b/src/windows-hardening/mythic.md
@@ -177,4 +177,4 @@ When user over linux it has some interesting commands:
 - `pty`: Open up an interactive PTY, allowing for direct interaction with the shell on the target system.
 
 
-{{#include ../banners/hacktricks-training.md}}
+{{#include ../banners/hacktricks-training.md}}

Original file line number	Diff line number	Diff line change
`@@ -99,4 +99,4 @@ print(token_ids[:50])`
`99`	`99`	`- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)`
`100`	`100`
`101`	`101`
`102`		`-{{#include /banners/hacktricks-training.md}}`
	`102`	`+{{#include /banners/hacktricks-training.md}}`
Original file line number	Diff line number	Diff line change
`@@ -241,4 +241,4 @@ tensor([[ 367, 2885, 1464, 1807],`
`241`	`241`	`- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)`
`242`	`242`
`243`	`243`
`244`		`-{{#include /banners/hacktricks-training.md}}`
	`244`	`+{{#include /banners/hacktricks-training.md}}`
Original file line number	Diff line number	Diff line change
`@@ -219,4 +219,4 @@ print(input_embeddings.shape) # torch.Size([8, 4, 256])`
`219`	`219`	`- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)`
`220`	`220`
`221`	`221`
`222`		`-{{#include /banners/hacktricks-training.md}}`
	`222`	`+{{#include /banners/hacktricks-training.md}}`
Original file line number	Diff line number	Diff line change
`@@ -702,4 +702,4 @@ print("Output length:", len(out[0]))`
`702`	`702`	`- [https://www.manning.com/books/build-a-large-language-model-from-scratch](https://www.manning.com/books/build-a-large-language-model-from-scratch)`
`703`	`703`
`704`	`704`
`705`		`-{{#include /banners/hacktricks-training.md}}`
	`705`	`+{{#include /banners/hacktricks-training.md}}`
Original file line number	Diff line number	Diff line change
`@@ -19,3 +19,5 @@ However he you can find some nice examples:`
`19`	`19`
`20`	`20`
`21`	`21`
	`22`	`+`
	`23`	`+{{#include /banners/hacktricks-training.md}}`
Original file line number	Diff line number	Diff line change
`@@ -122,3 +122,5 @@ Check also the presentation of [https://www.slideshare.net/codeblue_jp/master-ca`
`122`	`122`
`123`	`123`
`124`	`124`
	`125`	`+`
	`126`	`+{{#include /banners/hacktricks-training.md}}`
Original file line number	Diff line number	Diff line change
`@@ -213,4 +213,4 @@ void iosurface_kwrite64(uint64_t addr, uint64_t value) {`
`213`	`213`	`With these primitives, the exploit provides controlled 32-bit reads and 64-bit writes to kernel memory. Further jailbreak steps could involve more stable read/write primitives, which may require bypassing additional protections (e.g., PPL on newer arm64e devices).`
`214`	`214`
`215`	`215`
`216`		`-{{#include /banners/hacktricks-training.md}}`
	`216`	`+{{#include /banners/hacktricks-training.md}}`
Original file line number	Diff line number	Diff line change
`@@ -65,3 +65,5 @@ d = malloc(20); // a`
`65`	`65`
`66`	`66`
`67`	`67`
	`68`	`+`
	`69`	`+{{#include /banners/hacktricks-training.md}}`