This remote code execution (RCE) flaw, discovered by Hossein Lotfi of the Trend
The vulnerability arises from an out-of-bounds write condition due to insufficient validation of the lutAToBType and lutBToAType tag types within ICC Profile files.
ICC Profiles are data sets that characterize the color properties of devices or color spaces, with a standardized file structure comprising a header, tag table, and tagged element data.
The header carries the profile file signature 'acsp' (\x61\x63\x73\x70). The affected tag types are lutAToBType (signature \x6d\x41\x42\x20, 'mAB ') and lutBToAType (signature \x6d\x42\x41\x20, 'mBA '). The vulnerable structures include fields such as the input and output channel counts and the "Offset to CLUT" field that locates the colour lookup table within the tag data.
The core of the vulnerability lies in the function that parses these structures (sub_1000194D0() in sips version 307 on macOS 15.0.1).
The function reads the "Offset to CLUT" field from the tag data and rejects it only when it is strictly greater than the length of the tagged element data.
An offset equal to the total length therefore passes the check, and the 16-iteration loop that follows accesses memory up to 16 bytes past the end of the allocated buffer, resulting in an out-of-bounds write. Because the loop always spans 16 bytes from the offset, an offset falling within the last 16 bytes of the tag data overruns by the remainder as well.
```c
CLUT_offset = v11->CLUT_offset;               /* "Offset to CLUT", stored big-endian on disk */
_CLUT_offset = bswap32(CLUT_offset);
if (_CLUT_offset > Length)                    /* only offsets strictly past the end are rejected, */
    goto LABEL_93;                            /* so _CLUT_offset == Length passes this check     */
CLUT_data_ptr = &MutableBytePtr[_CLUT_offset];
number_of_input_channels = (unsigned __int8)v11->n_in_channels;
input_channel = 0;                            /* assumed initialised before this excerpt        */
do {
    if (input_channel >= number_of_input_channels) {
        if (CLUT_data_ptr[input_channel]) {
            CLUT_data_ptr[input_channel] = 0; /* Out-of-bounds write when _CLUT_offset + 16 > Length */
        }
    }
    ++input_channel;
} while (input_channel != 16);                /* always touches 16 bytes from CLUT_data_ptr     */
```
A remote attacker could exploit this vulnerability by crafting a malicious ICC Profile file and convincing a victim to process it with the vulnerable sips utility.
Successful exploitation would allow arbitrary code execution with the privileges of the user running sips.
To detect exploitation attempts, security devices should monitor file transfers over common protocols (FTP, HTTP, HTTPS, IMAP, NFS, POP3, SMB/CIFS, SMTP) for ICC Profile files. The detection logic involves identifying ICC Profile files by the 'acsp' header signature (\x61\x63\x73\x70), walking the tag table to locate lutAToBType and lutBToAType elements, and flagging any element whose CLUT offset is equal to, or within 16 bytes of, the length of the tagged element data.
All integers in these structures are stored in big-endian format, which is critical for accurate parsing and detection.
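The following is an added example of the detection logic described above and of the trigger condition in the decompiled check; it is not code from the article, from Trend Micro ZDI or from Apple. It assumes the ICC.1 layout for lutAToBType/lutBToAType elements (4-byte type signature, 4 reserved bytes, input and output channel counts, 2 reserved bytes, then five big-endian offsets with the CLUT offset at byte 24), that a CLUT offset of zero means "no CLUT", and that the vulnerable loop touches 16 bytes from the offset, as the decompiled snippet shows. The profile it scans is a constructed fixture built by the helpers below, using the A2B0 and B2A0 tag signatures; it is not a real profile file.

```python
"""Scan ICC profiles for the CVE-2024-44236 trigger condition (constructed example)."""
import struct

ACSP = b"acsp"                                # profile signature, header bytes 36..39
LUT_TYPES = {b"mAB ": "lutAToBType", b"mBA ": "lutBToAType"}
LOOP_SPAN = 16                                # the decompiled loop touches 16 bytes from the CLUT offset
HEADER_LEN = 128


def build_lut_element(type_sig, n_in, n_out, clut_offset, payload=b""):
    """Build a lutAToBType / lutBToAType element: signature, 4 reserved bytes,
    input/output channel counts, 2 reserved bytes, then five big-endian offsets
    (B curves, matrix, M curves, CLUT, A curves) relative to the element start.
    Only the CLUT offset is filled in; the others are left at 0 for the fixture."""
    fixed = type_sig + b"\x00" * 4 + bytes([n_in, n_out]) + b"\x00\x00"
    fixed += struct.pack(">IIIII", 0, 0, 0, clut_offset, 0)
    return fixed + payload


def build_profile(tags):
    """Assemble a minimal ICC profile (128-byte header, tag table, tag data)
    from (tag_signature, element_bytes) pairs. Constructed test fixture."""
    table_len = 4 + 12 * len(tags)
    body, entries = bytearray(), []
    for sig, elem in tags:
        entries.append((sig, HEADER_LEN + table_len + len(body), len(elem)))
        body += elem
        body += b"\x00" * (-len(body) % 4)    # elements are 4-byte aligned
    header = bytearray(HEADER_LEN)
    struct.pack_into(">I", header, 0, HEADER_LEN + table_len + len(body))
    header[36:40] = ACSP
    table = struct.pack(">I", len(tags))
    table += b"".join(sig + struct.pack(">II", off, size) for sig, off, size in entries)
    return bytes(header + table + body)


def scan_icc(data):
    """Return one finding per mAB/mBA tag whose CLUT offset lets the 16-byte loop
    run past the element. Mirrors the flawed check (`offset > length` rejects,
    so `offset == length` passes) and reports how many bytes would be overrun."""
    findings = []
    if len(data) < HEADER_LEN + 4 or data[36:40] != ACSP:
        return findings                       # not an ICC profile
    (count,) = struct.unpack_from(">I", data, HEADER_LEN)
    for i in range(count):
        entry = HEADER_LEN + 4 + 12 * i
        if entry + 12 > len(data):
            break                             # truncated tag table
        sig, off, size = struct.unpack_from(">4sII", data, entry)
        elem = data[off:off + size]
        if len(elem) < 32 or elem[:4] not in LUT_TYPES:
            continue
        (clut_off,) = struct.unpack_from(">I", elem, 24)   # big-endian "Offset to CLUT"
        if clut_off == 0:
            continue                          # assumption: zero means the element has no CLUT
        if clut_off > size:
            continue                          # the sips check itself rejects this case
        overrun = clut_off + LOOP_SPAN - size
        if overrun > 0:
            findings.append({
                "tag": sig.decode("latin-1"),
                "type": LUT_TYPES[elem[:4]],
                "clut_offset": clut_off,
                "element_length": size,
                "overrun_bytes": overrun,
            })
    return findings


def demo():
    """Scan a constructed profile holding one well-formed and one malicious LUT tag."""
    # Benign element: CLUT offset 32 with 20 bytes of CLUT data behind it.
    benign = build_lut_element(b"mAB ", 3, 3, 32, b"\x02" * 16 + b"\x01" + b"\x00" * 3)
    # Malicious element: CLUT offset equal to the element length (the trigger described above).
    evil = build_lut_element(b"mBA ", 3, 3, 32)
    return scan_icc(build_profile([(b"A2B0", benign), (b"B2A0", evil)]))


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

The scanner deliberately keeps the sips comparison (`offset > length`) rather than the correct one, so that a finding is reported exactly when the vulnerable loop would overrun; a well-formed CLUT carries at least 16 grid-point bytes plus a precision byte and padding after the offset, so conforming profiles are not flagged. A hardened parser would instead require `offset + 16 <= length` before touching the CLUT.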
Apple addressed this vulnerability with a security patch released in October 2024. No attacks exploiting CVE-2024-44236 have been observed in the wild to date.
However, as Apple has not provided alternative mitigations, users and administrators are strongly advised to apply the latest vendor patch to ensure protection against this critical RCE flaw.
The discovery and detailed analysis of CVE-2024-44236 underscore the importance of rigorous input validation and ongoing security research in safeguarding widely used operating systems like macOS.
The post macOS Vulnerability CVE-2024-44236 Allows Remote Code Execution appeared first on Cyber Security News.