Zero Day Initiative | Blog
Follow
CVE-2024-44236: Remote Code Execution vulnerability in Apple macOS
A code execution vulnerability was discovered in the Apple macOS operating system, specifically in the Scriptable Image Processing System (sips) utility. The vulnerability is due to the lack of proper validation of "lutAToBType" and "lutBToAType" tag types in ICC Profile files. A remote attacker can exploit this vulnerability by enticing a victim to open a crafted file, resulting in code execution on the victim's machine in the context of the running process. The vulnerability lies in the function sub_1000194D0(), which handles the tagged element data in ICC Profile files. The function does not properly validate the "Offset to CLUT" field value, allowing an attacker to set an offset equal to the total length of the tagged element data, causing the function to read and modify memory past the end of the heap-allocated buffer. A remote attacker can exploit this vulnerability by crafting a malicious ICC Profile file and enticing the victim to process it using a vulnerable version of sips tools. To detect an attack exploiting this vulnerability, detection devices must monitor and parse traffic on specific ports and services, and inspect the contents of ICC Profile files. The detection device should verify the Profile signature field and compute the size of the Tag Table, and inspect the tagged element data for suspicious activity. Apple has patched this vulnerability, and no attacks have been detected in the wild. It is recommended to apply the vendor patch to completely address this issue.