CVE-2022-26730 | ColorSync | Hoyt LLC

CVE-2022-26730 | A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation.


Executive Summary

A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.

Patch Available for: Mac Studio (2022), Mac Pro (2019 and later), MacBook Air (2018 and later), MacBook Pro (2017 and later), Mac mini (2018 and later), iMac (2017 and later), MacBook (2017), and iMac Pro (2017).

A memory corruption issue existed in the processing of ICC profiles

https://support.apple.com/en-us/HT213488

Prior Art

Google Project Zero identified out-of-bounds reads due to integer overflows in curve table initialization, detailed in P0-2226 and tracked as CVE-2021-30942.

The issue described in this report was found in the CMMLutTag::InitializeCurveTable method, as called by CMMLutTag::CMMLutTag during the initialization of A2B0/B2A0 tags of type mAB/mBA. The curve table consists of a number of curves of type ‘para’ (parametricCurveType) or ‘curv’ (curveType). The latter is represented in the color profile with the following structures (copied from https://www.color.org/icProfileHeader.h):

https://bugs.chromium.org/p/project-zero/issues/detail?id=2226
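The curve-table size check that P0-2226 and the curveType layout above describe, as an added C example that is not ColorSync code and not from the original post: a 32-bit size computation that wraps is shown beside the hardened check, both run over two constructed 'curv' elements. The element layout follows icProfileHeader.h; the function names and the sample bytes are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stdio.h>
/* Layout of a curveType ('curv') element from icProfileHeader.h, all big-endian:
 * sig[4] = 'curv', reserved[4], uint32 count, uint16 data[count]. */
#define CURV_HEADER_LEN 12u
#define CURV_SIG 0x63757276u /* 'curv' */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The pattern P0-2226 describes: the needed size is computed in 32 bits,
 * so a huge count wraps, passes the check, and later reads run off the tag.
 * Returns count on "success", -1 on rejection. */
int64_t curv_validate_unsafe(const uint8_t *tag, size_t tag_size) {
    if (tag_size < CURV_HEADER_LEN || be32(tag) != CURV_SIG) return -1;
    uint32_t count = be32(tag + 8);
    uint32_t needed = count * 2u + CURV_HEADER_LEN; /* wraps for count >= 0x7FFFFFFA */
    if (needed > tag_size) return -1;
    return count;
}

/* Hardened form: bound count by the space actually present in the tag,
 * dividing the remainder instead of multiplying an attacker-chosen count. */
int64_t curv_validate(const uint8_t *tag, size_t tag_size) {
    if (tag_size < CURV_HEADER_LEN || be32(tag) != CURV_SIG) return -1;
    uint32_t count = be32(tag + 8);
    size_t max_entries = (tag_size - CURV_HEADER_LEN) / 2;
    if (count > max_entries) return -1;
    return count;
}

/* Constructed samples: a well-formed 3-entry curve, and one whose count
 * field is 0x80000000 while only one 16-bit entry is actually present. */
static const uint8_t GOOD_CURV[] = { 'c','u','r','v', 0,0,0,0, 0,0,0,3,
                                     0x00,0x00, 0x80,0x00, 0xFF,0xFF };
static const uint8_t BAD_CURV[]  = { 'c','u','r','v', 0,0,0,0, 0x80,0,0,0,
                                     0x12,0x34 };

int main(void) {
    printf("good: unsafe=%lld safe=%lld\n",
           (long long)curv_validate_unsafe(GOOD_CURV, sizeof GOOD_CURV),
           (long long)curv_validate(GOOD_CURV, sizeof GOOD_CURV));
    printf("bad:  unsafe=%lld safe=%lld\n",
           (long long)curv_validate_unsafe(BAD_CURV, sizeof BAD_CURV),
           (long long)curv_validate(BAD_CURV, sizeof BAD_CURV));
    return 0;
}
```

The unsafe check accepts the second sample with a count of 2147483648 entries in a 14-byte tag; the hardened check rejects it.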

CVE-2022-26730

Overview

Found via PoC Replay of P0-2226 and disassembly of Patch for CVE-2021-30942

  • Keywords: ICC Color Profile, User Controllable Input, Input Validation, Mac, PoC
  • Operating System: macOS 12
  • Vendor Notification: March 2022
  • Vendor Resolution: October 2022
  • Vendor Fix: This issue was addressed with improved input validation by Apple
  • Vendor Source: https://support.apple.com/en-us/HT213488
  • Published: 10/31/2022
  • (Data Abort) byte read Translation fault
  • Bug Type == Incomplete Fix

CVE-2022-26730 curveType

Title: CVE-2022-26730
Description: A memory corruption issue existed in the processing of ICC profiles of macOS 12
Keywords: ICC Color Profile, User Controllable Input, Input Validation, Mac, PoC
Author: David Hoyt of Hoyt LLC
Operating System: macOS 12
Vendor Notification: March 2022
Vendor Resolution: October 2022
Vendor Fix: This issue was addressed with improved input validation by Apple
Vendor Source: https://support.apple.com/en-us/HT213488

As Google wrote, “curveType is represented in the color profile as defined in https://www.color.org/icProfileHeader.h”; tags such as ToA0Tag, AToB0Tag, A2B2, A2B1 and the other tags and their sizes are easy to fuzz programmatically.

ColorSync ICC Profile

Graphical View of a PoC ICC Color Profile for CVE-2022-26730 detailing the curveParameters using Colorsync:

The curveType is represented in the color profile as defined in https://www.color.org/icProfileHeader.h such as ToA0Tag, AToB0Tag, A2B2, A2B1 and other Tags and Sizes.

The issue described in this report was found in the CMMLutTag::InitializeCurveTable method, as called by CMMLutTag::CMMLutTag within the Multi-localized Strings Code. The Data Elements are Sources of User Controllable Input [UCI].

CVE-2022-26730
CMMLutTag::InitializeCurveTable(CMMLutTag::CMMCurveTable&, CMMMemMgr&, unsigned int, unsigned int, CMMTagDataAccess*, unsigned int*)  (in ColorSync)

A tainted source of UCI flowed into a sink, demonstrating that CVE-2022-26730 was a memory corruption issue in the processing of ICC profiles and that processing a maliciously crafted image may lead to arbitrary code execution.

Functional PoCs for CVE-2022-26730 may be released at a future point in time, given the lack of protection for consumers not using macOS 13 and the availability of prior art from which to begin exploit development.

The public domain PoC released today is a hand-rolled ICC profile that crashes ColorSync [macOS 12] on a null-byte read, available at https://xss.cx/2022/11/05/icc/Crash-CoreFoundation-CFDataGetLength-ColorSync-Crash-PoC-hand-crafted-to-hit-null-page-0x00-public-domain.icc.zip

X86_64 & arm64e Crash Reports
CVE-2022-27630 ICC Color Profile Arbitrary Data Read macOS 12 curv parameters

CVE-2022-26730 Targets

  • (1) ColorSync, Safari, Finder, Instruments and other Applications consuming ICC Profiles or Graphics Files with embedded ICC Profile on macOS 12
  • (2) Apple Developer Instruments programs had additional memory corruption issues addressed in macOS 13 as a Result of Feedback Reports: 21E258 | 13E113 | Instruments | Crash | .icc | ColorSync | PoC | OE089308559899 | FB9970176 | FB9970191 | FB9971897

CVE-2022-26730 PNG Fuzzing Exploit Container

CVE-2022-26730 Attack Styles

WateringHole, SpearPhishing, EmailBomb, Cross Site Scripting, Other

CVE-2022-26730 Use Case

Case #1: Attacker hand-rolls an ICC color profile named bad.icc, embeds it in good.png, and uses it in a campaign.

Case #2: Attacker crafts an HTML file referencing the malicious ICC profile or graphics picture and uses it in a campaign.

CVE-2022-26730 HTML Exploit Delivery Container

PoC Download

@media (color-gamut: p2) {
  @color-profile {
    name: p3;
    src: url(hxxps://xss.cx/..path.part../icc/cve-2022-26730-arbitrary-code-execution-user-controllable-input-poc-1.icc);
  }
}

Reporter CVSS v3.1 Vector Pro Forma for HTML Exploit Delivery: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:N/MUI:R/MS:C/MC:H/MI:H/MA:H

  • CVSS 3.1 Base Score: 8.8
  • Impact Subscore: 5.9
  • Exploitability Subscore: 2.8
  • CVSS Temporal Score: 8.4
  • CVSS Environmental Score: 8.0
  • Modified Impact Subscore: 6.1
  • Overall CVSS 3.1 Score: 8.0

Crash Reports

Knowledgebase

https://bugs.chromium.org/p/project-zero/issues/detail?id=2226

Issue 2226: Apple ColorSync: out-of-bounds reads due to integer overflows in curve table initialization

https://bugs.chromium.org/p/project-zero/issues/detail?id=2225

Issue 2225: Apple ColorSync: use of uninitialized memory in CMMNDimLinear::Interpolate

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26730

https://nvd.nist.gov/vuln/detail/CVE-2022-26730
