Security researchers Nikolai Skliarenko and Yazhi Wang of Trend Micro’s Research Team have disclosed critical details about CVE-2024-44236, a memory corruption vulnerability in Apple’s macOS Scriptable Image Processing System (sips).
Discovered by Hossein Lotfi through Trend Micro’s Zero Day Initiative, this flaw allows arbitrary code execution via maliciously crafted ICC profile files.
Patched in October 2024, the vulnerability highlights systemic risks in color management utilities widely used across Apple’s ecosystem.
The vulnerability stems from improper validation of lutAToBType and lutBToAType tags within International Color Consortium (ICC) profile files.
These standardized data structures, used to ensure color consistency across devices, contain a header, tag table, and tagged element data.
Attackers can exploit the sips command-line tool, preinstalled on all macOS systems, by submitting a malformed ICC profile that triggers an out-of-bounds (OOB) write in heap memory.
According to Trend Micro’s analysis, the flaw resides in how the sub_1000194D0() function processes the Offset to CLUT field within lutA/B tags.
When this offset equals the total length of the tagged element data, the function erroneously writes up to 16 bytes beyond the end of the allocated buffer.
This corruption can overwrite adjacent memory structures, potentially hijacking control flow to execute attacker-supplied code.
“The lack of bounds checking on CLUT offset values creates a trivial path for memory manipulation,” the researchers noted.
“A single malformed ICC profile could compromise systems through common workflows like image previews or automated processing services.”
Exploiting Color Lookup Table Offsets
ICC profiles use color lookup tables (CLUTs) to map input color channels to output values. The vulnerability triggers during CLUT validation in the following sequence:
- Tag Parsing: The sips tool extracts the CLUT_offset value from the lutA/B tag header.
- Boundary Check Failure: The function converts CLUT_offset from big-endian format but fails to validate that the offset still lies inside the buffer (an offset equal to the buffer length passes the check).
- OOB Access: If _CLUT_offset equals the buffer length (Length), the pointer CLUT_data_ptr references memory outside the allocated space.
- Forced Nullification: The loop in sub_1000194D0() iterates 16 times, nullifying bytes at CLUT_data_ptr[input_channel] when input_channel exceeds the declared number of input channels.
```c
// Vulnerable code snippet from sips-307
CLUT_offset = bswap32(v11->CLUT_offset);
if (_CLUT_offset > Length) goto LABEL_93;      // Rejects only offsets strictly greater than Length
CLUT_data_ptr = &MutableBytePtr[_CLUT_offset]; // Points beyond buffer if _CLUT_offset == Length
...
if (input_channel >= number_of_input_channels) {
    if (CLUT_data_ptr[input_channel]) {
        CLUT_data_ptr[input_channel] = 0;      // OOB write
    }
}
```
This code permits attackers to alter memory beyond the ICC profile buffer, potentially modifying function pointers or object metadata.
Subsequent operations, such as rendering the manipulated CLUT, could then execute injected shellcode or trigger application crashes.
Detection and Mitigation Strategies
Trend Micro’s report outlines network-based detection methods for organizations monitoring macOS environments. Suspicious ICC profiles exhibit these characteristics:
- Header Signature: Valid profiles must contain the 4-byte sequence \x61\x63\x73\x70 ("acsp") at offset 0x24.
- CLUT Offset Validation: Detection systems should flag files where the Offset to CLUT equals the Tag data size in lutA/B tags.
- Protocol Monitoring: Inspect ICC profiles transferred via HTTP(S), SMB, email protocols (SMTP/POP3/IMAP), and file-sharing services.
Apple addressed the flaw in macOS 15.0.1 updates, but unpatched systems remain vulnerable to drive-by attacks via weaponized images or documents.
“While no in-the-wild exploits have been observed, the simplicity of exploitation necessitates immediate patching,” the researchers warned. Enterprises should:
- Deploy network intrusion systems to block ICC profiles with invalid CLUT offsets.
- Audit workflows relying on sips for batch image processing.
- Segment macOS devices handling untrusted image files until updates are applied.
This disclosure underscores the risks of under-secured image parsing tools, a frequent attack surface in modern operating systems.
As color management grows more complex with HDR and wide-gamut displays, rigorous validation of graphic subsystems becomes critical to preventing memory corruption exploits.