CVE-2023-46603: Patches for stack buffer overflow at the icFixXml and global buffer overflow in the CIccPRMG::GetChroma functions by xsscx · Pull Request #53 · InternationalColorConsortium/DemoIccMAX

In International Color Consortium DemoIccMAX 79ecb74, there is an out-of-bounds read in the CIccPRMG::GetChroma function in IccProfLib/IccPrmg.cpp in libSampleICC.a.

Stack Buffer & Global Overflow Patches by @h02332 for DemoICCMax

Summary

There is a stack buffer overflow in the icFixXml function and a global buffer overflow in the CIccPRMG::GetChroma function.

Bug 1

There is a stack buffer overflow at the icFixXml function, which is defined in IccUtilXml.cpp at line 330. The overflow occurs on a variable named 'fix', which is defined in IccTagXml.cpp at line 337.

Error Details:
Error Type: Stack buffer overflow.
File: IccUtilXml.cpp
Function: icFixXml
Line: 330
Variable Affected: 'fix' (defined in IccTagXml.cpp at line 337)
Memory Affected: Address 0x7ff7b129ad20

PoC

./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
iccToXml(12862,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.

ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff7b129ad20 at pc 0x00010f569ed9 bp 0x7ff7b129ab70 sp 0x7ff7b129ab68
WRITE of size 1 at 0x7ff7b129ad20 thread T0
    #0 0x10f569ed8 in icFixXml(char*, char const*) IccUtilXml.cpp:330
    #1 0x10f4ff381 in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:353
    #2 0x10f4eb22a in CIccProfileXml::ToXmlWithBlanks(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccProfileXml.cpp:264
    #3 0x10f4e632c in CIccProfileXml::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:79
    #4 0x10ec6821f in main IccToXml.cpp:38
    #5 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)

Address 0x7ff7b129ad20 is located in stack of thread T0 at offset 288 in frame
    #0 0x10f4fed5f in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:336

  This frame has 7 object(s):
    [32, 288) 'fix' (line 337) <== Memory access at offset 288 overflows this variable
    [352, 608) 'buf' (line 338)
    [672, 928) 'data' (line 339)
    [992, 1016) 'datastr' (line 340)
    [1056, 1080) 'agg.tmp'
    [1120, 1144) 'ref.tmp' (line 351)
    [1184, 1208) 'ref.tmp45' (line 360)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
      (longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow IccUtilXml.cpp:330 in icFixXml(char*, char const*)
Shadow bytes around the buggy address:
  0x7ff7b129aa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ff7b129ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ff7b129ab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ff7b129ac00: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ff7b129ac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7ff7b129ad00: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00
  0x7ff7b129ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ff7b129ae00: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
  0x7ff7b129ae80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ff7b129af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x7ff7b129af80: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2

Expected Output

./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
XML successfully created
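
The write pattern behind Bug 1, restated as an added C example that is not DemoIccMAX's own code: the frame above gives 'fix' 256 bytes ([32, 288)), while XML escaping expands each '<', '>', '&', ''' or '"' of the source text into a 4- to 6-byte entity, so a copy loop that only stops when the source ends overruns the buffer on a long or entity-heavy description. The escape set, the function names and FIX_BUF are assumptions made for the illustration; the real icFixXml is not reproduced here. The hardened variant computes the escaped length first and refuses to write when the result would not fit.

```c
/* Added example (not DemoIccMAX code): the write pattern behind Bug 1.
 * Escaping text for XML grows the output by up to 6x per byte, so copying
 * into a fixed-size stack buffer without consulting its size overruns it. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define FIX_BUF 256   /* size of the on-stack 'fix' buffer in the ASan frame */

/* Entity for one source byte, or NULL when it is copied verbatim.
 * Escape set assumed for the illustration. */
static const char *xml_entity(char c)
{
    switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '\'': return "&apos;";
    case '"':  return "&quot;";
    default:   return NULL;
    }
}

/* VULNERABLE pattern: runs until the source ends and never looks at the
 * destination size. With a 256-byte dst, 300 plain bytes or 50 quotes
 * write past the buffer into the saved frame. Only called below after a
 * size check has proven the output fits. */
char *xml_escape_unbounded(char *dst, const char *src)
{
    char *p = dst;
    for (; *src; src++) {
        const char *e = xml_entity(*src);
        if (e) { size_t n = strlen(e); memcpy(p, e, n); p += n; }
        else   { *p++ = *src; }
    }
    *p = '\0';
    return dst;
}

/* Bytes the escaped form of src occupies, excluding the terminator. */
size_t xml_escaped_len(const char *src)
{
    size_t n = 0;
    for (; *src; src++) {
        const char *e = xml_entity(*src);
        n += e ? strlen(e) : 1;
    }
    return n;
}

/* 1 if escaping src would overrun a FIX_BUF-byte buffer. */
int would_overflow_fix(const char *src)
{
    return xml_escaped_len(src) + 1 > FIX_BUF;
}

/* Hardened: checks the required size first. Returns the escaped length,
 * or -1 (with dst emptied) when the result plus NUL does not fit in dst_len. */
int xml_escape_bounded(char *dst, size_t dst_len, const char *src)
{
    if (dst_len == 0) return -1;
    size_t need = xml_escaped_len(src);
    if (need + 1 > dst_len) { dst[0] = '\0'; return -1; }
    xml_escape_unbounded(dst, src);   /* safe: size proven above */
    return (int)need;
}

int main(void)
{
    char fix[FIX_BUF];
    /* Constructed inputs: 300 'a' bytes mirror the 0x61 pattern in the crash
     * register dump; 50 double quotes expand six-fold. */
    char plain[301], quotes[51];
    memset(plain, 'a', 300);  plain[300] = '\0';
    memset(quotes, '"', 50);  quotes[50] = '\0';

    printf("300 plain bytes need %zu, overflow=%d\n",
           xml_escaped_len(plain), would_overflow_fix(plain));
    printf("50 quotes need %zu, overflow=%d\n",
           xml_escaped_len(quotes), would_overflow_fix(quotes));
    printf("bounded(\"a<b\") -> %d, \"%s\"\n",
           xml_escape_bounded(fix, sizeof fix, "a<b"), fix);
    printf("bounded(plain) -> %d\n",
           xml_escape_bounded(fix, sizeof fix, plain));
    return 0;
}
```

The point of xml_escaped_len is that the bound depends on the content, not just the input length: 50 quote characters already need 300 bytes, so a check on strlen(src) < 256 alone is not enough. The caller that owns the 256-byte stack buffer has to pass its size down, or the escaper has to allocate the output itself.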

Bug 2

There is a global buffer overflow that can potentially be exploited to execute arbitrary code or lead to undefined behavior.

Error Details:
Error Type: Global buffer overflow.
File: IccPrmg.cpp
Function: CIccPRMG::GetChroma
Line: 163
Affected Variable: 'icPRMG_Chroma' defined in IccPrmg.cpp
Memory Affected: Address 0x000103847bf0

PoC

./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
iccRoundTrip(12888,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
=================================================================
==12888==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103847bf0 at pc 0x00010365ce45 bp 0x7ff7bd5f1a80 sp 0x7ff7bd5f1a78
READ of size 4 at 0x000103847bf0 thread T0
    #0 0x10365ce44 in CIccPRMG::GetChroma(float, float) IccPrmg.cpp:163
    #1 0x10365cefd in CIccPRMG::InGamut(float, float, float) IccPrmg.cpp:170
    #2 0x10365d151 in CIccPRMG::InGamut(float*) IccPrmg.cpp:183
    #3 0x10365de40 in CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:240
    #4 0x10365ea4e in CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:288
    #5 0x102913176 in main iccRoundTrip.cpp:177
    #6 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)

0x000103847bf0 is located 0 bytes after global variable 'icPRMG_Chroma' defined in '/Users/xss/Downloads/DemoIccMAX-master/IccProfLib/IccPrmg.cpp' (0x103847060) of size 2960
SUMMARY: AddressSanitizer: global-buffer-overflow IccPrmg.cpp:163 in CIccPRMG::GetChroma(float, float)
Shadow bytes around the buggy address:
  0x000103847900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000103847980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000103847a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000103847a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x000103847b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000103847b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9
  0x000103847c00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000103847c80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000103847d00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000103847d80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
  0x000103847e00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9

Expected Output

./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
iccRoundTrip(29379,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
Profile:          '/Users/xss/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc'
Rendering Intent: Relative Colorimetric
Specified Gamut:  Not Specified

Round Trip 1
------------
Min DeltaE:        0.00
Mean DeltaE:       1.46
Max DeltaE:        7.05

Max L, a, b:   32.481213, 7.808893, 7.558380

Round Trip 2
------------
Min DeltaE:        0.00
Mean DeltaE:       0.64
Max DeltaE:        2.81

Max L, a, b:   39.559242, 7.503039, -29.157310

PRMG Interoperability - Round Trip Results
------------------------------------------------------
DE <= 1.0 (   25388):  12.6%
DE <= 2.0 (   33627):  16.7%
DE <= 3.0 (   36466):  18.1%
DE <= 5.0 (   42342):  21.0%
DE <=10.0 (   58679):  29.1%
Total     (  201613)
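
The read pattern behind Bug 2, restated as an added C example that is not DemoIccMAX's own code: the report places the 4-byte read 0 bytes past the end of the 2960-byte global icPRMG_Chroma, which is what happens when float L* and hue values derived from the profile are truncated to integer steps and used as a table index with no domain check. The table geometry (21 L* steps by 36 hue steps), the step sizes and the function names are assumptions for the illustration, not the real layout. The checked variant rejects non-finite and out-of-domain L*, wraps hue (which is periodic) and only then indexes.

```c
/* Added example (not DemoIccMAX code): the table-lookup pattern behind Bug 2.
 * A global chroma table is indexed by integer steps derived from a float L*
 * and hue. The geometry below is assumed for this illustration; it is not
 * the real icPRMG_Chroma layout. */
#include <stddef.h>
#include <stdio.h>

#define L_STEPS   21      /* assumed: L* 0..100 in steps of 5, inclusive */
#define HUE_STEPS 36      /* assumed: hue 0..350 in steps of 10 */
#define TABLE_LEN (L_STEPS * HUE_STEPS)

static float g_chroma[TABLE_LEN];   /* stands in for the global icPRMG_Chroma */

/* Constructed contents: entry i holds the value i, so a lookup result can
 * be checked against the index it should have used. */
void init_table(void)
{
    for (size_t i = 0; i < TABLE_LEN; i++) g_chroma[i] = (float)i;
}

/* Flat index the unchecked lookup would use. Exposed so a caller can see
 * an overrun without actually performing the out-of-bounds read. */
long unchecked_index(float L, float hue)
{
    long li = (long)(L / 5.0f);
    long hi = (long)(hue / 10.0f);
    return li * HUE_STEPS + hi;
}

/* VULNERABLE pattern: no domain check. L*=150 indexes entry 1080 of a
 * 756-entry array; a NaN from a malformed profile makes the float->integer
 * cast itself undefined behaviour. Never called in this file. */
float get_chroma_unchecked(float L, float hue)
{
    return g_chroma[unchecked_index(L, hue)];
}

/* x - x is 0 only for finite x (NaN and infinity both give NaN), so this
 * finiteness test needs no math.h / libm. */
static int finite_f(float x) { return x - x == 0.0f; }

/* Hardened lookup. Returns -1 for non-finite input or L* outside the
 * table's domain (the caller should treat that as out of gamut rather than
 * read whatever lies past the table), wraps hue into [0,360) because hue
 * is periodic, and indexes only within TABLE_LEN. */
int get_chroma_checked(float L, float hue, float *out)
{
    if (!finite_f(L) || !finite_f(hue)) return -1;
    if (L < 0.0f || L > 100.0f) return -1;
    if (hue < -1.0e6f || hue > 1.0e6f) return -1;  /* keeps the cast below defined */
    long turns = (long)(hue / 360.0f);
    hue -= 360.0f * (float)turns;
    if (hue < 0.0f) hue += 360.0f;
    if (hue >= 360.0f) hue -= 360.0f;             /* rounding guard */
    long li = (long)(L / 5.0f);                   /* 0..20 */
    long hi = (long)(hue / 10.0f);                /* 0..35 */
    long idx = li * HUE_STEPS + hi;
    if (idx < 0 || idx >= TABLE_LEN) return -1;   /* belt and braces */
    *out = g_chroma[idx];
    return 0;
}

int main(void)
{
    float c;
    init_table();
    printf("unchecked index for L*=150, hue=0: %ld (table has %d entries)\n",
           unchecked_index(150.0f, 0.0f), TABLE_LEN);
    printf("checked L*=150: %d\n", get_chroma_checked(150.0f, 0.0f, &c));
    printf("checked L*=50, hue=370: %d -> entry %.0f\n",
           get_chroma_checked(50.0f, 370.0f, &c), c);
    return 0;
}
```

A separate "out of gamut" return is deliberate: clamping L*=150 to 100 would silently report a point as in gamut that the profile never should have produced, while a refusal lets iccRoundTrip count it as a bad sample instead of trusting bytes past the end of the table.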

Build

cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_FLAGS="-g -fsanitize=address -fno-omit-frame-pointer -Wall -std=c++17" ../Build/Cmake
make

Testing

OS

ProductName:        macOS
ProductVersion:     14.0
BuildVersion:       23A344

Platform

Data

Various inputs from CVE-2022-26730 and CVE-2023-32443 were used as PoCs.

Crash Reports

icFixXml(char*, char const*) + 410

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_BAD_ACCESS (SIGSEGV)
Exception Codes:       KERN_INVALID_ADDRESS at 0x00007ff7b34d7000
Exception Codes:       0x0000000000000001, 0x00007ff7b34d7000

Termination Reason:    Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process:   exc handler [9557]

VM Region Info: 0x7ff7b34d7000 is not in any region.  Bytes after previous region: 1  Bytes before following region: 1519771648
      REGION TYPE                    START - END         [ VSIZE] PRT/MAX SHRMOD  REGION DETAIL
      Stack                    7ff7b2cd7000-7ff7b34d7000 [ 8192K] rw-/rwx SM=SHM  thread 0
--->  GAP OF 0x5a95e000 BYTES
      unused __TEXT            7ff80de35000-7ff80de9d000 [  416K] r-x/r-x SM=COW  ...ed lib __TEXT

Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   iccToXml                               0x10cadb4fa icFixXml(char*, char const*) + 410
1   iccToXml                               0x10ca90027 CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) + 1431
2   ???                             0x6161616161616161 ???


Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x00007ff7b34d7000  rbx: 0x000000010d301bf0  rcx: 0x0000000000000061  rdx: 0x00007ff7b34d7001
  rdi: 0x00007ff7b34d6e62  rsi: 0x00007ff7b34d6e68  rbp: 0x00007ff7b34d4310  rsp: 0x00007ff7b34d42b0
   r8: 0x0000000000000006   r9: 0x0000000000000000  r10: 0x000000000000000d  r11: 0x00007ff6a68674fd
  r12: 0x00007ff7b34d6600  r13: 0x0000000000000000  r14: 0x000000010ca2b650  r15: 0x00007ff7b34d6780
  rip: 0x000000010cadb4fa  rfl: 0x0000000000010202  cr2: 0x00007ff7b34d7000
  
Logical CPU:     0
Error Code:      0x00000006 (no mapping for user data write)
Trap Number:     14

Thread 0 instruction stream:
  44 19 00 e8 42 52 17 00-48 8b 75 e8 48 81 c6 04  D...BR..H.u.H...
  00 00 00 48 89 75 e8 48-89 45 a8 e9 42 00 00 00  ...H.u.H.E..B...
  48 8b 7d e8 48 8d 35 ac-44 19 00 e8 1a 52 17 00  H.}.H.5.D....R..
  48 8b 75 e8 48 81 c6 04-00 00 00 48 89 75 e8 48  H.u.H......H.u.H
  89 45 a0 e9 1a 00 00 00-48 8b 45 f0 8a 08 48 8b  .E......H.E...H.
  45 e8 48 89 c2 48 81 c2-01 00 00 00 48 89 55 e8  E.H..H......H.U.
 [88]08 48 8b 45 f0 48 05-01 00 00 00 48 89 45 f0  ..H.E.H.....H.E. <==
  e9 69 fe ff ff 48 8b 45-e8 c6 00 00 48 8b 45 f8  .i...H.E....H.E.
  48 83 c4 60 5d c3 55 48-89 e5 48 83 ec 20 48 89  H..`].UH..H.. H.
  7d f8 48 89 75 f0 89 55-ec 48 8b 7d f8 48 8b 75  }.H.u..U.H.}.H.u
  f0 48 63 55 ec e8 ac f0-ff ff 48 8b 7d f8 88 45  .HcU......H.}..E
  eb e8 76 33 17 00 48 83-c4 20 5d c3 66 2e 0f 1f  ..v3..H.. ].f...

CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)

Crashed Thread:        0  Dispatch queue: com.apple.main-thread

Exception Type:        EXC_CRASH (SIGABRT)
Exception Codes:       0x0000000000000000, 0x0000000000000000

Termination Reason:    Namespace SIGNAL, Code 6 Abort trap: 6
Terminating Process:   iccRoundTrip [12888]

Application Specific Information:
abort() called


Thread 0 Crashed::  Dispatch queue: com.apple.main-thread
0   libsystem_kernel.dylib              0x7ff80e2357a6 __pthread_kill + 10
1   libsystem_pthread.dylib             0x7ff80e26df30 pthread_kill + 262
2   libsystem_c.dylib                   0x7ff80e18ca4d abort + 126
3   libclang_rt.asan_osx_dynamic.dylib         0x103b39516 __sanitizer::Abort() + 70
4   libclang_rt.asan_osx_dynamic.dylib         0x103b38c74 __sanitizer::Die() + 196
5   libclang_rt.asan_osx_dynamic.dylib         0x103b1cf2a __asan::ScopedInErrorReport::~ScopedInErrorReport() + 1178
6   libclang_rt.asan_osx_dynamic.dylib         0x103b1c1dd __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 1773
7   libclang_rt.asan_osx_dynamic.dylib         0x103b1d448 __asan_report_load4 + 40
8   libIccProfLib2.2.1.15.dylib            0x10365ce45 CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)
9   libIccProfLib2.2.1.15.dylib            0x10365cefe CIccPRMG::InGamut(float, float, float) + 46 (IccPrmg.cpp:170)
10  libIccProfLib2.2.1.15.dylib            0x10365d152 CIccPRMG::InGamut(float*) + 498 (IccPrmg.cpp:183)
11  libIccProfLib2.2.1.15.dylib            0x10365de41 CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) + 3169 (IccPrmg.cpp:240)
12  libIccProfLib2.2.1.15.dylib            0x10365ea4f CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) + 111 (IccPrmg.cpp:288)
13  iccRoundTrip                           0x102913177 main + 1063 (iccRoundTrip.cpp:177)
14  dyld                                0x7ff80dee53a6 start + 1942


Thread 0 crashed with X86 Thread State (64-bit):
  rax: 0x0000000000000000  rbx: 0x0000000000000006  rcx: 0x00007ff7bd5f0ce8  rdx: 0x0000000000000000
  rdi: 0x0000000000000103  rsi: 0x0000000000000006  rbp: 0x00007ff7bd5f0d10  rsp: 0x00007ff7bd5f0ce8
   r8: 0x00001ffef7abe1a0   r9: 0x0000000000000000  r10: 0x0000000000000000  r11: 0x0000000000000246
  r12: 0x0000000000000103  r13: 0x2000000000000000  r14: 0x00007ff851846e80  r15: 0x0000000000000016
  rip: 0x00007ff80e2357a6  rfl: 0x0000000000000246  cr2: 0x0000000103ac44b0
  
Logical CPU:     0
Error Code:      0x02000148 
Trap Number:     133


Binary Images:
       0x1034bb000 -        0x103836fff libIccProfLib2.2.1.15.dylib (*) <f2dc6eae-a665-30af-bc63-7f6b8c876dad> /Users/USER/Downloads/*/libIccProfLib2.2.1.15.dylib
       0x103a37000 -        0x103b66fff libclang_rt.asan_osx_dynamic.dylib (*) <b5a35b2f-2e39-33dc-88c4-cd4db0ffc80b> /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/15.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
       0x10290d000 -        0x102914fff iccRoundTrip (*) <a4db0180-b77f-39cc-bc80-71c3e8b6bbb3> /Users/USER/Downloads/*/iccRoundTrip
    0x7ff80e22d000 -     0x7ff80e267ff7 libsystem_kernel.dylib (*) <3690c1fc-599f-39ff-bbdb-85422e9a996c> /usr/lib/system/libsystem_kernel.dylib
    0x7ff80e268000 -     0x7ff80e273fff libsystem_pthread.dylib (*) <33c43114-85f0-3f32-86d7-8e6a2403d38c> /usr/lib/system/libsystem_pthread.dylib
    0x7ff80e10d000 -     0x7ff80e194fff libsystem_c.dylib (*) <3e9a5bfa-50c0-3a96-9291-4826c62d1182> /usr/lib/system/libsystem_c.dylib
    0x7ff80dedf000 -     0x7ff80df7b2ff dyld (*) <1289b60a-4980-342d-b1a4-250bbee392f1> /usr/lib/dyld
               0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???

Caveat: Opening Malicious ICC Color Profiles may result in Remote Code Execution in the context of the User

Related news

CVE-2023-46867: Bugs from Fuzzing · Issue #54 · InternationalColorConsortium/DemoIccMAX

In International Color Consortium DemoIccMAX 79ecb74, CIccXformMatrixTRC::GetCurve in IccCmm.cpp in libSampleICC.a has a NULL pointer dereference.

CVE-2023-40440: About the security content of macOS Monterey 12.6.8

This issue was addressed with improved state management of S/MIME encrypted emails. This issue is fixed in macOS Monterey 12.6.8. A S/MIME encrypted email may be inadvertently sent unencrypted.

CVE-2023-36854: About the security content of macOS Big Sur 11.7.9

The issue was addressed with improved checks. This issue is fixed in macOS Monterey 12.6.8, macOS Ventura 13.5, macOS Big Sur 11.7.9. Processing a file may lead to unexpected app termination or arbitrary code execution.

CVE-2023-38410: About the security content of macOS Ventura 13.5

The issue was addressed with improved checks. This issue is fixed in iOS 16.6 and iPadOS 16.6, macOS Ventura 13.5. A user may be able to elevate privileges.

Apple Security Advisory 2023-07-24-6

Apple Security Advisory 2023-07-24-6 - macOS Big Sur 11.7.9 addresses code execution, out of bounds read, and use-after-free vulnerabilities.

Apple Security Advisory 2023-07-24-5

Apple Security Advisory 2023-07-24-5 - macOS Monterey 12.6.8 addresses code execution, out of bounds read, and use-after-free vulnerabilities.

Apple Security Advisory 2023-07-24-4

Apple Security Advisory 2023-07-24-4 - macOS Ventura 13.5 addresses bypass, code execution, out of bounds read, and use-after-free vulnerabilities.

CVE-2022-26730: About the security content of macOS Ventura 13

A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation. This issue is fixed in macOS Ventura 13. Processing a maliciously crafted image may lead to arbitrary code execution.