CVE-2023-46603: Patches for stack buffer overflow at the icFixXml and global buffer overflow in the CIccPRMG::GetChroma functions by xsscx · Pull Request #53 · InternationalColorConsortium/DemoIccMAX
In International Color Consortium DemoIccMAX 79ecb74, there is an out-of-bounds read in the CIccPRMG::GetChroma function in IccProfLib/IccPrmg.cpp in libSampleICC.a.
Stack Buffer & Global Overflow Patches by @h02332 for DemoICCMax
Summary
There is a stack buffer overflow at the icFixXml function and there is a global buffer overflow in the CIccPRMG::GetChroma function.
Bug 1
There is a stack buffer overflow at the icFixXml function, which is defined in IccUtilXml.cpp at line 330. The overflow occurs on a variable named 'fix', which is defined in IccTagXml.cpp at line 337.
Error Details:
Error Type: Stack buffer overflow.
File: IccUtilXml.cpp
Function: icFixXml
Line: 330
Variable Affected: 'fix' (defined in IccTagXml.cpp at line 337)
Memory Affected: Address 0x7ff7b129ad20
PoC
./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
iccToXml(12862,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ff7b129ad20 at pc 0x00010f569ed9 bp 0x7ff7b129ab70 sp 0x7ff7b129ab68
WRITE of size 1 at 0x7ff7b129ad20 thread T0
#0 0x10f569ed8 in icFixXml(char*, char const*) IccUtilXml.cpp:330
#1 0x10f4ff381 in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:353
#2 0x10f4eb22a in CIccProfileXml::ToXmlWithBlanks(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccProfileXml.cpp:264
#3 0x10f4e632c in CIccProfileXml::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&) IccProfileXml.cpp:79
#4 0x10ec6821f in main IccToXml.cpp:38
#5 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
Address 0x7ff7b129ad20 is located in stack of thread T0 at offset 288 in frame
#0 0x10f4fed5f in CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) IccTagXml.cpp:336
This frame has 7 object(s):
[32, 288) 'fix' (line 337) <== Memory access at offset 288 overflows this variable
[352, 608) 'buf' (line 338)
[672, 928) 'data' (line 339)
[992, 1016) 'datastr' (line 340)
[1056, 1080) 'agg.tmp'
[1120, 1144) 'ref.tmp' (line 351)
[1184, 1208) 'ref.tmp45' (line 360)
HINT: this may be a false positive if your program uses some custom stack unwind mechanism, swapcontext or vfork
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow IccUtilXml.cpp:330 in icFixXml(char*, char const*)
Shadow bytes around the buggy address:
0x7ff7b129aa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7b129ab00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7b129ab80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7b129ac00: f1 f1 f1 f1 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7b129ac80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x7ff7b129ad00: 00 00 00 00[f2]f2 f2 f2 f2 f2 f2 f2 00 00 00 00
0x7ff7b129ad80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7b129ae00: 00 00 00 00 00 00 00 00 00 00 00 00 f2 f2 f2 f2
0x7ff7b129ae80: f2 f2 f2 f2 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7b129af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x7ff7b129af80: 00 00 00 00 f2 f2 f2 f2 f2 f2 f2 f2 00 00 00 f2
Expected Output
./iccToXml ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc new.xml
XML successfully created
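The defect class behind Bug 1, as an added example that is not DemoIccMAX code: an XML-escaping routine that fills a fixed-size stack buffer with no length check, beside a bounded rewrite. The escaping rules and the 256-byte size are assumptions taken from the ASan frame ([32, 288) 'fix'), not the project's real implementation.

```cpp
// Added example (not DemoIccMAX code): the icFixXml defect class, a fixed-size
// stack buffer filled without a length check, beside a bounded rewrite.
// Escaping rules and buffer size are assumptions taken from the ASan frame
// ([32, 288) 'fix' is 256 bytes), not the project's actual implementation.
#include <cstddef>
#include <cstring>

static const char* xmlEntity(char c) {
  switch (c) {
    case '<':  return "&lt;";
    case '>':  return "&gt;";
    case '&':  return "&amp;";
    case '"':  return "&quot;";
    case '\'': return "&apos;";
    default:   return nullptr;
  }
}

// Unsafe pattern: escapes into 'fix' and trusts it to be large enough. A
// description longer than the buffer, or one dense in '&' (which grows
// five-fold), writes past the end, which is what ASan reported as
// stack-buffer-overflow.
void fixXmlUnchecked(char* fix, const char* str) {
  char* p = fix;
  for (; *str; ++str) {
    const char* ent = xmlEntity(*str);
    if (ent) { std::strcpy(p, ent); p += std::strlen(ent); }
    else     { *p++ = *str; }
  }
  *p = '\0';
}

// Bounded rewrite: every write is checked against the caller-supplied
// capacity, including the terminating NUL. Returns false instead of
// overflowing; on success the output is always NUL-terminated.
bool fixXmlBounded(char* fix, std::size_t cap, const char* str) {
  if (cap == 0) return false;
  std::size_t n = 0;
  for (; *str; ++str) {
    const char* ent = xmlEntity(*str);
    std::size_t len = ent ? std::strlen(ent) : 1;
    if (n + len >= cap) { fix[0] = '\0'; return false; }  // no room for data + NUL
    if (ent) std::memcpy(fix + n, ent, len); else fix[n] = *str;
    n += len;
  }
  fix[n] = '\0';
  return true;
}
```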
Bug 2
There is a global buffer overflow that can potentially be exploited to execute arbitrary code or lead to undefined behavior.
Error Details:
Error Type: Global buffer overflow.
File: IccPrmg.cpp
Function: CIccPRMG::GetChroma
Line: 163
Affected Variable: 'icPRMG_Chroma' defined in IccPrmg.cpp
Memory Affected: Address 0x000103847bf0
PoC
./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
iccRoundTrip(12888,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
=================================================================
==12888==ERROR: AddressSanitizer: global-buffer-overflow on address 0x000103847bf0 at pc 0x00010365ce45 bp 0x7ff7bd5f1a80 sp 0x7ff7bd5f1a78
READ of size 4 at 0x000103847bf0 thread T0
#0 0x10365ce44 in CIccPRMG::GetChroma(float, float) IccPrmg.cpp:163
#1 0x10365cefd in CIccPRMG::InGamut(float, float, float) IccPrmg.cpp:170
#2 0x10365d151 in CIccPRMG::InGamut(float*) IccPrmg.cpp:183
#3 0x10365de40 in CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:240
#4 0x10365ea4e in CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) IccPrmg.cpp:288
#5 0x102913176 in main iccRoundTrip.cpp:177
#6 0x7ff80dee53a5 in start+0x795 (dyld:x86_64+0xfffffffffff5c3a5)
0x000103847bf0 is located 0 bytes after global variable 'icPRMG_Chroma' defined in '/Users/xss/Downloads/DemoIccMAX-master/IccProfLib/IccPrmg.cpp' (0x103847060) of size 2960
SUMMARY: AddressSanitizer: global-buffer-overflow IccPrmg.cpp:163 in CIccPRMG::GetChroma(float, float)
Shadow bytes around the buggy address:
0x000103847900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000103847980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000103847a00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000103847a80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x000103847b00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x000103847b80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00[f9]f9
0x000103847c00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000103847c80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000103847d00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000103847d80: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
0x000103847e00: f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9 f9
Expected Output
./iccRoundTrip ~/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc
iccRoundTrip(29379,0x7ff851846e80) malloc: nano zone abandoned due to inability to reserve vm space.
Profile: '/Users/xss/Documents/colorsync-0x10ef92785-0x10ef8f000-hoyt-03172023-baseline-poc-003333.icc'
Rendering Intent: Relative Colorimetric
Specified Gamut: Not Specified
Round Trip 1
------------
Min DeltaE: 0.00
Mean DeltaE: 1.46
Max DeltaE: 7.05
Max L, a, b: 32.481213, 7.808893, 7.558380
Round Trip 2
------------
Min DeltaE: 0.00
Mean DeltaE: 0.64
Max DeltaE: 2.81
Max L, a, b: 39.559242, 7.503039, -29.157310
PRMG Interoperability - Round Trip Results
------------------------------------------------------
DE <= 1.0 ( 25388): 12.6%
DE <= 2.0 ( 33627): 16.7%
DE <= 3.0 ( 36466): 18.1%
DE <= 5.0 ( 42342): 21.0%
DE <=10.0 ( 58679): 29.1%
Total ( 201613)
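The defect class behind Bug 2, as an added example that is not DemoIccMAX code: a global lookup table indexed by values computed from float inputs, with no range check on the resulting index, beside a checked version. The table size and the (lightness, hue) bin layout are assumptions for illustration; the page only states that the real icPRMG_Chroma is 2960 bytes and that a 4-byte read landed 0 bytes past its end.

```cpp
// Added example (not DemoIccMAX code): the CIccPRMG::GetChroma defect class,
// a global table indexed from float inputs without a range check on the
// computed index. Bin counts and the (L, hue) layout are assumptions; the
// real icPRMG_Chroma is only known from the page to be 2960 bytes long.
#include <cmath>
#include <cstddef>
#include <optional>

namespace {
constexpr std::size_t kLBins = 3;    // assumed: lightness bins over 0..100
constexpr std::size_t kHueBins = 4;  // assumed: hue bins over 0..360 degrees
// Constructed sample table standing in for the global icPRMG_Chroma.
constexpr float kChroma[kLBins * kHueBins] = {
  10.f, 12.f, 14.f, 16.f,
  20.f, 22.f, 24.f, 26.f,
  30.f, 32.f, 34.f, 36.f,
};
}  // namespace

// Unchecked pattern: L == 100 or hue == 360 maps to one bin past the last
// row or column, so the read spills past the array, as ASan reported
// (global-buffer-overflow, 0 bytes after the variable). Only safe for
// inputs already known to be in range.
float getChromaUnchecked(float L, float hue) {
  std::size_t li = static_cast<std::size_t>(L / 100.0f * kLBins);
  std::size_t hi = static_cast<std::size_t>(hue / 360.0f * kHueBins);
  return kChroma[li * kHueBins + hi];
}

// Checked version: rejects NaN/inf and out-of-range lightness, wraps hue
// into [0, 360), clamps each bin index, and guards the final index so no
// rounding surprise can read past the table. Returns nullopt, not garbage.
std::optional<float> getChromaChecked(float L, float hue) {
  if (!std::isfinite(L) || !std::isfinite(hue)) return std::nullopt;
  if (L < 0.0f || L > 100.0f) return std::nullopt;
  hue = std::fmod(hue, 360.0f);
  if (hue < 0.0f) hue += 360.0f;           // now in [0, 360), bar rounding
  std::size_t li = static_cast<std::size_t>(L / 100.0f * kLBins);
  std::size_t hi = static_cast<std::size_t>(hue / 360.0f * kHueBins);
  if (li >= kLBins) li = kLBins - 1;       // L == 100 lands on the last bin
  if (hi >= kHueBins) hi = kHueBins - 1;   // hue += 360 may round up to 360
  std::size_t idx = li * kHueBins + hi;
  if (idx >= kLBins * kHueBins) return std::nullopt;  // belt and braces
  return kChroma[idx];
}
```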
Build
cmake -DCMAKE_INSTALL_PREFIX=$HOME/.local -DCMAKE_BUILD_TYPE=Debug -DCMAKE_CXX_FLAGS="-g -fsanitize=address -fno-omit-frame-pointer -Wall -std=c++17" ../Build/Cmake
make
Testing
OS
ProductName: macOS
ProductVersion: 14.0
BuildVersion: 23A344
Platform
Data
Various inputs from CVE-2022-26730 and CVE-2023-32443 were used as PoCs
Crash Reports
icFixXml(char*, char const*) + 410
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_BAD_ACCESS (SIGSEGV)
Exception Codes: KERN_INVALID_ADDRESS at 0x00007ff7b34d7000
Exception Codes: 0x0000000000000001, 0x00007ff7b34d7000
Termination Reason: Namespace SIGNAL, Code 11 Segmentation fault: 11
Terminating Process: exc handler [9557]
VM Region Info: 0x7ff7b34d7000 is not in any region. Bytes after previous region: 1 Bytes before following region: 1519771648
REGION TYPE START - END [ VSIZE] PRT/MAX SHRMOD REGION DETAIL
Stack 7ff7b2cd7000-7ff7b34d7000 [ 8192K] rw-/rwx SM=SHM thread 0
---> GAP OF 0x5a95e000 BYTES
unused __TEXT 7ff80de35000-7ff80de9d000 [ 416K] r-x/r-x SM=COW ...ed lib __TEXT
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 iccToXml 0x10cadb4fa icFixXml(char*, char const*) + 410
1 iccToXml 0x10ca90027 CIccTagXmlTextDescription::ToXml(std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>&, std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char>>) + 1431
2 ??? 0x6161616161616161 ???
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x00007ff7b34d7000 rbx: 0x000000010d301bf0 rcx: 0x0000000000000061 rdx: 0x00007ff7b34d7001
rdi: 0x00007ff7b34d6e62 rsi: 0x00007ff7b34d6e68 rbp: 0x00007ff7b34d4310 rsp: 0x00007ff7b34d42b0
r8: 0x0000000000000006 r9: 0x0000000000000000 r10: 0x000000000000000d r11: 0x00007ff6a68674fd
r12: 0x00007ff7b34d6600 r13: 0x0000000000000000 r14: 0x000000010ca2b650 r15: 0x00007ff7b34d6780
rip: 0x000000010cadb4fa rfl: 0x0000000000010202 cr2: 0x00007ff7b34d7000
Logical CPU: 0
Error Code: 0x00000006 (no mapping for user data write)
Trap Number: 14
CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)
Crashed Thread: 0 Dispatch queue: com.apple.main-thread
Exception Type: EXC_CRASH (SIGABRT)
Exception Codes: 0x0000000000000000, 0x0000000000000000
Termination Reason: Namespace SIGNAL, Code 6 Abort trap: 6
Terminating Process: iccRoundTrip [12888]
Application Specific Information:
abort() called
Thread 0 Crashed:: Dispatch queue: com.apple.main-thread
0 libsystem_kernel.dylib 0x7ff80e2357a6 __pthread_kill + 10
1 libsystem_pthread.dylib 0x7ff80e26df30 pthread_kill + 262
2 libsystem_c.dylib 0x7ff80e18ca4d abort + 126
3 libclang_rt.asan_osx_dynamic.dylib 0x103b39516 __sanitizer::Abort() + 70
4 libclang_rt.asan_osx_dynamic.dylib 0x103b38c74 __sanitizer::Die() + 196
5 libclang_rt.asan_osx_dynamic.dylib 0x103b1cf2a __asan::ScopedInErrorReport::~ScopedInErrorReport() + 1178
6 libclang_rt.asan_osx_dynamic.dylib 0x103b1c1dd __asan::ReportGenericError(unsigned long, unsigned long, unsigned long, unsigned long, bool, unsigned long, unsigned int, bool) + 1773
7 libclang_rt.asan_osx_dynamic.dylib 0x103b1d448 __asan_report_load4 + 40
8 libIccProfLib2.2.1.15.dylib 0x10365ce45 CIccPRMG::GetChroma(float, float) + 1093 (IccPrmg.cpp:163)
9 libIccProfLib2.2.1.15.dylib 0x10365cefe CIccPRMG::InGamut(float, float, float) + 46 (IccPrmg.cpp:170)
10 libIccProfLib2.2.1.15.dylib 0x10365d152 CIccPRMG::InGamut(float*) + 498 (IccPrmg.cpp:183)
11 libIccProfLib2.2.1.15.dylib 0x10365de41 CIccPRMG::EvaluateProfile(CIccProfile*, icRenderingIntent, icXformInterp, bool) + 3169 (IccPrmg.cpp:240)
12 libIccProfLib2.2.1.15.dylib 0x10365ea4f CIccPRMG::EvaluateProfile(char const*, icRenderingIntent, icXformInterp, bool) + 111 (IccPrmg.cpp:288)
13 iccRoundTrip 0x102913177 main + 1063 (iccRoundTrip.cpp:177)
14 dyld 0x7ff80dee53a6 start + 1942
Thread 0 crashed with X86 Thread State (64-bit):
rax: 0x0000000000000000 rbx: 0x0000000000000006 rcx: 0x00007ff7bd5f0ce8 rdx: 0x0000000000000000
rdi: 0x0000000000000103 rsi: 0x0000000000000006 rbp: 0x00007ff7bd5f0d10 rsp: 0x00007ff7bd5f0ce8
r8: 0x00001ffef7abe1a0 r9: 0x0000000000000000 r10: 0x0000000000000000 r11: 0x0000000000000246
r12: 0x0000000000000103 r13: 0x2000000000000000 r14: 0x00007ff851846e80 r15: 0x0000000000000016
rip: 0x00007ff80e2357a6 rfl: 0x0000000000000246 cr2: 0x0000000103ac44b0
Logical CPU: 0
Error Code: 0x02000148
Trap Number: 133
Binary Images:
0x1034bb000 - 0x103836fff libIccProfLib2.2.1.15.dylib (*) <f2dc6eae-a665-30af-bc63-7f6b8c876dad> /Users/USER/Downloads/*/libIccProfLib2.2.1.15.dylib
0x103a37000 - 0x103b66fff libclang_rt.asan_osx_dynamic.dylib (*) <b5a35b2f-2e39-33dc-88c4-cd4db0ffc80b> /Applications/Xcode.app/Contents/Developer/Toolchains/XcodeDefault.xctoolchain/usr/lib/clang/15.0.0/lib/darwin/libclang_rt.asan_osx_dynamic.dylib
0x10290d000 - 0x102914fff iccRoundTrip (*) <a4db0180-b77f-39cc-bc80-71c3e8b6bbb3> /Users/USER/Downloads/*/iccRoundTrip
0x7ff80e22d000 - 0x7ff80e267ff7 libsystem_kernel.dylib (*) <3690c1fc-599f-39ff-bbdb-85422e9a996c> /usr/lib/system/libsystem_kernel.dylib
0x7ff80e268000 - 0x7ff80e273fff libsystem_pthread.dylib (*) <33c43114-85f0-3f32-86d7-8e6a2403d38c> /usr/lib/system/libsystem_pthread.dylib
0x7ff80e10d000 - 0x7ff80e194fff libsystem_c.dylib (*) <3e9a5bfa-50c0-3a96-9291-4826c62d1182> /usr/lib/system/libsystem_c.dylib
0x7ff80dedf000 - 0x7ff80df7b2ff dyld (*) <1289b60a-4980-342d-b1a4-250bbee392f1> /usr/lib/dyld
0x0 - 0xffffffffffffffff ??? (*) <00000000-0000-0000-0000-000000000000> ???
Caveat: Opening Malicious ICC Color Profiles may result in Remote Code Execution in the context of the User