abelrguezr/sips-icc-oob-write-exploit
skills/binary-exploitation/arbitrary-write-2-exec/aw2exec-sips-icc-profile/SKILL.md
How to understand, test, and detect the macOS sips ICC profile out-of-bounds write vulnerability (CVE-2024-44236). Use this skill whenever the user mentions ICC profiles, sips vulnerability, CVE-2024-44236, macOS image processing exploits, heap corruption in color profiles, or needs to generate malicious ICC test files for security research. Also trigger for YARA rule creation for ICC anomalies, macOS security patching verification, or when analyzing embedded color profile attacks.
$ install --global
skillsauthnpx skillsauth add abelrguezr/hacktricks-skills sips-icc-oob-write-exploitInstall this skill globally with one command. Works with Claude Code, Cursor, and Windsurf.
Security Scan Results
3 of 9 scanners reported clean
Some scanners were skipped, did not run, or reported a non-clean status. Review each row below.
3
Scanners Passed
9
Scanners in report
Clean
TrivyContainer and dependency vulnerability scanner
95%
Clean
SemgrepStatic code analysis for vulnerabilities
95%
Clean
mcp-scan (Snyk)Model Context Protocol security validation
95%
Skipped
Snyk (dep)Open source security scanning
50%
Skipped
Socket.devSupply chain security analysis
50%
Skipped
VirusTotalMulti-engine malware detection
50%
Skipped
CrowdStrikeAdvanced threat intelligence
50%
Skipped
OSV-ScannerOpen Source Vulnerability database check
50%
Skipped
OWASP Dep-Check
50%
Last scanned: Apr 16, 2026, 2:10 AM247.7s4 files scanned
SKILL.md
- name:
- sips-icc-oob-write-exploit
- description:
- How to understand, test, and detect the macOS sips ICC profile out-of-bounds write vulnerability (CVE-2024-44236). Use this skill whenever the user mentions ICC profiles, sips vulnerability, CVE-2024-44236, macOS image processing exploits, heap corruption in color profiles, or needs to generate malicious ICC test files for security research. Also trigger for YARA rule creation for ICC anomalies, macOS security patching verification, or when analyzing embedded color profile attacks.
SIPS ICC Profile OOB Write Exploit (CVE-2024-44236)
A skill for understanding, testing, and detecting the out-of-bounds zero-write vulnerability in Apple's Scriptable Image Processing System (sips) ICC profile parser.
What This Skill Does
This skill helps you:
- Generate malicious ICC profile test files for security research
- Understand the heap corruption mechanism and exploitation chain
- Create YARA detection rules for the vulnerability
- Verify patching status and implement mitigations
- Analyze embedded ICC profile attacks in images
Quick Start
Generate a Test ICC Profile
Run the bundled PoC generator to create a malicious ICC file:
python scripts/generate_evil_icc.py output/evil.icc
This creates a minimal ICC profile with the offsetToCLUT == tagDataSize condition that triggers the OOB write.
Verify the Vulnerability (Research Only)
On a vulnerable macOS system (15.0.1, sips-307):
sips --verifyColor output/evil.icc
# or
sips -s format png payload.jpg --out out.png
⚠️ Warning: Only test on isolated, vulnerable systems you own. This can cause crashes or code execution.
Vulnerability Overview
The Bug
The vulnerability is in the lutAToBType (mAB ) and lutBToAType (mBA ) tag handlers in sips-307:
if (offsetToCLUT <= tagDataSize) {
// BAD: zero 16 bytes starting at offsetToCLUT
for (uint32_t i = offsetToCLUT; i < offsetToCLUT + 16; i++)
buffer[i] = 0; // no bounds check!
}
When offsetToCLUT == tagDataSize, the parser writes 16 bytes past the allocated buffer.
Exploitation Chain
- Craft malicious ICC with
offsetToCLUT == tagDataSize - Trigger parsing via any sips operation (Preview, QuickLook, Mail, Safari)
- Heap metadata corruption on nano_zone allocator
- Arbitrary write via poisoned free list
- Vtable overwrite → ROP chain execution
Impact
- CVSS 7.8 - Remote code execution
- Bypasses Gatekeeper (embedded in benign images)
- Affects: Preview, QuickLook, Safari, Mail attachments
- Patched: macOS 15.2 / 14.7.1 (Oct 30, 2024)
Detection
YARA Rule
Use the bundled YARA rule to detect malicious ICC profiles:
yara -r scripts/icc_mab_anomaly.yara /path/to/files/
The rule checks for:
- Valid ICC header (
acspmagic) mABormBAtagsoffsetToCLUT == tagDataSizecondition
Manual Verification
Check if a system is patched:
# Check macOS version
sw_vers
# Check sips version (vulnerable: 307 on 15.0.1)
# Patched in 15.2 / 14.7.1+
DFIR Indicators
Look for in unified log:
- Recent
sips --verifyColorexecution ColorSynclibrary loads by sandboxed apps- Unexpected Preview/QuickLook spawns
Mitigation
Immediate Actions
- Patch: Update to macOS ≥ 15.2 / 14.7.1 or iOS/iPadOS ≥ 18.1
- Strip ICC profiles from untrusted images:
exiftool -icc_profile= -overwrite_original <file> - Deploy YARA rule on email gateways and EDR
- Sandbox Preview/QuickLook for unknown content
Long-term Hardening
- Run image processing in isolated VMs
- Monitor for sips/ColorSync anomalies
- Implement file type validation before processing
Test Cases
Case 1: Basic OOB Trigger
python scripts/generate_evil_icc.py test1.icc
sips --verifyColor test1.icc # Should crash on vulnerable systems
Case 2: Embedded in Image
# Create a test image with embedded malicious ICC
python scripts/embed_icc_in_image.py input.jpg test1.icc output.jpg
sips -s format png output.jpg --out out.png
Case 3: YARA Detection
yara scripts/icc_mab_anomaly.yara test1.icc
# Should match: ICC_mAB_offsetToCLUT_anomaly
References
- ZDI-24-1445: Trend Micro advisory on CVE-2024-44236 https://www.zerodayinitiative.com/advisories/ZDI-24-1445/
- Apple HT213981: macOS Sonoma 15.2 security content https://support.apple.com/en-us/HT213981
- CVE-2025-24185: Related variant (patched April 2025)
Related Skills
icc-profile-analysis- Deep ICC profile parsing and analysismacos-heap-exploitation- nano_zone allocator exploitation techniquesyara-rule-creation- Writing detection rules for file-based attacks
Notes
- This skill is for security research and defensive purposes only
- Always test on systems you own or have explicit authorization for
- The PoC generator creates files that can crash vulnerable systems
- Keep your test environment isolated from production networks
Related Skills
abelrguezr/house-of-lore-exploit
testing
VerifiedTrustedCommunity
How to perform a House of Lore (small bin attack) heap exploitation. Use this skill whenever the user mentions heap exploitation, small bin attacks, fake chunks, glibc heap vulnerabilities, or needs to insert fake chunks into small bins for arbitrary read/write. Trigger for CTF challenges involving heap corruption, glibc 2.31+ exploitation, or when the user needs to bypass malloc sanity checks using fake chunk linking.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-force-exploit
testing
VerifiedTrustedCommunity
How to perform House of Force heap exploitation attacks. Use this skill whenever the user mentions heap exploitation, House of Force, top chunk manipulation, arbitrary memory allocation, malloc manipulation, or wants to allocate chunks at specific addresses. Also trigger for CTF challenges involving heap overflows, top chunk size overwrites, or when the user needs to calculate evil_size for heap attacks. Make sure to use this skill for any binary exploitation task involving glibc heap manipulation, even if they don't explicitly say "House of Force".
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/house-of-einherjar
tools
VerifiedTrustedCommunity
How to perform House of Einherjar heap exploitation to allocate memory at arbitrary addresses. Use this skill whenever the user mentions heap exploitation, glibc heap attacks, arbitrary memory allocation, off-by-one overflow exploitation, tcache poisoning, fast bin attacks, or any CTF challenge involving heap manipulation. This is essential for binary exploitation tasks where you need to control malloc() return addresses.
5SKILL.mdUpdated Apr 16, 2026
abelrguezr/heap-overflow-exploitation
testing
VerifiedTrustedCommunity
How to identify, analyze, and exploit heap overflow vulnerabilities in binary exploitation challenges and real-world scenarios. Use this skill whenever the user mentions heap overflows, memory corruption, heap grooming, tcache poisoning, fast-bin attacks, or any heap-related vulnerability in CTF challenges, binary analysis, or security research. This skill covers heap overflow fundamentals, exploitation techniques, heap grooming strategies, and real-world CVE analysis.
5SKILL.mdUpdated Apr 16, 2026