Researcher releases PoC for macOS Ventura code execution bug (CVE-2022-26730)

CVE-2022-26730 PoC

Researcher from Hoyt LLC has shared more details about a now-patched security flaw in Apple macOS Ventura code execution that could potentially enable an attacker to arbitrary code execution.

The vulnerability tracked as CVE-2022-26730 carries a high severity rating of 8.8 on the CVSS vulnerability scoring system. It has been addressed in the security update for macOS Ventura 13 released on October 24, 2022.

The bug was caused by a memory corruption issue when processing ICC profiles in the ColorSync component. By persuading a victim to open a specially crafted DMG file, an attacker could exploit this vulnerability to execute arbitrary code on the system.

CVE-2022-26730 PoC

Processing a maliciously crafted image may lead to arbitrary code execution,” Apple noted in its advisory. “A memory corruption issue existed in the processing of ICC profiles. This issue was addressed with improved input validation.”

David Hoyt of Hoyt LLC conducted an in-depth analysis of the vulnerability and publicly disclosed CVE-2022-26730 PoC code.

The issue described in this Report for CVE-2022-26730 was found in the Tag ‘cprt’ and Data ‘mluc’ of the Multi-localized Strings Code. The Elements are Sources of User Controllable Input [UCI],” the researcher wrote in his blog

“A Tainted Source of UCI flowed into a Sink demonstrating CVE-2022-26730 was a memory corruption issue that existed in the processing of ICC profiles and that processing a maliciously crafted image may lead to arbitrary code execution.

At present, the researcher only releases the CVE-2022-26730 Poc code that causes the system to crash due to security considerations. “Functional PoC’s for CVE-2022-26730 may be released at a future point in time due to the lack of protection for consumers not using macOS 13 and the availability of Prior Art to begin Exploit Development.”

Users are recommended to update to the latest version as soon as possible to mitigate possible threats.