Related vulnerability
Title: Security vulnerability in multiple Apple products (CVE-2025-43300)
Description: Apple iOS and the other products named here are made by the American company Apple. Apple iOS is an operating system developed for mobile devices. Apple macOS is a dedicated operating system developed for Mac computers. Apple iPadOS is an operating system for iPad tablets. Multiple Apple products contain a security vulnerability that stems from processing a malicious image file, which may lead to memory corruption. The following products and versions are affected: macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS 17.7.10, macOS Sequoia 15.6.1,
Description
iOS 18.6.1 0-click RCE POC
Introduction
# iOS 18.6.1 0-click RCE POC
The vulnerability seems to be in Apple's implementation of the JPEG Lossless decompression code that is used inside Adobe's DNG file format. I modified `SamplesPerPixel` in the `SubIFD` directory of a DNG to reach the vulnerable function and decreased the `component` count of the `SOF3` block to trigger what seems like an out-of-bounds write.
`RawCamera.bundle`, where all of the vulnerable code lies, seems to have been stripped of symbols, so it's hard to explain the code path, but I leave that for the reader to figure out. Not all DNG files that use JPEG Lossless compression seem to reach this vulnerable path: I used Adobe's official `Adobe DNG Converter` tool and also `dnglab` to export DNG files with this compression type but never reached this code path until this very specific sample DNG I linked below. This POC doesn't crash iOS 18.6.2, so I assume it's the same bug :P
## Reproduction steps:
1. Download https://www.dpreview.com/sample-galleries/4949897610/pentax-k-3-mark-iii-sample-gallery/1638788346
2. Modify the following bytes:
```
0x2FD00: 01 -> 02
0x3E40B: 02 -> 01
```
3. Airdrop etc
File snapshot
[4.0K] /data/pocs/61e24c6d37c1a8eed22114bd880860a388427b47
└── [1.1K] README.md
0 directories, 1 file