Out-of-bounds write in Apple ImageIO when processing malicious image files
CVE-2025-43300 is an out-of-bounds write vulnerability in Apple’s ImageIO framework affecting iOS, iPadOS, and macOS. Apple states that processing a malicious image file may result in memory corruption and that the issue was fixed through improved bounds checking. Supporting reporting consistently places the flaw in ImageIO image parsing, with multiple references indicating DNG image handling as the likely attack surface; some reporting further points to the RawCamera library within ImageIO, although Apple’s advisory text only confirms ImageIO and does not publicly document the exact function. Apple is aware of reports that the vulnerability may have been exploited in an extremely sophisticated attack against specific targeted individuals.
Exploits
5 valid exploits after Mallory filtered fakes, detection scripts, and README-only repos.
This repository provides a Python-based interactive CLI tool (CVE-2025-43300.py) for analyzing and creating proof-of-concept (PoC) files targeting CVE-2025-43300, a critical memory corruption vulnerability in Apple's image processing framework (affecting iOS 18.6.1 and macOS). The exploit leverages a mismatch between the TIFF SamplesPerPixel metadata and the JPEG Lossless SOF3 component count within DNG files, causing a buffer overflow when the file is processed by the vulnerable system. The tool offers features to analyze DNG files for vulnerability indicators, create crafted PoC files by modifying specific bytes, perform binary diffs, and safely patch DNG files. The README provides detailed technical background, attack scenarios (including zero-click vectors such as email, AirDrop, and web downloads), and mitigation advice. The main attack vector is the delivery of a malicious DNG file to a target system, which, when processed, can result in application crash or code execution. The repository is structured with a single main Python script and a README, and does not rely on any exploit framework.
This repository demonstrates a proof-of-concept (POC) exploit for CVE-2025-43300, a buffer overflow vulnerability in DNG (Digital Negative) file parsers. The vulnerability arises from a mismatch between the TIFF metadata (SamplesPerPixel) and the embedded JPEG data (SOF0 components) within a DNG file. The exploit consists of a JavaScript script ('create-dng_poc_exec.js') that programmatically generates a DNG file ('exploit.dng') with the malicious structure: the TIFF header claims 2 components while the JPEG data actually contains 3. When a vulnerable parser processes this file, it allocates a buffer for 2 components but processes 3, resulting in a buffer overflow and potential remote code execution. The repository includes a detailed README.md explaining the vulnerability, file structure, and exploitation steps. There are no network endpoints or remote services involved; the attack vector is a crafted file intended to be opened by a vulnerable application. Note that this description cites the baseline JPEG SOF0 marker, whereas DNG raw strips and tiles with Compression = 7 are lossless JPEG (SOF3), the marker the other repositories listed here target; whether an SOF0 mismatch reaches the same code path is not established by the description.
This repository provides a proof-of-concept (POC) toolkit for CVE-2025-43300, a critical memory corruption vulnerability in Apple's image processing framework affecting iOS 18.6.1 and certain macOS versions. The vulnerability is triggered by a crafted DNG (Digital Negative) image file with inconsistent metadata: the TIFF SamplesPerPixel tag is set to a different value than the JPEG Lossless SOF3 component count. This mismatch causes the image parser to allocate a buffer of incorrect size, leading to a buffer overflow when the JPEG decoder writes more data than expected. The repository contains two main Python scripts:
- `dng_vulnerability_analyzer.py`: Analyzes DNG files to locate relevant metadata and JPEG stream markers, identifies vulnerability conditions, and reports exact byte offsets for modification.
- `hex_modifier.py`: Safely modifies specific bytes in a DNG file to create a vulnerable sample (POC), verifies changes, and generates binary diff reports.
The typical workflow is to analyze a target DNG file, use the analyzer to find the correct offsets, then use the modifier to create a POC file with the required metadata/stream inconsistency. The crafted file can then be delivered to a target system via email, AirDrop, messaging, or web download. On vulnerable systems, simply previewing or importing the file can trigger the exploit, resulting in a crash or potential code execution. The README provides detailed technical background, usage instructions, and safe testing guidelines. No network endpoints or remote services are hardcoded; the exploit is file-based and targets local or network-delivered DNG files.
This repository provides a proof-of-concept (POC) exploit for CVE-2025-43300, a memory corruption vulnerability in Apple's RawCamera.bundle image processing component affecting iOS 18.6.1 and macOS. The exploit leverages a mismatch between TIFF metadata (SamplesPerPixel) and JPEG Lossless parameters (SOF3 component count) in DNG files, causing a buffer overflow when the file is processed automatically by the target system (e.g., via AirDrop, import, or preview). The repository contains two files: a README.md with detailed vulnerability and exploitation instructions, and hex_modifier.py, a Python script that automates the creation of malicious DNG files by modifying specific byte offsets. The script supports creating a POC file, manual byte modification, and generating binary diff reports. The exploit is zero-click and file-based, requiring only that the target device processes the crafted DNG file. No network endpoints or remote services are involved; the attack is delivered via file transfer or similar mechanisms. The code is a POC and does not include a weaponized payload, but demonstrates the vulnerability's impact and provides tooling for further research.
This repository provides a proof-of-concept (POC) toolkit for CVE-2025-43300, a critical memory corruption vulnerability in Apple's image processing framework affecting iOS 18.6.1 and certain macOS versions. The vulnerability is triggered by a crafted DNG (Digital Negative) image file with inconsistent metadata: the TIFF SamplesPerPixel tag and the JPEG Lossless SOF3 component count are deliberately set to different values, causing a buffer overflow during automatic image processing. The repository contains two main Python scripts:
- `dng_vulnerability_analyzer.py`: Analyzes DNG files to locate relevant metadata and JPEG stream markers, identifies vulnerability conditions, and reports exact byte offsets for modification.
- `hex_modifier.py`: Safely modifies DNG files at specified offsets to create a POC file that triggers the vulnerability, verifies changes, and generates binary diff reports.
The typical workflow is to analyze a DNG file to find the correct offsets, use the modifier to create a vulnerable sample, and then verify the result. The exploit is zero-click: simply delivering the crafted DNG file to a vulnerable device (via email, AirDrop, messaging, or web download) can trigger the bug when the file is processed, potentially leading to a crash or code execution. The repository is well-documented, with a comprehensive README explaining the vulnerability, technical details, usage instructions, and safe testing guidelines. No network endpoints or IP addresses are hardcoded; all operations are performed on local DNG files provided by the user.
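All five repository descriptions above point at the same indicator: a DNG whose TIFF SamplesPerPixel tag disagrees with the component count (Nf) in the SOF3 frame header of its lossless-JPEG strip or tile data. As an added example, written for this page and not taken from any of those repositories or from Apple, the Python checker below implements that indicator: it walks the IFD chain and SubIFDs of a TIFF/DNG, and for every strip or tile stored with Compression = 7 compares SamplesPerPixel with the Nf byte of the embedded SOF3 header. Tag numbers and marker layout follow the TIFF 6.0, DNG and JPEG (ITU-T T.81) specifications; the sample file it builds is constructed here and is not a decodable image, only enough structure to exercise the comparison. Whether a given mismatch reaches the code Apple fixed is not established by Apple's advisory, so treat a hit as a triage indicator for suspicious DNG files, not as proof of exploitation.

```python
import struct

# TIFF tag numbers used by the checker (TIFF 6.0 / DNG specification).
TAG_COMPRESSION, TAG_STRIP_OFFSETS, TAG_SAMPLES_PER_PIXEL = 259, 273, 277
TAG_STRIP_BYTE_COUNTS, TAG_TILE_OFFSETS, TAG_TILE_BYTE_COUNTS, TAG_SUBIFDS = 279, 324, 325, 330
COMPRESSION_LOSSLESS_JPEG = 7  # DNG stores raw strips/tiles as lossless JPEG (SOF3) under this value
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}
TYPE_FMT = {1: "B", 3: "H", 4: "I", 13: "I"}  # integer types we decode; anything else is kept raw


def read_ifd(data, offset, end):
    """Parse one IFD; return ({tag: [values] or raw bytes}, next_ifd_offset)."""
    count = struct.unpack_from(end + "H", data, offset)[0]
    tags = {}
    for i in range(count):
        tag, typ, n, field = struct.unpack_from(end + "HHI4s", data, offset + 2 + 12 * i)
        size = TYPE_SIZE.get(typ, 1) * n
        # Values of 4 bytes or fewer sit inline, left-justified in the value field;
        # larger values live at the offset the field points to.
        raw = field[:size] if size <= 4 else data[struct.unpack(end + "I", field)[0]:][:size]
        fmt = TYPE_FMT.get(typ)
        tags[tag] = list(struct.unpack(end + fmt * n, raw)) if fmt and len(raw) == size else raw
    next_ifd = struct.unpack_from(end + "I", data, offset + 2 + 12 * count)[0]
    return tags, next_ifd


def sof3_components(jpeg):
    """Walk the marker segments of a JPEG stream; return Nf from its SOF3 header, or None."""
    if jpeg[:2] != b"\xff\xd8":
        return None
    pos = 2
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            return None
        marker = jpeg[pos + 1]
        if marker == 0xFF:                                     # fill byte
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:  # standalone markers, no length
            pos += 2
            continue
        length = struct.unpack_from(">H", jpeg, pos + 2)[0]
        if marker == 0xC3:  # SOF3 payload: P(1) Y(2) X(2) Nf(1) then 3 bytes per component
            return jpeg[pos + 9] if length >= 8 and pos + 10 <= len(jpeg) else None
        if marker in (0xDA, 0xD9):                             # scan data or EOI before any frame header
            return None
        pos += 2 + length
    return None


def iter_ifds(data, end, first):
    """Yield every IFD reachable via the IFD chain and SubIFDs (DNG raw data usually sits in a SubIFD)."""
    seen, stack = set(), [first]
    while stack:
        off = stack.pop()
        if off == 0 or off in seen or off + 2 > len(data):
            continue
        seen.add(off)
        tags, nxt = read_ifd(data, off, end)
        yield tags
        subs = tags.get(TAG_SUBIFDS, [])
        stack.append(nxt)
        stack.extend(subs if isinstance(subs, list) else [])


def check_dng(data):
    """One finding per lossless-JPEG strip/tile: SamplesPerPixel vs. SOF3 component count."""
    end = {b"II": "<", b"MM": ">"}[data[:2]]
    if struct.unpack_from(end + "H", data, 2)[0] != 42:
        raise ValueError("not a TIFF/DNG file")
    first = struct.unpack_from(end + "I", data, 4)[0]
    findings = []
    for tags in iter_ifds(data, end, first):
        if tags.get(TAG_COMPRESSION, [None])[0] != COMPRESSION_LOSSLESS_JPEG:
            continue
        spp = tags.get(TAG_SAMPLES_PER_PIXEL, [1])[0]  # TIFF default is 1 when the tag is absent
        offsets = tags.get(TAG_STRIP_OFFSETS) or tags.get(TAG_TILE_OFFSETS) or []
        counts = tags.get(TAG_STRIP_BYTE_COUNTS) or tags.get(TAG_TILE_BYTE_COUNTS) or []
        for off, cnt in zip(offsets, counts):
            nf = sof3_components(data[off:off + cnt])
            findings.append({"offset": off, "samples_per_pixel": spp, "sof3_components": nf,
                             "mismatch": nf is not None and nf != spp})
    return findings


def build_dng(samples_per_pixel, nf):
    """Constructed minimal little-endian DNG: one IFD and one lossless-JPEG strip.
    Not a decodable image; it only carries the metadata the checker compares."""
    sof3 = struct.pack(">BHHB", 16, 1, 1, nf) + b"".join(struct.pack(">BBB", c + 1, 0x11, 0) for c in range(nf))
    strip = b"\xff\xd8\xff\xc3" + struct.pack(">H", len(sof3) + 2) + sof3 + b"\xff\xd9"
    ifd_off, n = 8, 5
    strip_off = ifd_off + 2 + 12 * n + 4
    entries = [  # (tag, type, count, 4-byte value field); tags ascending as TIFF requires
        (259, 3, 1, struct.pack("<H", COMPRESSION_LOSSLESS_JPEG) + b"\x00\x00"),  # Compression
        (273, 4, 1, struct.pack("<I", strip_off)),                                # StripOffsets
        (277, 3, 1, struct.pack("<H", samples_per_pixel) + b"\x00\x00"),          # SamplesPerPixel
        (279, 4, 1, struct.pack("<I", len(strip))),                               # StripByteCounts
        (50706, 1, 4, b"\x01\x04\x00\x00"),                                       # DNGVersion 1.4.0.0
    ]
    ifd = struct.pack("<H", n) + b"".join(struct.pack("<HHI", t, ty, c) + v for t, ty, c, v in entries)
    return b"II" + struct.pack("<HI", 42, ifd_off) + ifd + struct.pack("<I", 0) + strip


if __name__ == "__main__":
    for label, spp, nf in (("consistent", 3, 3), ("mismatched", 2, 3)):
        for finding in check_dng(build_dng(spp, nf)):
            print(label, finding)
```

The checker follows SubIFDs and accepts both strip and tile offset tags because a real DNG keeps its raw sensor data in a SubIFD, usually tiled, while the first IFD holds a preview; a scanner that only reads IFD0 would miss the payload. Run it over a directory of DNGs received by mail or AirDrop and review any file where `mismatch` is true, bearing in mind that the mismatch is the indicator the public proof-of-concept repositories describe, not a confirmed trigger condition published by Apple.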
Recent activity
An Apple ImageIO out-of-bounds write vulnerability used as part of a zero-click attack chain to enable malicious image-based exploitation on iOS devices.
An iOS 16 vulnerability in the ImageIO framework reportedly used in a zero-click attack to hijack WhatsApp accounts by extracting cryptographic material and instantiating a new WhatsApp client without user interaction.
Apple iOS/macOS vulnerability referenced in the campaign indicators.
An image-parsing vulnerability affecting WhatsApp users, described as enabling spyware-driven one-click exploitation.