A look at an Android ITW DNG exploit

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://googleprojectzero.blogspot.com/2025/12/a-look-at-android-itw-dng-exploit.html
• Blog Title: A look at an Android ITW DNG exploit
• Suggested Section: 🎯 Binary Exploitation -> Common Exploiting Problems (new subpage on image/RAW parser exploitation: DNG/TIFF metadata abuse, Opcode List exploitation, allocator-aware heap grooming) and cross-linked from 📱 Mobile Pentesting -> Android Applications Pentesting (section on abusing MediaStore and OEM privileged services as an attack surface).

🎯 Content Summary

This blog post analyzes an in-the-wild Android remote code execution (RCE) exploit chain that abuses specially crafted DNG (Digital Negative) images to compromise Samsung devices. The exploit targets Samsung’s proprietary Quram image parsing library running inside the privileged system service com.samsung.ipservice. The underlying Quram vulnerability (fixed by Samsung in April 2025) is a memory corruption bug in DNG/TIFF handling that can be reached remotely via messaging apps li...

🔧 Technical Details

1. Abusing messaging apps and MediaStore as a delivery channel
The technique leverages the fact that messaging apps like WhatsApp store received media into Android’s MediaStore, which is later scanned by privileged OEM services. An attacker crafts a payload image and gives it a WhatsApp-like filename and .jpg/.jpeg extension so it appears benign. Once a user taps to download, WhatsApp saves the file and inserts its metadata into MediaStore. Any privileged service that periodically parses all entries in MediaStore (e.g. Samsung’s com.samsung.ipservice) will then process attacker-controlled input. This general pattern applies to any ecosystem where third-party apps store untrusted media in a globally indexed location that is later blindly parsed by privileged components.

2. Hiding a DNG/TIFF exploit inside a JPEG-named file
A key trick is to create a RAW/DNG file t...

🤖 Agent Actions

Summary:

• Added a comprehensive “RAW Image Parser Exploitation (DNG/TIFF Metadata & Opcodes)” section to binary-exploitation/common-exploiting-problems.md, covering delivery workflow, metadata tricks, opcode abuse, allocator-aware heap grooming, detection heuristics, and included the Project Zero blog as a reference.
• Extended mobile-pentesting/android-app-pentesting/README.md with a new “MediaStore & OEM Privileged Service Attack Surface” section that explains how WhatsApp-sourced DNG payloads reach Samsung’s com.samsung.ipservice, provides a concrete testing workflow, hunting indicators, and cross-links to the binary exploitation notes; also cited the Project Zero article in the references list.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://googleprojectzero.blogspot.com/2025/12/a-look-at-android-itw-dng-exploit.html

Content Categories: Based on the analysis, this content was categorized under "🎯 Binary Exploitation -> Common Exploiting Problems (new subpage on image/RAW parser exploitation: DNG/TIFF metadata abuse, Opcode List exploitation, allocator-aware heap grooming) and cross-linked from 📱 Mobile Pentesting -> Android Applications Pentesting (section on abusing MediaStore and OEM privileged services as an attack surface).".

Repository Maintenance:

• MD Files Formatting: 915 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0