Skip to content

A look at an Android ITW DNG exploit #1667

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
carlospolop wants to merge 1 commit into
base: master
Choose a base branch
from
Open

A look at an Android ITW DNG exploit #1667

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
44 changes: 43 additions & 1 deletion src/binary-exploitation/common-exploiting-problems.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -35,7 +35,49 @@ In order to bypass this the **escape character `\x16` must be prepended to any `

**Here you can** [**find an example of this behaviour**](https://ir0nstone.gitbook.io/hackthebox/challenges/pwn/dream-diary-chapter-1/unlink-exploit)**.**

{{#include ../banners/hacktricks-training.md}}
## RAW Image Parser Exploitation (DNG/TIFF Metadata & Opcodes)

An in-the-wild Android chain weaponized Samsung's **Quram** DNG/TIFF parser that runs inside the privileged **`com.samsung.ipservice`** service. The attacker only needed the victim to tap a WhatsApp image so it was saved into **`MediaStore`**, after which the Samsung system service automatically ingested the RAW file and executed the exploit.

High-level flow:

1. Craft a TIFF-based DNG payload but give it a harmless WhatsApp-style `.jpg/.jpeg` filename.
2. Deliver it over any channel that stores media inside `MediaStore` (WhatsApp, MMS, cloud sync, etc.).
3. Let OEM background services that scan `MediaStore` open the file with their privileged image stack.
4. Use DNG metadata to steer the parser into fragile code paths and turn opcode processing into a memory-corruption primitive.
5. Drop a ROP chain/shellcode into RAW buffers that will be dereferenced after the corruption.

Quick triage of suspicious samples:

```bash
file "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg"
exiftool -OpcodeList1 -OpcodeList2 -OpcodeList3 "WhatsApp Image 2025-02-10 at 4.54.17 PM.jpeg"
```

### Metadata steering & SubIFDs

- Abuse **multiple SubIFDs** (e.g., Preview + two "Main Image" entries sized 16×16 and 1×1) to force alloc/free patterns that rarely occur in normal RAWs.
- Set contradictory geometry such as **`ActiveArea = 0 0 10 10`** for a declared 16×16 tile so that internal loops mis-compute iteration bounds and buffer sizes.
- Mix **strip and tile storage** simultaneously (`TileByteCounts = 256` while `StripByteCounts = 1`) to hit parser logic that assumes only one storage mode is active.
- Keep `SamplesPerPixel = 1` and CFA metadata inconsistent with the stated color layout to influence de-bayering paths that hold function/vtable pointers.

These tricks let you force the decoder to allocate attacker-sized chunks derived only from metadata, which is perfect for heap grooming before the overflow triggers.

### Opcode list based corruption primitives

- DNG **Opcode Lists** are essentially a DSL that the parser executes before demosaicing. Stuffing **thousands of identical `[opcode 23]` entries** makes the library allocate very large descriptor arrays whose bounds often trust `ImageWidth × ImageHeight`.
- Chaining **`TrimBounds` → `DeltaPerColumn`** operations while the image dimensions disagree with the `ActiveArea` induces off-by-one writes when coordinates are recomputed between opcodes.
- Because opcodes execute sequentially, you can first use them to spray controlled data, then trigger the vulnerable opcode that overwrites a nearby pointer with offsets pointing back into your sprayed data.

### Allocator-aware heap grooming

- The campaign shipped **jemalloc and scudo variants**, highlighting that RAW metadata can be tuned to request allocations that match the target allocator's size classes/bins.
- On **scudo**, the exploit keeps allocations inside a single size class to avoid immediate quarantine while still placing the vulnerable opcode buffer next to an object containing function pointers.
- On **jemalloc**, the same concept targets small bin freelists and corrupts chunk metadata to pivot execution.
- Always model the allocator you are targeting: list the sizes that each SubIFD, tile buffer, opcode array, and CFA table will request, and adjust metadata until the victim control structure and your spray buffer sit adjacently.

## References

- [Project Zero: A look at an Android ITW DNG exploit](https://googleprojectzero.blogspot.com/2025/12/a-look-at-android-itw-dng-exploit.html)

{{#include ../banners/hacktricks-training.md}}
25 changes: 25 additions & 0 deletions src/mobile-pentesting/android-app-pentesting/README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -54,6 +54,30 @@ java -jar ../APKEditor.jar m -i splits/ -o merged.apk
java -jar uber-apk-signer.jar -a merged.apk --allowResign -o merged_signed
```

## MediaStore & OEM Privileged Service Attack Surface

Vendors ship privileged background services (for example Samsung's **`com.samsung.ipservice`**) that periodically enumerate Android's **`MediaStore`** and feed every newly indexed image into native stacks such as **Quram** to power "intelligent" gallery features. The 2025 in-the-wild DNG exploit showed that a single WhatsApp-delivered payload (user just taps to download) is enough to hand attacker-controlled RAW data to that service, yielding a 1-click remote attack surface with system-level access compared to the messaging app.

### Testing workflow

1. Identify OEM packages running out of `/system/priv-app` that request `READ_MEDIA_*`, `WRITE_MEDIA_STORAGE`, or vendor-specific media permissions (`adb shell pm list packages -U | grep samsung`).
2. Confirm whether they register `ContentObserver`s on MediaStore URIs (e.g., `adb shell dumpsys activity services com.samsung.ipservice | grep -i mediastore`).
3. Deliver a crafted file, force its insertion into MediaStore, and monitor how the privileged service opens it:

```bash
adb push poc.jpg /sdcard/WhatsApp/Media/WhatsApp\ Images/poc.jpg
adb shell content insert --uri content://media/external/file --bind _data:s:/sdcard/WhatsApp/Media/WhatsApp\ Images/poc.jpg --bind mime_type:s:image/jpeg
adb shell logcat -s ipservice:I MediaProvider:I
```

4. Inspect content-type mismatches (JPEG extension vs. `image/x-adobe-dng`), multiple SubIFDs, and simultaneous strip/tile declarations to confirm you can steer the parser state before fuzzing it.

For parser exploitation primitives that abuse those metadata inconsistencies, check the RAW image exploitation notes:

{{#ref}}
../../binary-exploitation/common-exploiting-problems.md
{{#endref}}

## Android Enterprise & Work Profile Attacks

{{#ref}}
Expand Down Expand Up @@ -880,5 +904,6 @@ AndroL4b is an Android security virtual machine based on ubuntu-mate includes th
- [smali-sslpin-patterns](https://github.com/aancw/smali-sslpin-patterns)
- [Build a Repeatable Android Bug Bounty Lab: Emulator vs Magisk, Burp, Frida, and Medusa](https://www.yeswehack.com/learn-bug-bounty/android-lab-mobile-hacking-tools)
- [CoRPhone — Android in-memory JNI execution and packaging pipeline](https://github.com/0xdevil/corphone)
- [Project Zero: A look at an Android ITW DNG exploit](https://googleprojectzero.blogspot.com/2025/12/a-look-at-android-itw-dng-exploit.html)

{{#include ../../banners/hacktricks-training.md}}