Mobile Dynamix PrinterShare Mobile Print Double-Free Memory Corruption Vulnerability
Vulnerability
A double-free vulnerability has been identified in Mobile Dynamix PrinterShare Mobile Print for Android, in versions prior to 12.15.01. This issue arises during the cleanup of temporary image files, creating a condition that can be exploited to cause memory corruption and potentially execute arbitrary code.
Impact
Exploitation of this vulnerability leads to memory corruption, with the potential for arbitrary code execution.
Reproduction
The vulnerability can be reproduced on a rooted Android 13 device, specifically a Samsung Galaxy Tab A7 Lite. Using the Frida dynamic instrumentation toolkit, intercept the calls that free memory, then trigger the vulnerability by loading bitmaps from files or content URIs in the 'ActivityPrintPictures' activity. The 'v1()' method handles the bitmap loading and decoding, while the 'x1()' method creates and recycles a bitmap, causing a double-free condition. After the memory is freed, overwrite the freed memory with a payload, which can be used to execute arbitrary code.
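Intercepting free calls, as described above, yields a log of allocator events in which a double-free appears as a second release of an address that was not reallocated in between. The following is an added example, not code from the advisory or the vendor, that checks such a log offline; the trace format, addresses and caller labels are constructed assumptions.

```javascript
// Constructed trace, one event per line: "<seq> <op> <address> <caller>".
// Addresses and caller labels are made up for illustration.
const SAMPLE_TRACE = `
1 malloc 0x7a10 decode_temp_image
2 malloc 0x7b20 make_thumbnail
3 free 0x7a10 recycle_bitmap
4 malloc 0x7a10 decode_temp_image
5 free 0x7a10 recycle_bitmap
6 free 0x7b20 recycle_bitmap
7 free 0x7b20 cleanup_temp_files
8 free 0x0 cleanup_temp_files
9 free 0x9999 cleanup_temp_files
`;

const EVENT = /^(\d+)\s+(malloc|free)\s+(0x[0-9a-f]+)\s+(\S+)$/i;

// Returns one finding per free() of an address that is not currently live.
function findBadFrees(traceText) {
  const live = new Map();   // address -> event that allocated it
  const freed = new Map();  // address -> event that last released it
  const findings = [];
  for (const line of traceText.split('\n')) {
    const m = EVENT.exec(line.trim());
    if (!m) continue;                       // skip blank or malformed lines
    const addr = BigInt(m[3]);              // BigInt keeps 64-bit pointers exact
    const event = { seq: Number(m[1]), caller: m[4] };
    if (m[2].toLowerCase() === 'malloc') {
      live.set(addr, event);
      freed.delete(addr);                   // allocator reused the address: not a bug
    } else if (addr === 0n) {
      continue;                             // free(NULL) is defined as a no-op
    } else if (live.has(addr)) {
      live.delete(addr);
      freed.set(addr, event);
    } else if (freed.has(addr)) {
      findings.push({ kind: 'double-free', address: m[3],
                      firstFree: freed.get(addr), secondFree: event });
    } else {
      findings.push({ kind: 'unknown-free', address: m[3], secondFree: event });
    }
  }
  return findings;
}

for (const f of findBadFrees(SAMPLE_TRACE)) {
  const first = f.firstFree ? ` (first freed at #${f.firstFree.seq} by ${f.firstFree.caller})` : '';
  console.log(`${f.kind} of ${f.address} at #${f.secondFree.seq} by ${f.secondFree.caller}${first}`);
}
```

Recording the caller of both releases points at the two cleanup paths that each believe they own the buffer, which is where the fix belongs.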
