疑似Oday
repo for CVE-2025-52413# CVE-2025-52413 — Particle Device OS BLE Buffer Overflow
**Discoverer**: Golden Ticket Labs
**Vendor**: Particle
**Date Assigned**: August 12th 2025 (MITRE)
## Description
A buffer overflow in the `ble_control_request_channel.cpp` component of **Particle Device OS v5.6.0** enables arbitrary function pointer overwrite due to an unbounded `memcpy()` into a 64-byte buffer.
When paired with the adjacent `ThreadRunner::eventHandler_` callback invocation, this permits reliable control flow hijacking and even simulated ROP payload execution:contentReference[oaicite:0]{index=0}.
---
## Technical Details
**Vulnerable code path**:
```cpp
// ble_control_request_channel.cpp
memcpy(buf_->data, &h, handshake_header_size); // unbounded copy into 64-byte buffer
// thread_runner.cpp
if (r->eventHandler_) {
r->eventHandler_(ev); // function pointer called after adjacent memory corruption
}
```
handshake_header_size is attacker-controlled.
buf_->data is a raw 64-byte buffer, lacking bounds checks.
ThreadRunner stores an inline function pointer eventHandler_ directly adjacent to the buffer.
Overflow of buf_->data enables overwriting eventHandler_.
Depending on build layout, the bug manifests as a stack-based (CWE-121) or heap-based (CWE-122) overflow, but the root cause is unsafe memory copying into a fixed buffer next to a function pointer.
CWE Classification:
CWE-120: Classic Buffer Overflow
CWE-121: Stack-based Buffer Overflow
CWE-122: Heap-based Buffer Overflow
CWE-787: Out-of-Bounds Write
CWE-829: Inclusion of Function Pointer in Struct with Buffer
Severity (CVSS v3.1)
Base Score: 8.8 (High)
Vector: AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
This reflects that arbitrary code execution can be achieved with a crafted BLE payload, requiring only attacker proximity and no privileges or user interaction.
Affected Versions
Particle Device OS v5.6.0 — Vulnerable
v5.7.0 and newer — Patched silently ([Gen 3] BLE: Fix stack overflow in BLE timer callback)
Proof of Concept (Lab Only)
⚠️ No weaponized exploit code is included. This is a safe illustration.
Conceptual PoC structure:
```cpp
struct ExploitTarget {
char buffer[64];
void (*eventHandler)(const char* msg); // overwrite target
};
char payload[128];
memset(payload, 'A', 64); // fill buffer
memcpy(payload + 64, &address_of_rop_shell, 8); // overwrite function pointer
// Redirect control flow to:
void rop_shell(const char* msg) {
system("/bin/sh"); // simulated ROP payload
}
```
Hex dump confirmed that the eventHandler_ pointer was overwritten and redirected.
Attack Vector
Remote exploitation is possible via a specially crafted BLE control message.
The overflow occurs during handshake parsing, when handshake_header_size exceeds the 64-byte buffer.
Once corrupted, the eventHandler_ callback invokes attacker-controlled code.
Impact
Arbitrary code execution on affected Particle devices
Complete compromise of confidentiality, integrity, and availability
Potential persistence and lateral movement in BLE-enabled environments
Mitigation
Upgrade to Particle Device OS v5.7.0 or newer, where the overflow was fixed.
Harden BLE parsing with bounds checks (memcpy_s or equivalent).
Separate function pointers from overflowable fields.
Compile with stack canaries, SafeStack, and memory sanitizers.
References
Particle Device OS v5.7.0 Release Notes
Lab report & PoC simulation
License & Disclaimer
All content in this repository is provided for educational and defensive purposes only.
No exploit payloads are included. Do not attempt to use these techniques against systems without explicit authorization.
Contact
Golden Ticket Labs
📧 goldenticketlabs@proton.me
🌐 goldenticketlabs.com
[4.0K] /data/pocs/9a48ad12245fbfdfbeda46d1ff4f1316188d3fd7
└── [3.8K] README.md
0 directories, 1 file