Download Accelerator Plus (DAP) SEH Buffer Overflow Vulnerability
Download Accelerator Plus (DAP) 10.0.6.0 is vulnerable to a structured exception handler buffer overflow, allowing remote attackers to execute arbitrary code via maliciously crafted URLs by overwriting SEH pointers and executing embedded shellcode.
Download Accelerator Plus (DAP) version 10.0.6.0 is susceptible to a critical structured exception handler (SEH) buffer overflow vulnerability, identified as CVE-2019-25628. This vulnerability allows remote attackers to achieve arbitrary code execution by crafting malicious URLs. The attack leverages the application’s web page import functionality to introduce the malicious URL. Successful exploitation allows attackers to overwrite SEH pointers, redirecting execution flow to attacker-controlled shellcode. This vulnerability poses a significant risk to users of the affected DAP version, potentially leading to complete system compromise. The vulnerability was reported and analyzed by VulnCheck.
Attack Chain
- Attacker crafts a malicious URL containing overflowing buffer data designed to overwrite the SEH pointers.
- The victim uses the Download Accelerator Plus 10.0.6.0 application.
- The attacker delivers the malicious URL to the victim via social engineering or other means.
- The victim imports the malicious URL through the application’s web page import functionality.
- The application attempts to process the crafted URL, triggering the buffer overflow.
- The overflowing buffer overwrites the structured exception handler (SEH) record on the stack.
- When an exception occurs, the application attempts to use the overwritten SEH pointer.
- Control is transferred to the attacker-controlled shellcode embedded in the malicious URL, leading to arbitrary code execution.
Impact
Successful exploitation of this vulnerability (CVE-2019-25628) allows a remote attacker to execute arbitrary code on the victim’s system. Given the critical severity score (CVSS v3.1: 9.8), the impact is significant. Affected systems are completely compromised, allowing the attacker to install malware, steal sensitive information, or pivot to other systems on the network. The number of potential victims is unknown, but all users of Download Accelerator Plus 10.0.6.0 are at risk.
Recommendation
- Discontinue the use of Download Accelerator Plus (DAP) 10.0.6.0 due to the unpatched SEH buffer overflow vulnerability (CVE-2019-25628).
- Monitor network traffic for connections to the URLs associated with the vulnerability (e.g., http://www.speedbit.com/dap/, https://www.exploit-db.com/exploits/46673). Block these domains at the network perimeter.
- Implement a network detection rule to identify HTTP requests containing unusually long URLs that might be exploiting the buffer overflow. This will require analyzing webserver or proxy logs.
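As an added example (not part of the original advisory), the following Python script applies the two network-side checks from the recommendations above to proxy log lines: it flags requests to the listed indicator URLs or their domains, and requests whose URL length exceeds a threshold. The Squid-like log format, the 2048-byte threshold and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines ("timestamp client method url status"); not real traffic.
# The third line stands in for an oversized URL handed to the DAP web page import feature.
SAMPLE_PROXY_LOG = """\
1700000000.123 10.0.0.5 GET http://www.speedbit.com/dap/ 200
1700000001.456 10.0.0.7 GET https://www.exploit-db.com/exploits/46673 200
1700000002.789 10.0.0.9 GET http://example.test/download?file=""" + "A" * 2100 + """ 404
1700000003.012 10.0.0.11 GET https://example.test/index.html 200
"""

# Indicator URLs taken from the advisory's IoC table; domains are derived from them.
IOC_URLS = {
    "http://www.speedbit.com/dap/",
    "http://www.speedbit.com/dap/download/downloading.asp",
    "https://www.exploit-db.com/exploits/46673",
    "https://www.vulncheck.com/advisories/download-accelerator-plus-dap-seh-buffer-overflow",
}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}

# Assumed threshold for "unusually long" URLs; tune it to the environment's own baseline.
MAX_URL_LEN = 2048

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)\s+(?P<status>\d+)$")


def classify_request(url: str, max_len: int = MAX_URL_LEN) -> list:
    """Return the alert tags for one requested URL (empty list if nothing matched)."""
    tags = []
    host = urlsplit(url).hostname
    if url in IOC_URLS:
        tags.append("ioc_url_match")
    if host in IOC_HOSTS:
        tags.append("ioc_domain_match")
    if len(url) > max_len:
        tags.append("oversized_url")
    return tags


def scan_proxy_log(text: str, max_len: int = MAX_URL_LEN) -> list:
    """Parse each log line and return one alert record per flagged request."""
    alerts = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        tags = classify_request(m["url"], max_len)
        if tags:
            alerts.append({"client": m["client"], "host": urlsplit(m["url"]).hostname,
                           "url_len": len(m["url"]), "tags": tags})
    return alerts
```

Feeding the script a real proxy log in the same format lists every client that reached the indicator URLs or sent an oversized URL, which is the input a perimeter block or SIEM rule would be built from.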
Detection coverage (2 rules)
Detect Access to Exploit-DB URL related to DAP SEH Overflow
Severity: high. Detects HTTP requests to the Exploit-DB URL associated with the Download Accelerator Plus SEH overflow exploit.
Detect Access to Speedbit DAP Download Page
Severity: low. Detects HTTP requests to the Speedbit DAP download page.
Indicators of compromise (4 URLs)
| Type | Value |
|---|---|
| url | http://www.speedbit.com/dap/ |
| url | http://www.speedbit.com/dap/download/downloading.asp |
| url | https://www.exploit-db.com/exploits/46673 |
| url | https://www.vulncheck.com/advisories/download-accelerator-plus-dap-seh-buffer-overflow |