Threat Feed
high advisory

CVE-2018-25322 - Allok Fast AVI MPEG Splitter Stack Buffer Overflow

Allok Fast AVI MPEG Splitter 1.2 is vulnerable to a stack-based buffer overflow, allowing local attackers to execute arbitrary code by providing a malicious license name string containing a crafted payload, leading to code execution with application privileges.

Allok Fast AVI MPEG Splitter 1.2 contains a stack-based buffer overflow, tracked as CVE-2018-25322, in its handling of the License Name field. The application copies the supplied license name into a fixed-size buffer on the stack without checking its length, so a string of roughly 780 bytes of filler followed by attacker-controlled data overwrites the saved return address and the memory beyond it; when the function returns, execution is redirected into the attacker's shellcode. Exploitation is local: the attacker must already be able to run the application and enter the crafted string in its registration dialog, and the resulting code runs with the privileges of the user who launched the splitter (elevated only if the application itself was started with elevated rights). The flaw still matters as a code-execution primitive: once triggered, it lets an attacker run arbitrary code on the host and use the compromised session for further malicious activity.

Attack Chain

  1. Attacker crafts a malicious payload containing approximately 780 bytes of junk data followed by shellcode.
  2. Attacker launches Allok Fast AVI MPEG Splitter 1.2.
  3. Attacker navigates to the license registration or activation section of the software.
  4. Attacker enters the crafted payload into the License Name field.
  5. The application attempts to copy the supplied license name string into a fixed-size buffer on the stack without proper bounds checking.
  6. The oversized payload overflows the buffer, overwriting adjacent memory regions on the stack.
  7. The overwritten memory includes the return address, which is replaced with the address of the attacker’s shellcode.
  8. When the function returns, execution jumps to the attacker-controlled shellcode, enabling arbitrary code execution.
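The attack chain above, modelled in C as an added example. This is not code from Allok or from the public exploit: the frame layout, the buffer size, the absence of a stack canary and the 32-bit x86 return address are all assumptions made for the demonstration, and the "shellcode" is a three-byte stand-in. The example shows the vulnerable copy pattern (no bounds check), the payload layout from steps 1 and 5 to 7 (filler, return-address value, shellcode), the resulting overwrite of the saved return address in a simulated frame, and a bounded copy that rejects the same payload.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed frame geometry for the demonstration. The advisory only gives the
 * approximate padding length (~780 bytes before the shellcode); the buffer
 * size, the missing canary and the 32-bit return address are assumptions,
 * not facts taken from the real binary. */
#define NAME_BUF_SIZE 780            /* assumed size of the on-stack License Name buffer */
#define FAKE_RET      0x41414141u    /* placeholder value the payload drops on the saved return address */

/* Simulated stack frame: the fixed buffer sits directly below the saved
 * return address, with the caller's memory above it, as in a frame compiled
 * without a stack canary. */
struct frame {
    char          name[NAME_BUF_SIZE];
    uint32_t      saved_ret;         /* where the function would return to */
    unsigned char caller_area[64];   /* memory above the return address; shellcode lands here */
};

/* Vulnerable pattern (the bug class the advisory describes): copy the
 * attacker-supplied license name into the fixed buffer with no check against
 * NAME_BUF_SIZE. Bytes are written through the frame pointer so the overwrite
 * of saved_ret and caller_area is deterministic in this demo. */
size_t vulnerable_copy(struct frame *f, const unsigned char *src, size_t len) {
    unsigned char *dst = (unsigned char *)f + offsetof(struct frame, name);
    for (size_t i = 0; i < len; i++)  /* no bounds check: keeps writing past name[] */
        dst[i] = src[i];
    return len;
}

/* Hardened form: refuse anything that does not fit, copy with an explicit
 * bound, and always NUL-terminate. Returns 0 on success, -1 if rejected. */
int safe_copy(struct frame *f, const unsigned char *src, size_t len) {
    if (len >= NAME_BUF_SIZE)        /* leave room for the terminator */
        return -1;
    memcpy(f->name, src, len);
    f->name[len] = '\0';
    return 0;
}

/* Builds the payload layout from the attack chain: ~780 bytes of filler,
 * then the value that lands on the saved return address (host byte order,
 * which is little-endian on the x86 target), then the shellcode.
 * Returns the payload length, or 0 if it does not fit in out[]. */
size_t build_payload(unsigned char *out, size_t out_cap,
                     const unsigned char *shellcode, size_t sc_len) {
    uint32_t ret = FAKE_RET;
    size_t need = NAME_BUF_SIZE + sizeof ret + sc_len;
    if (need > out_cap)
        return 0;
    memset(out, 'A', NAME_BUF_SIZE);                              /* junk */
    memcpy(out + NAME_BUF_SIZE, &ret, sizeof ret);                /* return address */
    memcpy(out + NAME_BUF_SIZE + sizeof ret, shellcode, sc_len);  /* shellcode */
    return need;
}

/* Constructed stand-in for shellcode (NOP, NOP, INT3); not a real payload. */
static const unsigned char demo_shellcode[] = { 0x90, 0x90, 0xCC };
#define DEMO_PAYLOAD_MAX (NAME_BUF_SIZE + sizeof(uint32_t) + sizeof demo_shellcode)

/* Runs the crafted payload through the vulnerable copy and reports the
 * value now sitting in the saved return address slot (FAKE_RET if hijacked). */
uint32_t return_address_after_overflow(void) {
    unsigned char payload[DEMO_PAYLOAD_MAX];
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = 0xDEADBEEFu;       /* the legitimate return address */
    size_t n = build_payload(payload, sizeof payload, demo_shellcode, sizeof demo_shellcode);
    vulnerable_copy(&f, payload, n);
    return f.saved_ret;
}

/* Same run, but reports whether the shellcode bytes landed just above the
 * overwritten return address, where step 8 expects execution to continue. */
int shellcode_landed_above_return(void) {
    unsigned char payload[DEMO_PAYLOAD_MAX];
    struct frame f;
    memset(&f, 0, sizeof f);
    size_t n = build_payload(payload, sizeof payload, demo_shellcode, sizeof demo_shellcode);
    vulnerable_copy(&f, payload, n);
    return memcmp(f.caller_area, demo_shellcode, sizeof demo_shellcode) == 0;
}

/* Feeds the same payload to the hardened copy; returns 1 if it was rejected
 * and the saved return address is intact. */
int hardened_rejects_payload(void) {
    unsigned char payload[DEMO_PAYLOAD_MAX];
    struct frame f;
    memset(&f, 0, sizeof f);
    f.saved_ret = 0xDEADBEEFu;
    size_t n = build_payload(payload, sizeof payload, demo_shellcode, sizeof demo_shellcode);
    return safe_copy(&f, payload, n) == -1 && f.saved_ret == 0xDEADBEEFu;
}

int main(void) {
    printf("saved return address after overflow: 0x%08x\n", return_address_after_overflow());
    printf("shellcode above return address: %s\n", shellcode_landed_above_return() ? "yes" : "no");
    printf("hardened copy rejects payload: %s\n", hardened_rejects_payload() ? "yes" : "no");
    return 0;
}
```

The demo writes into a heap-free, self-contained struct rather than the real stack, so it runs safely under any compiler; in the real application the same byte layout lands on the actual frame, and the value written over the return address has to be one that transfers control into the attacker-controlled region, which is why 32-bit binaries without ASLR or DEP are the usual targets for this pattern.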

Impact

Successful exploitation of CVE-2018-25322 allows a local attacker to execute arbitrary code with the privileges of the Allok Fast AVI MPEG Splitter 1.2 process, that is, those of the user who launched it. This can lead to data theft, malware installation or, where the application is run with administrative rights, full compromise of the host. No information is available on the installed base or on the sectors using the software, so the population at risk cannot be quantified, but any host with the vulnerable version installed offers this code-execution primitive to anyone able to run the application.

Recommendation

  • Uninstall Allok Fast AVI MPEG Splitter 1.2 where it is not essential; no fixed version is available for CVE-2018-25322.
  • Deploy the Sigma rule “Detect Allok Fast AVI MPEG Splitter Buffer Overflow Attempt” to identify potential exploitation attempts by monitoring process creations with license names containing excessive data. Note that process-creation telemetry only captures the license name where it is passed on the command line; a payload typed into the GUI field will not appear there, so this rule should not be relied on alone.
  • Monitor for unusual process executions originating from the Allok Fast AVI MPEG Splitter 1.2 process, such as command interpreters or scripting hosts spawned with the splitter as parent, to detect successful code execution.

Detection coverage (2 rules)

Detect Allok Fast AVI MPEG Splitter Buffer Overflow Attempt

high

Detects potential exploitation attempts of CVE-2018-25322 in Allok Fast AVI MPEG Splitter 1.2 by monitoring for process creations with license names containing excessive data, which could indicate a buffer overflow attempt.

Sigma rule. Tactics: privilege_escalation. Sources: process_creation, windows.

Detect Suspicious Process Execution from Allok Directory

medium

Detects suspicious processes being launched from the Allok Fast AVI MPEG Splitter installation directory, which may indicate successful code execution after a buffer overflow (CVE-2018-25322).

Sigma rule. Tactics: execution. Sources: process_creation, windows.

Detection queries are available on the platform.