Attack Chain

1. Attacker crafts a text file containing a malicious payload.
2. The payload includes shellcode designed to execute arbitrary commands.
3. The payload also contains specific values to overwrite the Structured Exception Handler (SEH) chain.
4. Attacker copies the contents of the crafted text file.
5. Attacker opens Allok AVI DivX MPEG to DVD Converter 2.6.1217 on the target system.
6. Attacker pastes the malicious payload into the “License Name” field of the application.
7. The application attempts to process the oversized or malformed license.
8. The buffer overflow occurs, overwriting the SEH chain and executing the attacker-supplied shellcode, resulting in arbitrary code execution.

Impact

Successful exploitation of this vulnerability (CVE-2018-25323) allows a local attacker to execute arbitrary code on the targeted system. The attacker gains control within the context of the Allok AVI DivX MPEG to DVD Converter application. This could lead to privilege escalation, data theft, or further compromise of the system. Given the nature of the vulnerability, the impact is limited to systems with the vulnerable software installed.

Recommendation

• Apply appropriate mitigations for buffer overflow vulnerabilities in Windows.
• Monitor for unusual process execution following application crashes, particularly processes spawned by Allok AVI DivX MPEG to DVD Converter, using process creation logs (logsource: process_creation, product: windows).
• Deploy the Sigma rule to detect potential exploitation attempts by monitoring for unusual data pasted into the License Name field using registry_set events if the application stores the value there.