<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Faleemi Desktop Software - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/faleemi-desktop-software/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 24 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/faleemi-desktop-software/feed.xml" rel="self" type="application/rss+xml"/><item><title>Faleemi Desktop Software 1.8 Local Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2024-01-24-faleemi-buffer-overflow/</link><pubDate>Wed, 24 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-24-faleemi-buffer-overflow/</guid><description>Faleemi Desktop Software 1.8 is vulnerable to a local buffer overflow in the System Setup dialog, allowing attackers to bypass DEP protections and execute arbitrary code through a crafted payload in the Save Path field.</description><content:encoded><![CDATA[<p>Faleemi Desktop Software version 1.8 is susceptible to a critical local buffer overflow vulnerability (CVE-2019-25691) within the System Setup dialog. This flaw allows an attacker with local access to the system to inject a malicious payload into the &quot;Save Path for Snapshot and Record file&quot; field. By exploiting this buffer overflow, attackers can bypass Data Execution Prevention (DEP) and execute arbitrary code on the affected system. This is achieved through Structured Exception Handling (SEH) exploitation, enabling the use of Return-Oriented Programming (ROP) chain gadgets to gain control and execute malicious code. The vulnerability poses a significant risk to systems running the vulnerable software.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker gains local access to a system with Faleemi Desktop Software 1.8 installed.</li>
<li>Attacker opens the Faleemi Desktop Software application.</li>
<li>Attacker navigates to the &quot;System Setup&quot; dialog within the application's settings.</li>
<li>Attacker locates the &quot;Save Path for Snapshot and Record file&quot; field in the settings.</li>
<li>Attacker injects a specially crafted payload designed to trigger a buffer overflow into the &quot;Save Path&quot; field. The payload includes shellcode and ROP gadgets.</li>
<li>The application attempts to save the provided path, triggering the buffer overflow.</li>
<li>The injected payload overwrites memory, including the Structured Exception Handler (SEH) record.</li>
<li>The overwritten SEH record redirects execution to the attacker's controlled ROP chain, enabling arbitrary code execution on the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this buffer overflow vulnerability (CVE-2019-25691) allows an attacker to execute arbitrary code with the privileges of the user running Faleemi Desktop Software 1.8. This could lead to complete system compromise, including data theft, installation of malware, or further lateral movement within the network. Given the nature of the vulnerability, any system running the affected software is at risk. The CVSS v3.1 score of 8.4 indicates a high severity.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Apply any available patches or updates provided by Faleemi to address CVE-2019-25691.</li>
<li>Monitor process creation events for spawned processes originating from Faleemi Desktop Software using the provided Sigma rule to detect potential exploitation attempts.</li>
<li>Implement application control policies to restrict the execution of unsigned or untrusted binaries within the Faleemi Desktop Software directory.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>buffer-overflow</category><category>dep-bypass</category><category>faleemi</category><category>cve-2019-25691</category></item></channel></rss>