<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Seh Overflow — CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/seh-overflow/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata — refreshed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 29 Apr 2026 20:16:25 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/seh-overflow/feed.xml" rel="self" type="application/rss+xml"/><item><title>Easy MPEG to DVD Burner 1.7.11 SEH Buffer Overflow</title><link>https://feed.craftedsignal.io/briefs/2026-04-easy-mpeg-seh-overflow/</link><pubDate>Wed, 29 Apr 2026 20:16:25 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-easy-mpeg-seh-overflow/</guid><description>Easy MPEG to DVD Burner 1.7.11 contains a structured exception handling (SEH) local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious username string.</description><content:encoded><![CDATA[<p>Easy MPEG to DVD Burner 1.7.11 is vulnerable to a structured exception handling (SEH) local buffer overflow. This vulnerability allows a local attacker to execute arbitrary code on a targeted system. The vulnerability can be triggered by supplying a malicious username string to the application. The attacker exploits this vulnerability by overwriting the SEH handler, redirecting execution flow to attacker-controlled shellcode, which can then execute arbitrary commands. This vulnerability exists due to insufficient bounds checking when handling user-supplied data, specifically the username. 
Successful exploitation allows for arbitrary code execution within the context of the application.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious input string designed to trigger a buffer overflow in Easy MPEG to DVD Burner 1.7.11.</li>
<li>The malicious string includes junk data to fill the buffer, SEH chain pointers to control the exception handling process, and shellcode containing the attacker&rsquo;s desired commands.</li>
<li>The attacker provides the crafted input as a username during application execution, likely via a configuration file or command-line argument.</li>
<li>The application&rsquo;s vulnerable code attempts to copy the attacker-controlled username into a fixed-size buffer without proper bounds checking.</li>
<li>The buffer overflows, overwriting the SEH handler with the attacker-controlled SEH chain pointers.</li>
<li>An exception is triggered within the application due to the buffer overflow, causing the SEH handler to be invoked.</li>
<li>The overwritten SEH handler redirects execution to the attacker&rsquo;s shellcode.</li>
<li>The shellcode executes arbitrary commands, such as launching calc.exe, giving the attacker control over the system.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code with the privileges of the user running Easy MPEG to DVD Burner 1.7.11. This can lead to complete system compromise, data theft, or denial of service. While there is no mention of the number of victims or specific sectors targeted in the provided document, the high CVSS score (8.4) indicates a significant risk. A compromised host could then be used for lateral movement and further compromise.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Block execution of Easy MPEG to DVD Burner 1.7.11 if it is not a required application.</li>
<li>Monitor process creations for unusual processes originating from Easy MPEG to DVD Burner using the process creation rule below.</li>
<li>Monitor for unexpected process execution, such as calc.exe (mentioned in the advisory), following the execution of Easy MPEG to DVD Burner 1.7.11.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>buffer overflow</category><category>seh overflow</category><category>cve-2018-25301</category></item><item><title>River Past Video Cleaner 7.6.3 SEH Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-04-river-past-seh-overflow/</link><pubDate>Sun, 05 Apr 2026 21:16:44 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-04-river-past-seh-overflow/</guid><description>River Past Video Cleaner 7.6.3 contains a structured exception handler buffer overflow vulnerability allowing local attackers to execute arbitrary code by providing a malicious string in the Lame_enc.dll field.</description><content:encoded><![CDATA[<p>River Past Video Cleaner version 7.6.3 is vulnerable to a structured exception handler (SEH) buffer overflow. This vulnerability allows a local attacker to execute arbitrary code on a vulnerable system. The attack involves crafting a malicious input string specifically designed to exploit the way the application handles exceptions related to the Lame_enc.dll library. This vulnerability can be exploited by an unauthenticated, local attacker. A successful exploit results in arbitrary code execution in the context of the application. Defenders should implement detection measures to identify malicious processes spawned by River Past Video Cleaner, or unexpected registry modifications.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>A local attacker crafts a malicious input file designed to trigger the buffer overflow.</li>
<li>The attacker places the crafted malicious file in a location accessible to River Past Video Cleaner.</li>
<li>The attacker executes River Past Video Cleaner and instructs it to process the malicious file.</li>
<li>River Past Video Cleaner attempts to load or process the Lame_enc.dll library.</li>
<li>Due to the malicious input, a buffer overflow occurs within the structured exception handler of Lame_enc.dll. This overflow overwrites the saved SEH record on the stack.</li>
<li>When an exception is triggered (as a result of the overflow), the overwritten SEH record is used.</li>
<li>The overwritten SEH record redirects execution to attacker-controlled shellcode.</li>
<li>The attacker&rsquo;s shellcode executes, potentially granting the attacker arbitrary code execution within the context of the River Past Video Cleaner process.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability allows a local attacker to execute arbitrary code on the victim&rsquo;s machine. This could lead to complete system compromise, data theft, or installation of malware. The vulnerability is specific to River Past Video Cleaner 7.6.3. While specific victim counts are unavailable, the potential impact on any system running the vulnerable software is significant.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Monitor process creations where the parent process is <code>RiverPastVideoCleaner.exe</code>, and the child process is unusual or suspicious (e.g., <code>cmd.exe</code>, <code>powershell.exe</code>) using process creation logs (logsource: process_creation). Deploy the Sigma rule provided to detect potentially malicious child processes.</li>
<li>Implement application control policies to prevent the execution of unsigned or untrusted executables in directories associated with River Past Video Cleaner.</li>
<li>Monitor for unexpected registry modifications performed by <code>RiverPastVideoCleaner.exe</code> (logsource: registry_set). The provided Sigma rule detects potentially malicious registry modifications.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>cve-2019-25670</category><category>buffer-overflow</category><category>seh-overflow</category><category>windows</category></item><item><title>FlexHEX 2.71 Local Buffer Overflow Vulnerability (CVE-2019-25627)</title><link>https://feed.craftedsignal.io/briefs/2026-03-flexhex-overflow/</link><pubDate>Tue, 24 Mar 2026 12:16:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-flexhex-overflow/</guid><description>FlexHEX 2.71 is vulnerable to a local buffer overflow in the Stream Name field, allowing local attackers to execute arbitrary code via a structured exception handler (SEH) overflow.</description><content:encoded>&lt;p>FlexHEX 2.71 is susceptible to a local buffer overflow vulnerability (CVE-2019-25627) found within the Stream Name field. This flaw enables a local attacker to execute arbitrary code by exploiting a structured exception handler (SEH) overflow. The attack involves crafting a malicious text file containing precisely aligned shellcode and SEH chain pointers. By pasting this crafted content into the Stream Name dialog within FlexHEX, the attacker can trigger the SEH overflow and execute commands…&lt;/p>
</content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>buffer-overflow</category><category>seh-overflow</category><category>local-privilege-escalation</category><category>windows</category></item><item><title>Download Accelerator Plus (DAP) SEH Buffer Overflow Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-03-dap-seh-overflow/</link><pubDate>Tue, 24 Mar 2026 12:16:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-dap-seh-overflow/</guid><description>Download Accelerator Plus DAP 10.0.6.0 is vulnerable to a structured exception handler buffer overflow, allowing remote attackers to execute arbitrary code via malicious crafted URLs by overwriting SEH pointers and executing embedded shellcode.</description><content:encoded><![CDATA[<p>Download Accelerator Plus (DAP) version 10.0.6.0 is susceptible to a critical structured exception handler (SEH) buffer overflow vulnerability, identified as CVE-2019-25628. This vulnerability allows remote attackers to achieve arbitrary code execution by crafting malicious URLs. The attack leverages the application&rsquo;s web page import functionality to introduce the malicious URL. Successful exploitation allows attackers to overwrite SEH pointers, redirecting execution flow to attacker-controlled shellcode. This vulnerability poses a significant risk to users of the affected DAP version, potentially leading to complete system compromise. The vulnerability was reported and analyzed by VulnCheck.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker crafts a malicious URL containing oversized data designed to overflow the buffer and overwrite the SEH pointers.</li>
<li>The victim uses the Download Accelerator Plus 10.0.6.0 application.</li>
<li>The attacker delivers the malicious URL to the victim via social engineering or other means.</li>
<li>The victim imports the malicious URL through the application&rsquo;s web page import functionality.</li>
<li>The application attempts to process the crafted URL, triggering the buffer overflow.</li>
<li>The overflowing buffer overwrites the structured exception handler (SEH) record on the stack.</li>
<li>When an exception occurs, the application attempts to use the overwritten SEH pointer.</li>
<li>Control is transferred to the attacker-controlled shellcode embedded in the malicious URL, leading to arbitrary code execution.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of this vulnerability (CVE-2019-25628) allows a remote attacker to execute arbitrary code on the victim&rsquo;s system. Given the critical severity score (CVSS v3.1: 9.8), the impact is significant. Affected systems are completely compromised, allowing the attacker to install malware, steal sensitive information, or pivot to other systems on the network. The number of potential victims is unknown, but all users of Download Accelerator Plus 10.0.6.0 are at risk.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Discontinue the use of Download Accelerator Plus DAP 10.0.6.0 due to the unpatched SEH buffer overflow vulnerability (CVE-2019-25628).</li>
<li>Monitor network traffic for connections to the URLs associated with the vulnerability (e.g., <code>http://www.speedbit.com/dap/</code>, <code>https://www.exploit-db.com/exploits/46673</code>). Block these domains at the network perimeter.</li>
<li>Implement a network detection rule to identify HTTP requests containing unusually long URLs that might be exploiting the buffer overflow. This will require analyzing webserver or proxy logs.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2019-25628</category><category>buffer-overflow</category><category>seh-overflow</category></item><item><title>TuneClone 2.20 SEH Buffer Overflow Vulnerability (CVE-2019-25603)</title><link>https://feed.craftedsignal.io/briefs/2026-03-tuneclone-seh-overflow/</link><pubDate>Mon, 23 Mar 2026 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-03-tuneclone-seh-overflow/</guid><description>TuneClone 2.20 is vulnerable to a structured exception handler (SEH) buffer overflow, allowing local attackers to execute arbitrary code by supplying a malicious license code string via the application's license registration feature.</description><content:encoded>&lt;p>TuneClone 2.20 is susceptible to a structured exception handler (SEH) buffer overflow vulnerability identified as CVE-2019-25603. A local attacker can exploit this vulnerability by providing a specially crafted license code string to the application. The vulnerability exists due to insufficient bounds checking when processing the license code, allowing an attacker to overwrite the SEH chain. The attacker-supplied input allows for arbitrary code execution by overwriting exception handlers…&lt;/p>
</content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>cve-2019-25603</category><category>seh-overflow</category><category>buffer-overflow</category><category>code-execution</category></item></channel></rss>