{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/seh-overwrite/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2018-25304"}],"_cs_exploited":false,"_cs_products":["Free Download Manager 2.0"],"_cs_severities":["critical"],"_cs_tags":["buffer-overflow","seh-overwrite","code-execution","cve-2018-25304"],"_cs_type":"advisory","_cs_vendors":["Free Download Manager"],"content_html":"\u003cp\u003eFree Download Manager (FDM) version 2.0 Built 417 is susceptible to a local buffer overflow vulnerability (CVE-2018-25304) within its URL import functionality. This vulnerability, discovered and reported by VulnCheck, allows an attacker to craft a malicious URL file. When a user imports this specially crafted file through the \u0026ldquo;File \u0026gt; Import \u0026gt; Import lists of downloads\u0026rdquo; menu, the application attempts to process the \u0026lsquo;Location\u0026rsquo; header response, triggering a buffer overflow. This overflow overwrites the Structured Exception Handler (SEH) chain, enabling the attacker to execute arbitrary code within the context of the FDM process. This vulnerability can be exploited locally by tricking a user into importing a malicious file.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious \u003ccode\u003e.url\u003c/code\u003e file containing an overly long \u003ccode\u003eLocation\u003c/code\u003e header value designed to cause a buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe victim is convinced to download the malicious \u003ccode\u003e.url\u003c/code\u003e file (e.g., through social engineering).\u003c/li\u003e\n\u003cli\u003eThe victim opens Free Download Manager 2.0 Built 417.\u003c/li\u003e\n\u003cli\u003eThe victim navigates to \u0026ldquo;File \u0026gt; Import \u0026gt; Import lists of downloads\u0026rdquo; within FDM.\u003c/li\u003e\n\u003cli\u003eThe victim selects the downloaded malicious \u003ccode\u003e.url\u003c/code\u003e file and initiates the import process.\u003c/li\u003e\n\u003cli\u003eFDM parses the malicious \u003ccode\u003e.url\u003c/code\u003e file and attempts to process the long \u003ccode\u003eLocation\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe excessively long \u003ccode\u003eLocation\u003c/code\u003e header causes a buffer overflow, overwriting the SEH chain.\u003c/li\u003e\n\u003cli\u003eWhen an exception is triggered (due to the overflow), the overwritten SEH chain is used to redirect execution to attacker-controlled code, resulting in arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this buffer overflow vulnerability allows an attacker to execute arbitrary code on the victim\u0026rsquo;s system with the privileges of the Free Download Manager process. This could lead to complete system compromise, data theft, or installation of malware. While specific victim counts are unavailable, the vulnerability poses a significant risk to users of Free Download Manager 2.0 Built 417.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor for process creation events originating from Free Download Manager after importing a \u003ccode\u003e.url\u003c/code\u003e file to detect potential exploitation attempts (see Sigma rule \u0026ldquo;Detect Free Download Manager Suspicious Process Creation After Import\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement file integrity monitoring (FIM) on the Free Download Manager executable directory to detect unauthorized modifications potentially related to exploitation.\u003c/li\u003e\n\u003cli\u003eConsider using application control solutions to restrict the execution of unsigned or untrusted code within the Free Download Manager process.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:25Z","date_published":"2026-04-29T20:16:25Z","id":"/briefs/2026-04-fdm-buffer-overflow/","summary":"Free Download Manager 2.0 Built 417 contains a local buffer overflow vulnerability in the URL import functionality that allows attackers to trigger a structured exception handler (SEH) chain exploitation, leading to arbitrary code execution.","title":"Free Download Manager 2.0 Built 417 Local Buffer Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-04-fdm-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2018-25303"}],"_cs_exploited":false,"_cs_products":["Allok Video to DVD Burner 2.6.1217"],"_cs_severities":["high"],"_cs_tags":["cve","buffer overflow","seh overwrite"],"_cs_type":"advisory","_cs_vendors":["AllokSoft"],"content_html":"\u003cp\u003eA stack-based buffer overflow vulnerability exists in Allok Video to DVD Burner version 2.6.1217. This vulnerability, identified as CVE-2018-25303, resides within the \u0026ldquo;License Name\u0026rdquo; field of the application. A local attacker can exploit this flaw by crafting a malicious input designed to overwrite the Structured Exception Handler (SEH). Successful exploitation enables the attacker to execute arbitrary code within the context of the application. The vulnerability was reported on 2026-04-29. This is important for defenders because successful exploitation can lead to complete system compromise on vulnerable machines.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker gains local access to a system with Allok Video to DVD Burner 2.6.1217 installed.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input string consisting of 780 bytes of arbitrary data.\u003c/li\u003e\n\u003cli\u003eThe attacker appends SEH chain pointers and shellcode to the crafted input string.\u003c/li\u003e\n\u003cli\u003eThe attacker opens the Allok Video to DVD Burner application and navigates to the registration window.\u003c/li\u003e\n\u003cli\u003eThe attacker pastes the malicious input string into the \u0026ldquo;License Name\u0026rdquo; field.\u003c/li\u003e\n\u003cli\u003eThe application attempts to process the oversized input, triggering the buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe SEH is overwritten with the attacker\u0026rsquo;s controlled pointers.\u003c/li\u003e\n\u003cli\u003eThe shellcode is executed, giving the attacker arbitrary code execution on the system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to execute arbitrary code within the context of the Allok Video to DVD Burner application. This could lead to complete system compromise, including data theft, installation of malware, or other malicious activities. The vulnerability affects version 2.6.1217 of the software. The number of potential victims depends on the number of installations of the vulnerable software.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor process creations for Allok Video to DVD Burner and unusual child processes using the process creation rule below.\u003c/li\u003e\n\u003cli\u003eMonitor for registry modifications performed by the vulnerable application that may indicate persistence.\u003c/li\u003e\n\u003cli\u003eDue to the age of the application, consider whether it should continue to be used within the environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:25Z","date_published":"2026-04-29T20:16:25Z","id":"/briefs/2026-04-allok-video-buffer-overflow/","summary":"Allok Video to DVD Burner 2.6.1217 contains a stack-based buffer overflow vulnerability (CVE-2018-25303) in the License Name field, allowing a local attacker to execute arbitrary code by triggering a structured exception handler (SEH) overwrite.","title":"Allok Video to DVD Burner Stack-Based Buffer Overflow Vulnerability (CVE-2018-25303)","url":"https://feed.craftedsignal.io/briefs/2026-04-allok-video-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[{"cvss":8.4,"id":"CVE-2019-25656"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","seh-overwrite","code-execution","cve-2019-25656","windows"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eR i386 version 3.5.0 contains a local buffer overflow vulnerability, identified as CVE-2019-25656, within the GUI Preferences dialog. This vulnerability allows a local attacker to achieve arbitrary code execution by exploiting a buffer overflow when the application processes user-supplied input in the \u0026lsquo;Language for menus and messages\u0026rsquo; field. By crafting a malicious payload string, an attacker can overwrite the Structured Exception Handler (SEH) records. Successful exploitation would allow attackers to execute arbitrary code with the privileges of the user running the application. This poses a significant risk to systems running this vulnerable version of R, potentially leading to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker gains local access to a Windows system running R i386 3.5.0.\u003c/li\u003e\n\u003cli\u003eAttacker opens the R application.\u003c/li\u003e\n\u003cli\u003eAttacker navigates to the GUI Preferences dialog within the R application.\u003c/li\u003e\n\u003cli\u003eAttacker identifies the \u0026lsquo;Language for menus and messages\u0026rsquo; field within the GUI Preferences.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious payload string designed to overwrite SEH records, including shellcode for arbitrary code execution.\u003c/li\u003e\n\u003cli\u003eAttacker inputs the malicious string into the \u0026lsquo;Language for menus and messages\u0026rsquo; field.\u003c/li\u003e\n\u003cli\u003eThe R application attempts to process the attacker-supplied string without proper bounds checking, triggering the buffer overflow.\u003c/li\u003e\n\u003cli\u003eThe crafted payload overwrites the SEH record, redirecting execution flow to the attacker-controlled shellcode, resulting in arbitrary code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows a local attacker to execute arbitrary code on the targeted system. The impact includes potential privilege escalation, allowing the attacker to perform actions with the same privileges as the user running the R application. This could lead to the installation of malware, data exfiltration, or complete system compromise. While specific victim numbers are not available, any system running the vulnerable R i386 3.5.0 is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade R to a version higher than 3.5.0 to patch CVE-2019-25656.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the execution of R with a modified command line containing long strings to identify potential exploit attempts.\u003c/li\u003e\n\u003cli\u003eMonitor network connections originating from R processes for suspicious outbound traffic using network connection logs.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule to detect abnormal process execution originating from the R application to catch potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-05T21:16:42Z","date_published":"2026-04-05T21:16:42Z","id":"/briefs/2026-04-r-buffer-overflow/","summary":"R i386 version 3.5.0 is susceptible to a local buffer overflow in the GUI Preferences dialog, allowing a local attacker to overwrite the structured exception handler (SEH) by supplying a malicious string to the 'Language for menus and messages' field, leading to arbitrary code execution.","title":"R i386 3.5.0 Local Buffer Overflow Vulnerability (CVE-2019-25656)","url":"https://feed.craftedsignal.io/briefs/2026-04-r-buffer-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["cve-2019-25634","buffer-overflow","seh-overwrite","code-execution"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eBase64 Decoder version 1.1.2 is susceptible to a stack-based buffer overflow vulnerability, identified as CVE-2019-25634. This flaw enables a local attacker to execute arbitrary code on a vulnerable system. The vulnerability arises from insufficient bounds checking when processing input, allowing an attacker to overwrite critical parts of the stack. Successful exploitation requires the attacker to craft a malicious input file specifically designed to trigger the overflow. The impact of this…\u003c/p\u003e\n","date_modified":"2026-03-24T12:16:04Z","date_published":"2026-03-24T12:16:04Z","id":"/briefs/2026-03-base64-decoder-overflow/","summary":"Base64 Decoder 1.1.2 is vulnerable to a stack-based buffer overflow (CVE-2019-25634) allowing local attackers to achieve arbitrary code execution via a crafted input file that triggers an SEH overwrite.","title":"Base64 Decoder 1.1.2 Stack-Based Buffer Overflow (CVE-2019-25634)","url":"https://feed.craftedsignal.io/briefs/2026-03-base64-decoder-overflow/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["buffer-overflow","seh-overwrite","cve-2019-25604","dvdxplayer"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eDVDXPlayer Pro 5.5 is susceptible to a local buffer overflow vulnerability (CVE-2019-25604) that can be exploited by local attackers. This vulnerability allows for arbitrary code execution through the creation of specially crafted playlist files (.plf). The attack involves overflowing a buffer and hijacking the Structured Exception Handling (SEH) chain to execute attacker-controlled code within the context of the application. The vulnerability was reported in March 2026. Successful exploitation…\u003c/p\u003e\n","date_modified":"2026-03-23T12:00:00Z","date_published":"2026-03-23T12:00:00Z","id":"/briefs/2026-03-dvdxplayer-bof/","summary":"DVDXPlayer Pro 5.5 is vulnerable to a local buffer overflow, allowing local attackers to execute arbitrary code by crafting malicious playlist files.","title":"DVDXPlayer Pro 5.5 Local Buffer Overflow Vulnerability (CVE-2019-25604)","url":"https://feed.craftedsignal.io/briefs/2026-03-dvdxplayer-bof/"}],"language":"en","title":"CraftedSignal Threat Feed — Seh-Overwrite","version":"https://jsonfeed.org/version/1.1"}