CVE-2019-16724
Published 2019-09-24
Priority P2 75 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 72.16% (99.4th percentile)
File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow in an HTTP POST parameter, a similar issue to CVE-2010-2330 and CVE-2010-2331.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| upredsun | file_sharing_wizard | — | — |
Detection & IOCs (extracted from sources)
bytes
|eb 32 90 90 7f a6 38 7c|
snort
alert tcp any any -> [$HOME_NET,$HTTP_SERVERS] any (msg:"ET FILE_SHARING File Sharing Wizard 1.5.0 - SEH Overflow Inbound (CVE-2019-16724)"; flow:established,to_server; content:"|eb 32 90 90 7f a6 38 7c|"; fast_pattern; content:"|20|HTTP/"; distance:0; content:"|0d 0a 0d 0a|"; distance:3; within:4; reference:cve,2019-16724; classtype:attempted-admin; sid:2034092; rev:3; metadata:attack_target Server, created_at 2021_10_01, cve CVE_2019_16724, deployment Perimeter, deployment Internal, former_category EXPLOIT, confidence Medium, signature_severity Major, tag Exploit, updated_at 2024_06_12, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application;)
- The exploit triggers a SEH-based buffer overflow via an HTTP POST request. The NSEH value (short JMP forward 32 bytes: 0x909032EB / bytes EB 32 90 90) and SEH overwrite (POP POP RET gadget at 0x7c38a67f / bytes 7F A6 38 7C from MSVCR71.dll) appear contiguously in the payload. The Snort/ET rule fast-pattern byte sequence |eb 32 90 90 7f a6 38 7c| is the primary network detection anchor.
- The SEH overwrite occurs at a fixed offset of 1044 bytes into the POST request body ('overflowed SEH handler - 42386942 : [*] Exact match at offset 1044'). Network sensors should flag POST requests to HTTP servers where the body contains this offset pattern.
- The gadget used for SEH overwrite (POP ECX # POP ECX # RET) resides in MSVCR71.dll, which is loaded without ASLR, Rebase, or SafeSEH protections. Presence of this DLL in the File Sharing Wizard process without those mitigations is a prerequisite for exploitation.
- A similar exploit vector exists via the HTTP DELETE method (CVE-2019-17415), so detection rules should also cover DELETE requests with the same SEH byte pattern to the same target application.
- The Snort/ET rule (sid:2034092) targets inbound traffic to $HOME_NET and $HTTP_SERVERS. Ensure these variables are correctly scoped to include hosts running File Sharing Wizard 1.5.0 to avoid missed detections.
- The only bad character for the shellcode is \x00 (null byte). Payload variants may encode differently but must avoid null bytes; detection signatures relying solely on shellcode bytes may be evaded by re-encoding.
- The exploit was tested on Windows 7 only. Behavior on other Windows versions may differ, and the fixed ROP gadget address (0x7c38a67f in MSVCR71.dll) is version-specific (v7.10.6030.0).
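Added example (not part of the original page or the ET ruleset): a Python check that mirrors the rule's three content matches and adds the broader POST/DELETE coverage recommended in the notes above. It assumes `distance:3; within:4` places the CRLF CRLF terminator exactly three bytes after ` HTTP/`; the function names, the host name and the sample requests are constructed for illustration.

```python
import re

# Fast-pattern bytes quoted on this page (sid:2034092): NSEH + SEH overwrite.
MARKER = bytes.fromhex("eb3290907fa6387c")
# Methods named on this page: POST (CVE-2019-16724), DELETE (CVE-2019-17415).
METHODS = (b"POST", b"DELETE")
# " HTTP/", any three bytes, then CRLF CRLF (assumed reading of distance:3; within:4).
RULE_TAIL = re.compile(rb" HTTP/.{3}\r\n\r\n", re.DOTALL)


def rule_matches(stream: bytes) -> bool:
    """Mirror the rule: marker, then ' HTTP/' later on, then the bare terminator."""
    pos = stream.find(MARKER)
    if pos == -1:
        return False
    return RULE_TAIL.search(stream, pos + len(MARKER)) is not None


def scan_request(stream: bytes) -> dict:
    """Broader check: marker anywhere in a POST or DELETE request."""
    method = stream.split(b" ", 1)[0]
    offset = stream.find(MARKER)
    return {
        "method": method.decode("ascii", "replace"),
        "marker_offset": offset,  # -1 when the marker is absent
        "rule_hit": rule_matches(stream),
        "broad_hit": offset != -1 and method in METHODS,
    }


# Constructed inputs: short filler plus the marker, not captured traffic.
PAD = b"A" * 16
SAMPLES = {
    "post_no_headers": b"POST " + PAD + MARKER + b" HTTP/1.1\r\n\r\n",
    "delete_with_headers": b"DELETE " + PAD + MARKER
    + b" HTTP/1.1\r\nHost: fsw.example\r\n\r\n",
    "benign_post": b"POST /upload HTTP/1.1\r\nHost: fsw.example\r\n\r\nname=a.txt",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, scan_request(raw))
```

Under that reading, the constructed DELETE sample with a Host header hits the broad check but not the mirrored rule, which is the coverage gap the DELETE note describes.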
CVSS provenance
nvd v3.1 9.8 CRITICAL CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd v2.0 7.5 HIGH AV:N/AC:L/Au:N/C:P/I:P/A:P
GHSA
GHSA-5295-c598-qcfh: File Sharing Wizard version 1
ghsa_unreviewed·2022-05-24·CVSS 9.3
CVE-2019-18655 [CRITICAL] CWE-787 GHSA-5295-c598-qcfh: File Sharing Wizard version 1
File Sharing Wizard version 1.5.0 build 2008 is affected by a Structured Exception Handler based buffer overflow vulnerability. An unauthenticated attacker is able to perform remote command execution and obtain a command shell by sending an HTTP GET request including the malicious payload in the URL. A similar issue to CVE-2019-17415, CVE-2019-16724, and CVE-2010-2331.
GHSA
GHSA-g59r-5x5x-93wp: A Structured Exception Handler (SEH) based buffer overflow in File Sharing Wizard 1
ghsa_unreviewed·2022-05-24·CVSS 9.3
CVE-2019-17415 [CRITICAL] CWE-120 GHSA-g59r-5x5x-93wp: A Structured Exception Handler (SEH) based buffer overflow in File Sharing Wizard 1
A Structured Exception Handler (SEH) based buffer overflow in File Sharing Wizard 1.5.0 26-8-2008 allows remote unauthenticated attackers to execute arbitrary code via the HTTP DELETE method, a similar issue to CVE-2019-16724 and CVE-2010-2331.
GHSA
GHSA-cchr-8cq4-867h: File Sharing Wizard 1
ghsa_unreviewed·2022-05-24·CVSS 9.3
CVE-2019-16724 [CRITICAL] CWE-120 GHSA-cchr-8cq4-867h: File Sharing Wizard 1
File Sharing Wizard 1.5.0 allows a remote attacker to obtain arbitrary code execution by exploiting a Structured Exception Handler (SEH) based buffer overflow in an HTTP POST parameter, a similar issue to CVE-2010-2330 and CVE-2010-2331.
Suricata
ET FILE_SHARING File Sharing Wizard 1.5.0 - SEH Overflow Inbound (CVE-2019-16724)
suricata·2021-10-01·CVSS 9.8
CVE-2019-16724 [CRITICAL] ET FILE_SHARING File Sharing Wizard 1.5.0 - SEH Overflow Inbound (CVE-2019-16724)
http://packetstormsecurity.com/files/154586/File-Sharing-Wizard-1.5.0-SEH-Buffer-Overflow.html
http://packetstormsecurity.com/files/154777/File-Sharing-Wizard-1.5.0-POST-SEH-Overflow.html
https://www.exploit-db.com/exploits/47412