CVE-2018-25213
Structured Exception Handling Buffer Overflow in Nsauditor DNS Lookup Enables Code Execution

Publication date: 2026-03-26

Last updated on: 2026-05-01

Assigner: VulnCheck

Description
Nsauditor 3.0.28.0 contains a structured exception handling buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying malicious input to the DNS Lookup tool. Attackers can craft a payload with SEH chain overwrite and inject shellcode through the DNS Query field to achieve code execution with application privileges.
Meta Information

Published: 2026-03-26

Last Modified: 2026-05-01

Generated: 2026-05-06

AI Q&A: 2026-03-26

EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Showing 1 associated CPE
Vendor: nsasoft
Product: nsauditor
Version / Range: to 3.2.7 (exc)
CWE
CWE ID: CWE-787
Description: The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability allows local attackers to execute arbitrary code with application privileges, which can lead to unauthorized access, modification, or disruption of data handled by the application.

Such unauthorized code execution and potential data compromise can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of confidentiality, integrity, and availability of sensitive data.

However, the provided information does not explicitly discuss the direct impact on compliance frameworks or specific regulatory requirements.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability in Nsauditor 3.0.28.0, immediately avoid using the DNS Lookup tool with untrusted input, as this is the attack vector for the buffer overflow.

Restrict local access to the affected system to prevent attackers from supplying malicious input to the DNS Query field.

Monitor for any suspicious activity or unexpected network connections, especially on port 3110, which is used by the exploit's bind shell.

If possible, update or patch the application to a version that addresses this vulnerability or consider using alternative tools until a fix is available.


Can you explain this vulnerability to me?

CVE-2018-25213 is a local structured exception handling (SEH) buffer overflow vulnerability in Nsauditor version 3.0.28.0. It occurs in the DNS Lookup tool where an attacker can supply malicious input to the DNS Query field. This crafted input overwrites the SEH chain, allowing the attacker to inject and execute arbitrary code with the same privileges as the application.

The exploit involves creating a specially crafted payload that includes a buffer overflow, SEH overwrite, and shellcode injection. When the payload is processed by the DNS Lookup tool, it triggers the overflow and redirects execution to the injected shellcode.


How can this vulnerability impact me?

This vulnerability allows a local attacker to execute arbitrary code on the affected system with the same privileges as the Nsauditor application. This can lead to full compromise of the application, potentially allowing the attacker to run malicious commands, install malware, or gain further access to the system.

The CVSS v4 base score of 8.6 reflects a high impact on confidentiality, integrity, and availability, meaning the attacker can access sensitive information, modify data, or disrupt system operations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by attempting to reproduce the exploit locally on a system running Nsauditor 3.0.28.0. The exploit involves injecting a crafted payload into the DNS Lookup tool's DNS Query field to trigger a structured exception handling buffer overflow.

  • Run the provided Python script (Nsauditor.py) to generate a malicious payload file named EVIL.txt.
  • Open Nsauditor and navigate to Tools > DNS Lookup.
  • Paste the contents of EVIL.txt into the DNS Query field.
  • Click "Resolve" to trigger the overflow.
  • Use a command like `nc <target_ip> 3110` (Netcat) to connect to the bind shell opened by the exploit, confirming successful code execution.
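
A passive check for the port 3110 indicator mentioned in the mitigation advice, plus a version test against the listed CPE range, as an added example that is not part of the original page or any vendor tooling. The `netstat -ano` sample is constructed, and the function names are hypothetical.

```python
import re

BIND_PORT = 3110        # port the page associates with the exploit's bind shell
FIXED_FROM = (3, 2, 7)  # page's CPE range: affected up to 3.2.7, exclusive

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       988
  TCP    0.0.0.0:3110           0.0.0.0:0              LISTENING       4212
  TCP    10.0.0.5:3110          10.0.0.9:50122         ESTABLISHED     4212
  TCP    10.0.0.5:49731         203.0.113.7:31100      ESTABLISHED     2044
  TCP    [::]:445               [::]:0                 LISTENING       4
  UDP    0.0.0.0:3110           *:*                                    1520
"""

# TCP rows only: local addr:port, remote addr:port, state, owning PID.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s+(\d+)\s*$")

def is_affected(version: str) -> bool:
    """True if a dotted version string is below the first unaffected version."""
    return tuple(int(p) for p in version.split(".")) < FIXED_FROM

def find_port_activity(netstat_text: str, port: int = BIND_PORT):
    """Return (state, local, remote, pid) for TCP rows whose LOCAL port matches."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # header, blank and UDP rows are skipped
        laddr, lport, raddr, rport, state, pid = m.groups()
        # Match the local port only, so a remote port such as 31100 is ignored.
        if int(lport) == port and state in ("LISTENING", "ESTABLISHED"):
            hits.append((state, f"{laddr}:{lport}", f"{raddr}:{rport}", int(pid)))
    return hits

if __name__ == "__main__":
    print("3.0.28.0 in affected range:", is_affected("3.0.28.0"))
    for state, local, remote, pid in find_port_activity(SAMPLE_NETSTAT):
        # Resolve the PID to an image name with: tasklist /FI "PID eq <pid>"
        print(f"{state:<12} {local:<16} {remote:<20} PID {pid}")
```

On a live host, pass the captured text of `netstat -ano` to `find_port_activity` and confirm whether the owning PID belongs to the Nsauditor process.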
