Executive Summary

CVE-2019-25629 is a structured exception handler (SEH) buffer overflow vulnerability in AIDA64 Extreme version 5.99.4900. It occurs in the logging functionality when the application processes a malicious CSV log file path. Local attackers can inject shellcode through the Hardware Monitoring logging preferences, causing a buffer overflow that triggers arbitrary code execution when the application exits properly.

The exploit involves crafting a specially designed input that overwrites the SEH, redirecting execution flow to attacker-supplied shellcode. This shellcode can execute arbitrary commands on the affected Windows system.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows a local attacker to execute arbitrary code on the affected system with high impact on confidentiality, integrity, and availability. An attacker can run malicious code, potentially leading to system compromise, data theft, or disruption of services.

• Execution of arbitrary code with high privileges.
• Potential local privilege escalation.
• Compromise of system confidentiality, integrity, and availability.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability is a local buffer overflow in the AIDA64 Extreme 5.99.4900 application related to its logging functionality. Detection involves checking if the application is configured to log sensor readings to a CSV file path that could be maliciously crafted.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts or presence of malicious payloads, you can inspect the Hardware Monitoring logging preferences in AIDA64 Extreme for suspicious or unusually long CSV log file paths that may contain shellcode or buffer overflow payloads.'}, {'type': 'paragraph', 'content': 'Since the exploit involves local manipulation of the logging configuration, network detection is limited. However, on the system, you can use commands or scripts to check the configuration files or registry entries related to AIDA64 Extreme logging preferences.'}, {'type': 'list_item', 'content': "Manually review the 'Log sensor reading to CSV log file' field under File → Preferences → Hardware Monitoring → Logging in AIDA64 Extreme for suspicious entries."}, {'type': 'list_item', 'content': 'Use PowerShell or command line to search for unusually long or suspicious strings in configuration files or registry keys related to AIDA64 logging.'}, {'type': 'list_item', 'content': 'Monitor application exit behavior to detect crashes or abnormal termination that could indicate buffer overflow triggering.'}] [1, 2]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include preventing local attackers from modifying the logging preferences in AIDA64 Extreme, especially the CSV log file path.

Restrict local user access to the application and its configuration settings to trusted administrators only.

Avoid using or disable the Hardware Monitoring logging feature in AIDA64 Extreme until a patch or update is available.

Ensure that the application is exited properly via File → Exit to avoid triggering the buffer overflow unintentionally.

Monitor for updates or patches from the vendor or security advisories addressing this vulnerability and apply them as soon as they become available.

Useful 0 Not Useful 0