CVE-2020-37075 Overview
CVE-2020-37075 is a buffer overflow vulnerability in LanSend 3.2 that affects the Add Computers Wizard file import functionality. This vulnerability allows attackers to execute arbitrary code by crafting a malicious payload file that triggers a structured exception handler (SEH) overwrite. When a user imports computers from a specially crafted file, the application fails to properly validate input boundaries, leading to memory corruption and potential shellcode execution.
Critical Impact
Successful exploitation enables arbitrary code execution on the target system through SEH overwrite, allowing attackers to gain complete control of the affected machine.
Affected Products
- LanSend 3.2 (Add Computers Wizard component)
- Lizard Systems LANsend with file import functionality
Discovery Timeline
- 2026-02-03 - CVE CVE-2020-37075 published to NVD
- 2026-02-04 - Last updated in NVD database
Technical Details for CVE-2020-37075
Vulnerability Analysis
This vulnerability is classified under CWE-120 (Buffer Copy without Checking Size of Input), commonly known as a classic buffer overflow. The flaw resides in the Add Computers Wizard functionality of LanSend 3.2, specifically in the code path that handles file imports.
When LanSend processes an import file containing computer entries, it copies user-supplied data into a fixed-size buffer without adequately verifying the length of the input. This allows an attacker to overflow the buffer and overwrite adjacent memory structures, including the Structured Exception Handler (SEH) chain on the stack.
The vulnerability requires local access to the system and user interaction to import the malicious file. Once the buffer overflow corrupts the SEH chain, an exception triggered during processing causes control flow to be redirected to attacker-controlled addresses, enabling arbitrary code execution with the privileges of the LanSend application.
Root Cause
The root cause of CVE-2020-37075 is insufficient input validation in the file import parsing routine. The application uses unsafe string copy operations that do not verify whether the destination buffer can accommodate the source data. When processing computer names or related fields from an import file, the application blindly copies data into a stack-based buffer, creating the overflow condition.
The lack of bounds checking combined with the predictable memory layout allows attackers to craft payloads that precisely overwrite the SEH handler pointer, converting a simple buffer overflow into a reliable code execution primitive.
Attack Vector
The attack requires the following conditions:
- The attacker must craft a malicious import file containing an oversized payload designed to overflow the target buffer
- The payload must include a carefully calculated offset to overwrite the SEH handler pointer
- The victim must be socially engineered to import the malicious file using the Add Computers Wizard feature
- Upon import, the buffer overflow triggers an exception, and the corrupted SEH handler redirects execution to the attacker's shellcode
The local attack vector with user interaction requirement means this vulnerability is most likely to be exploited through social engineering tactics, such as sending the malicious file via email or hosting it on a compromised network share. Technical details and proof-of-concept information are available through Exploit-DB #48461.
Detection Methods for CVE-2020-37075
Indicators of Compromise
- Unusual crash events or exceptions in the LanSend application, particularly during file import operations
- Presence of suspicious import files with unusually large data fields or binary content
- Unexpected child processes spawned by lansend.exe or related executables
- Memory access violations logged in Windows Event Viewer associated with LanSend
Detection Strategies
- Monitor for abnormal file access patterns involving LanSend import files, especially those with unexpected file sizes or content
- Deploy endpoint detection rules to identify SEH exploitation techniques and shellcode execution patterns
- Implement application whitelisting to prevent unauthorized code execution from exploited processes
- Use behavioral analysis to detect anomalous process behavior following LanSend file import operations
Monitoring Recommendations
- Enable detailed application logging for LanSend to capture file import activities and any associated errors
- Configure endpoint protection solutions to alert on buffer overflow exploitation attempts and SEH manipulation
- Monitor network shares and email attachments for potentially malicious LanSend import files
How to Mitigate CVE-2020-37075
Immediate Actions Required
- Restrict access to the LanSend Add Computers Wizard functionality to trusted administrators only
- Implement strict policies prohibiting the import of computer lists from untrusted or unknown sources
- Consider disabling the file import feature if not required for business operations
- Deploy endpoint protection solutions capable of detecting buffer overflow and SEH exploitation attempts
Patch Information
Refer to Lizard Systems LANsend for official vendor updates and any available security patches. The VulnCheck LANsend Buffer Overflow Advisory provides additional technical guidance on addressing this vulnerability.
Organizations should evaluate whether to upgrade to a newer version of LanSend that addresses this vulnerability or consider alternative solutions if no patch is available.
Workarounds
- Remove or disable the Add Computers Wizard file import functionality through application configuration or access controls
- Use application control policies to restrict execution of LanSend to only authorized scenarios
- Implement network segmentation to limit the potential impact of exploitation
- Train users to recognize social engineering attempts and avoid importing files from untrusted sources
# Configuration example - Restrict LanSend execution with Windows AppLocker
# Create a rule to allow LanSend only for specific admin users
# Run in elevated PowerShell
# Verify current AppLocker policy
Get-AppLockerPolicy -Effective -Xml
# Example: Deny execution of lansend.exe for non-admin users
# Configure via Group Policy: Computer Configuration > Windows Settings > Security Settings > Application Control Policies
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
