Prime95 is software that uses your computer's spare processing power to search for very large prime numbers on behalf of the GIMPS project. It's popular with tech enthusiasts and researchers, but a serious security flaw has been discovered in version 29.4b8.
Here's the problem: The software has a weak spot in how it handles proxy settings (think of a proxy as a middleman that routes your internet traffic). The proxy server address is stored in a configuration file called prime.ini, and Prime95 copies it into a fixed-size area of memory without checking its length. Anyone who can write that file, or who talks you into pasting a crafted address into the settings dialog, can stuff far too much data into that field. It's like overstuffing a mailbox until it breaks open and spills everywhere.
When this buffer overflows, it corrupts the program's memory in a way that lets an attacker run their own instructions. Those instructions run with the same permissions as Prime95, normally the account of the user who launched it, so they can read that user's files, install persistent malware, or do anything else that user can do. If Prime95 was started as an administrator, the attacker gets that level of control.
Who's at risk? Anyone running Prime95 29.4b8 whose prime.ini could be changed by someone else, for example on a shared computer, or who pastes a proxy address from an untrusted source. If you're not using Prime95 at all, you're unaffected. Casual users are unlikely targets, but scientists and distributed computing volunteers should pay attention.
The good news is that researchers have not seen this weaponized in the wild yet.
Here's what you should do: First, check whether you're running Prime95 version 29.4b8 specifically; if so, update to a newer version immediately. Second, only enter proxy settings you obtained yourself, never one pasted from an untrusted message, and make sure prime.ini can only be changed by your own account. Third, if you're running Prime95, check your computer for suspicious activity or malware using a trusted antivirus tool. These simple steps will protect you from this particular threat.
Prime95 29.4b8, the widely-used GIMPS distributed computing client, contains a stack-based buffer overflow reachable through the optional proxy hostname field in its PrimeNet connection settings dialog. The overflow is deep enough to clobber the structured exception handling (SEH) chain on the stack, providing a classic SEH-overwrite code execution primitive on Windows x86 builds. CVSS 8.4 (HIGH) reflects local attack surface with high integrity/confidentiality impact and no privileges required beyond the ability to write application configuration.
This is not a network-side vulnerability. The attacker must control the value written into Prime95's configuration — either by social engineering a user into pasting a crafted hostname, by writing directly to prime.ini, or by providing a malicious configuration file. On systems where multiple users share a GIMPS installation or where the ini file is world-writable, the effective attack surface widens.
Root cause: strcpy (or an equivalent unbounded copy) into a fixed-size stack buffer during proxy hostname parsing in Prime95's PrimeNet settings handler, with no length validation, allowing overflow of the SEH chain and redirection of execution to attacker-controlled shellcode.
Affected Component
The vulnerable path is inside the PrimeNet options handling code, specifically the routine responsible for reading and validating the proxy server hostname from prime.ini or the settings dialog. Prime95 29.4b8 is the confirmed affected release. The Windows x86 (32-bit) build is most directly exploitable due to SEH chain layout on the stack; Linux/macOS builds using signal handlers rather than Windows SEH are affected by the overflow itself but the exploitation path differs.
Relevant binary artifacts:
prime95.exe — Windows 32-bit GUI client, 29.4b8
mprime — Linux CLI client, same codebase, overflow present
Configuration file: prime.ini, key ProxyHost=
Root Cause Analysis
The proxy hostname is read from prime.ini and passed through a settings-parsing routine before being copied into a stack-allocated buffer for use in socket connection setup. Decompiled pseudocode of the vulnerable function:
// Prime95 29.4b8 — PrimeNet connection setup
// Function: LoadPrimeNetConfig() / proxy_connect_init()
// Located in: network.c (approximate, pre-open-source era)
#define PROXY_HOST_BUF 256 // fixed stack allocation
int proxy_connect_init(const char *ini_path) {
char proxy_host[PROXY_HOST_BUF]; // stack buffer, [ebp-0x108] approx
char proxy_port[16];
char proxy_user[128];
int use_proxy;
use_proxy = IniGetInt(INI_FILE, "ProxyHost", 0);
// BUG: IniGetString copies attacker-controlled value with no length limit
// into fixed 256-byte stack buffer — strcpy semantics, no bounds check
IniGetString(INI_FILE, "ProxyHost", proxy_host, /* maxlen arg absent or ignored */ 0);
// ^^^^^^^^^^ destination is 256 bytes
// source can be arbitrarily long
IniGetString(INI_FILE, "ProxyPort", proxy_port, sizeof(proxy_port));
// ... rest of setup
return connect_via_proxy(proxy_host, atoi(proxy_port));
}
IniGetString internally calls GetPrivateProfileString on Windows (or a custom parser on Linux) and then performs an unbounded strcpy into the caller-supplied buffer when the maxlen argument is zero or the wrapper omits the guard. The result is a classic stack smash: any ProxyHost value longer than 255 characters (256 characters plus the terminating NUL already exceed the buffer) walks off the end of proxy_host and into the adjacent stack frames.
Memory Layout
On Windows x86, the _EXCEPTION_REGISTRATION records of the SEH chain sit on the stack at a predictable offset above the local buffers of proxy_connect_init, so a ProxyHost value that is long enough overwrites both SEH.Next and SEH.Handler of the nearest record.
Classic SEH-based exploitation on a 32-bit Windows target without SafeSEH coverage of the affected module (or using a non-SafeSEH DLL as the handler gadget source):
EXPLOIT CHAIN:
1. Attacker writes crafted prime.ini (or modifies existing one):
ProxyHost=<padding to reach the SEH record><SEH.Next><SEH.Handler><NOP sled><shellcode>
2. Prime95 launches and calls proxy_connect_init() on startup
or when user opens PrimeNet options dialog.
3. IniGetString() reads ProxyHost value, performs unbounded strcpy
into proxy_host[256] on stack — overflow occurs immediately.
4. Function returns normally OR an exception is triggered by the
corrupted stack during cleanup / argument validation downstream.
5. If exception fires: Windows walks the SEH chain, finds the
attacker-controlled _EXCEPTION_REGISTRATION record on the stack.
SEH.Handler is called with ptr to EXCEPTION_RECORD and
EstablisherFrame.
6. SEH.Handler points to a "POP POP RET" gadget in a loaded module
(e.g., non-SafeSEH runtime DLL). The dispatcher calls the handler as
handler(ExceptionRecord, EstablisherFrame, ...), so on entry the stack
holds the return address, the ExceptionRecord pointer, and then
EstablisherFrame, which is the address of the overwritten record:
POP reg1 ; discard return address into the dispatcher
POP reg2 ; discard ExceptionRecord ptr
RET ; pops EstablisherFrame = address of the record itself,
; so execution resumes at the bytes stored in SEH.Next
; SEH.Next was set to \xEB\x06\x90\x90
; (short JMP +6, over the 4-byte handler ptr)
7. Short JMP lands in NOP sled immediately following the SEH record.
8. NOP sled reaches shellcode — arbitrary code executes in the
security context of the Prime95 process (typically the logged-in user).
9. Example payload: cmd.exe /c calc.exe (PoC)
Production payload: reverse shell, persistence dropper, etc.
The POP POP RET gadget approach is necessary because the exception dispatcher passes the EstablisherFrame pointer (the address of the overwritten registration record) as the handler's second argument; discarding the two dwords above it and returning lands execution on SEH.Next, which is repurposed as a short jump to the shellcode. Any loaded module built without /SAFESEH is a candidate gadget source, and one that also lacks /DYNAMICBASE gives a fixed address that survives ASLR; both are common in legacy GIMPS builds that link against older CRT versions.
# CVE-2018-25299 — Prime95 29.4b8 SEH overwrite PoC (Windows x86)
# For research and detection purposes only.
import struct
# POP POP RET gadget — must come from a non-SafeSEH module loaded by prime95
# Replace with actual address from target environment
PPR_GADGET = struct.pack("
Patch Analysis
The fix is straightforward: enforce a maximum length when copying the ini value into the stack buffer. Post-29.4b8 versions pass the buffer size explicitly to IniGetString which then uses strncpy or GetPrivateProfileString's built-in nSize parameter correctly:
// BEFORE (vulnerable, Prime95 29.4b8):
IniGetString(INI_FILE, "ProxyHost", proxy_host, 0);
// ^ zero = no length enforcement
// internally: strcpy(dest, src) — unbounded
// AFTER (patched):
IniGetString(INI_FILE, "ProxyHost", proxy_host, sizeof(proxy_host));
// ^^^^^^^^^^^^^^^^^^
// internally: GetPrivateProfileStringA(section, key, default,
// proxy_host, sizeof(proxy_host), ini_path);
// Windows API enforces nSize — truncates at 255 chars + NUL terminator
// Additional defensive change in IniGetString wrapper:
void IniGetString(const char *file, const char *key,
char *buf, size_t bufsz) {
if (bufsz == 0) return; // guard against legacy callers
GetPrivateProfileStringA("PrimeNet", key, "", buf, (DWORD)bufsz, file);
buf[bufsz - 1] = '\0'; // belt-and-suspenders NUL termination
}
The patch also adds input validation in the settings dialog UI: the proxy hostname edit control is now limited to 255 characters via SendMessage(hwnd, EM_SETLIMITTEXT, 255, 0), providing a second layer of defense for interactive use. This does not protect against direct prime.ini manipulation, making the IniGetString fix the load-bearing change.
Detection and Indicators
Static detection on prime.ini:
ProxyHost value exceeding 255 characters is anomalous: DNS caps a full hostname at 253 characters, and real proxy hostnames are far shorter.
Non-printable bytes or binary sequences in ProxyHost are definitive indicators of tampering.
Runtime detection:
A crash of prime95.exe with EIP or SEH.Handler set to a pad pattern such as 0x41414141/0x42424242 indicates an overflow test or a failed attempt. A working exploit instead leaves SEH.Handler pointing into a loaded non-SafeSEH module, so treat any faulting handler address outside prime95.exe's own code as suspicious.
Windows Event Log: Application Error, faulting module prime95.exe, exception code 0xC0000005 (ACCESS_VIOLATION) with offset pointing outside known code sections.
File integrity monitoring on prime.ini: alert on modifications where ProxyHost field length > 64 bytes.
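As an added example (not Prime95's code, and not part of the advisory above), the following C program brings together the bounded copy from the patch analysis and the static checks from this detection section. It reads ProxyHost from a constructed in-memory prime.ini with a minimal line scanner standing in for GetPrivateProfileString, so it runs anywhere; the function names ini_get_string, load_proxy_host and scan_proxy_host and the sample ini contents are assumptions. It goes one step beyond the patch by rejecting a truncated or non-hostname value rather than silently using the clipped string.

```c
/* Added example, not Prime95 source: bounded ProxyHost handling plus the
 * static detection checks, driven by constructed prime.ini text. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define PROXY_HOST_BUF 256   /* same fixed stack allocation as the advisory */
#define ALERT_LEN       64   /* FIM review threshold from the detection section */
#define MAX_HOSTNAME   253   /* DNS limit on a full hostname */

/* Indicator bits returned by scan_proxy_host(). */
#define IND_LEN_OVER_ALERT 0x1   /* > 64 bytes: flag for manual review */
#define IND_LEN_OVER_BUF   0x2   /* > 255 bytes: would overflow proxy_host[256] */
#define IND_NON_PRINTABLE  0x4   /* binary bytes in the value: tampering */

/* Find "key=" at the start of a line. Returns a pointer to the value and
 * stores its length (up to end of line) in *len, or NULL if absent.
 * Deliberately minimal: no sections, no whitespace trimming. */
static const char *ini_find_value(const char *ini, const char *key, size_t *len)
{
    size_t klen = strlen(key);
    const char *p = ini;
    while (p && *p) {
        if (strncmp(p, key, klen) == 0 && p[klen] == '=') {
            const char *v = p + klen + 1;
            const char *e = strpbrk(v, "\r\n");
            *len = e ? (size_t)(e - v) : strlen(v);
            return v;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return NULL;
}

/* Bounded copy in the spirit of the patched IniGetString: never writes more
 * than bufsz bytes, always NUL-terminates, and returns the full length of the
 * value in the file so the caller can detect truncation (-1 if missing). */
long ini_get_string(const char *ini, const char *key, char *buf, size_t bufsz)
{
    size_t vlen, n;
    const char *v;
    if (bufsz == 0) return -1;            /* guard against legacy callers passing 0 */
    buf[0] = '\0';
    v = ini_find_value(ini, key, &vlen);
    if (!v) return -1;
    n = vlen < bufsz - 1 ? vlen : bufsz - 1;
    memcpy(buf, v, n);
    buf[n] = '\0';
    return (long)vlen;
}

/* Hardened counterpart of proxy_connect_init(): refuses a ProxyHost that was
 * truncated or is not a plausible hostname. Returns 0 on success, -1 otherwise. */
int load_proxy_host(const char *ini, char *out, size_t outsz)
{
    char host[PROXY_HOST_BUF];
    long full = ini_get_string(ini, "ProxyHost", host, sizeof host);
    if (full < 0) return -1;                       /* no proxy configured */
    if ((size_t)full >= sizeof host) return -1;    /* would have overflowed 29.4b8 */
    if (full == 0 || full > MAX_HOSTNAME) return -1;
    for (const char *c = host; *c; c++)            /* RFC 1123 hostname charset */
        if (!isalnum((unsigned char)*c) && *c != '.' && *c != '-') return -1;
    if (outsz) { strncpy(out, host, outsz - 1); out[outsz - 1] = '\0'; }
    return 0;
}

/* Static indicators from the detection section, applied to raw ini text. */
int scan_proxy_host(const char *ini)
{
    size_t vlen;
    const char *v = ini_find_value(ini, "ProxyHost", &vlen);
    int ind = 0;
    if (!v) return 0;
    if (vlen > ALERT_LEN) ind |= IND_LEN_OVER_ALERT;
    if (vlen > PROXY_HOST_BUF - 1) ind |= IND_LEN_OVER_BUF;
    for (size_t i = 0; i < vlen; i++)
        if (!isprint((unsigned char)v[i])) ind |= IND_NON_PRINTABLE;
    return ind;
}

/* Constructed hostile prime.ini (not captured from a real system): 600 bytes of
 * padding followed by the \xEB\x06\x90\x90 short-jump bytes from the SEH chain. */
const char *hostile_sample(void)
{
    static char ini[32 + 600];
    if (ini[0] == '\0') {
        strcpy(ini, "ProxyHost=");
        memset(ini + 10, 'A', 600);
        memcpy(ini + 610, "\xEB\x06\x90\x90\nProxyPort=8080\n", 20);
    }
    return ini;
}

int main(void)
{
    static const char benign[] = "ProxyHost=proxy.example.net\nProxyPort=3128\n";
    char out[PROXY_HOST_BUF];
    printf("benign:  rc=%d host=%s ind=%#x\n",
           load_proxy_host(benign, out, sizeof out), out, scan_proxy_host(benign));
    printf("hostile: rc=%d ind=%#x\n",
           load_proxy_host(hostile_sample(), out, sizeof out), scan_proxy_host(hostile_sample()));
    return 0;
}
```

A truncating copy closes the overflow but still hands the connect routine a hostname that is not what the file contained; returning the full value length lets the caller refuse it instead. The scanner's bits map to the three static indicators above: a length over 64 alone is only a review trigger, while the other two bits are strong tamper signals.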
Upgrade immediately to the latest Prime95/mprime release. The vendor addressed this in versions beyond 29.4b8 — check the GIMPS download page for current build.
Restrict prime.ini permissions to the owning user account (icacls prime.ini /inheritance:r /grant %USERNAME%:F on Windows). Prevent other local users from modifying the configuration file directly.
Validate existing configurations: audit ProxyHost entries in any deployed prime.ini files. Flag any value longer than 64 characters for manual review.
Enable DEP, SEHOP and ASLR: DEP (OptOut policy or per-process opt-in) stops the stack-resident NOP sled and shellcode from executing, SEHOP (Structured Exception Handler Overwrite Protection) validates the handler chain before dispatch and defeats the overwrite itself, and ASLR only helps where the loaded modules were built with /DYNAMICBASE. Together these raise the exploitation bar significantly even on unpatched builds.
For managed GIMPS deployments, distribute configuration via controlled channels and use file integrity monitoring to detect unauthorized prime.ini modification.