SecurityWeek

Malwarebytes Anti-Exploit Upgrade Mechanism Vulnerable to MitM Attacks

The upgrade mechanism in older versions of Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit is plagued by a vulnerability that can be exploited to load malicious code on affected systems.

The bug (CVE-2014-4936) was identified by Yonathan Klijnsma, a researcher with Netherlands-based security firm Fox-IT. The vulnerability affects the consumer versions of Malwarebytes Anti-Malware 2.0.2 and earlier, and Malwarebytes Anti-Exploit 1.03 and earlier. Business versions are not impacted.

According to Klijnsma, affected versions of Malwarebytes Anti-Exploit and Malwarebytes Anti-Malware are upgraded over an HTTP connection and don’t use a proper package validation system to ensure that updates are legitimate. Because the application doesn’t verify the installer, an attacker can serve any Windows PE file and it will be executed with full administrative privileges on the victim’s system.

Both solutions are affected by the flaw because they rely on the same process. The only difference is in the requests for checking the version and getting the update.
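The flaw described above comes down to a missing verification step between "download" and "execute". The Go program below is an added illustration, not Malwarebytes' code or a description of its patched updater: it shows the check a client should perform before running an installer fetched from a CDN, which is a vendor signature over a manifest (version plus SHA-256 of the package), a hash match against the signed manifest, and an anti-rollback version comparison. The manifest format, the `Manifest` type, `GenerateVendorKey`, `SignManifest` and `VerifyUpdate` are all hypothetical names chosen for this example; the installer bytes are constructed and are not a real PE file. The version numbers used in `main` match the ones the article gives for the affected and fixed Anti-Malware releases.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// Errors the client returns instead of silently running an unverified installer.
var (
	ErrBadSignature = errors.New("manifest signature does not verify against vendor key")
	ErrHashMismatch = errors.New("package hash does not match signed manifest")
	ErrRollback     = errors.New("offered version is not newer than the installed one")
)

// Manifest is a hypothetical update descriptor (not Malwarebytes' format): the
// version string and the SHA-256 of the installer, signed with the vendor's key.
type Manifest struct {
	Version   string
	SHA256Hex string
	Signature []byte // Ed25519 signature over manifestBytes(Version, SHA256Hex)
}

// manifestBytes is the canonical byte string that gets signed and verified.
func manifestBytes(version, sha256Hex string) []byte {
	return []byte("version=" + version + "\nsha256=" + sha256Hex + "\n")
}

// GenerateVendorKey stands in for the vendor's signing key. In a real deployment
// the public half is compiled into the client and the private half stays offline.
func GenerateVendorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the vendor-side step: hash the installer and sign the manifest.
func SignManifest(priv ed25519.PrivateKey, version string, pkg []byte) Manifest {
	sum := sha256.Sum256(pkg)
	shaHex := hex.EncodeToString(sum[:])
	return Manifest{Version: version, SHA256Hex: shaHex, Signature: ed25519.Sign(priv, manifestBytes(version, shaHex))}
}

// newerThan compares dotted numeric versions, so "2.0.3" is newer than "2.0.2".
func newerThan(candidate, current string) (bool, error) {
	a, b := strings.Split(candidate, "."), strings.Split(current, ".")
	n := len(a)
	if len(b) > n {
		n = len(b)
	}
	for i := 0; i < n; i++ {
		x, y := 0, 0
		var err error
		if i < len(a) {
			if x, err = strconv.Atoi(a[i]); err != nil {
				return false, fmt.Errorf("bad version %q: %w", candidate, err)
			}
		}
		if i < len(b) {
			if y, err = strconv.Atoi(b[i]); err != nil {
				return false, fmt.Errorf("bad version %q: %w", current, err)
			}
		}
		if x != y {
			return x > y, nil
		}
	}
	return false, nil
}

// VerifyUpdate is the check the affected clients lacked. It must pass before the
// downloaded package is written to disk as an executable or launched; a nil
// return is the only outcome that allows execution.
func VerifyUpdate(vendorPub ed25519.PublicKey, m Manifest, pkg []byte, installedVersion string) error {
	// 1. The manifest must be signed by the vendor; a MitM on plain HTTP cannot forge this.
	if !ed25519.Verify(vendorPub, manifestBytes(m.Version, m.SHA256Hex), m.Signature) {
		return ErrBadSignature
	}
	// 2. The package bytes must match the hash the vendor signed.
	sum := sha256.Sum256(pkg)
	if hex.EncodeToString(sum[:]) != m.SHA256Hex {
		return ErrHashMismatch
	}
	// 3. Refuse downgrades, so a replayed old (still validly signed) package is not installed.
	newer, err := newerThan(m.Version, installedVersion)
	if err != nil {
		return err
	}
	if !newer {
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv := GenerateVendorKey()
	installer := []byte("MZ constructed installer bytes, not a real PE file") // constructed sample
	genuine := SignManifest(priv, "2.0.3", installer)
	fmt.Println("genuine update:", VerifyUpdate(pub, genuine, installer, "2.0.2"))
	tampered := append([]byte{}, installer...)
	tampered[len(tampered)-1] ^= 0xff // an intercepted, substituted package
	fmt.Println("tampered package:", VerifyUpdate(pub, genuine, tampered, "2.0.2"))
}
```

Transporting the manifest and package over HTTPS is still worthwhile, but it is the signature check that makes the DNS-redirection scenario in the article fail: a server the attacker controls can answer the request, yet it cannot produce a manifest that verifies under the key compiled into the client.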

The security software is designed to get updates from the Malwarebytes CDN (data-cdn.mbamupdates.com). In order to inject his payload, the attacker needs to intercept the DNS requests for the CDN. This can be accomplished by various methods, including changing DNS adapter settings, changing the Windows hosts file to override DNS, and performing a DHCP spoofing attack.

In his experiments, in which the attacker’s machine was running Kali Linux and the victim’s machine was running Windows XP, Klijnsma used a DHCP spoofing attack to reroute requests from the Malwarebytes product to the “malicious” server.

By launching a man-in-the-middle (MitM) attack, the expert was able to get the security software to download and execute an arbitrary file, and take over the targeted device.

The expert reported the Malwarebytes Anti-Malware vulnerability in mid-July and it was addressed on October 3 with the release of version 2.0.3. In the case of Malwarebytes Anti-Exploit, the flaw was reported on August 21, and it was patched in early September with the release of version 1.04.1.1012.

The security firm has added Klijnsma’s name to its hall of fame, the page where it acknowledges the work of independent researchers who help find and fix flaws in Malwarebytes products.

Pedro Bustamante, Director of Special Projects at Malwarebytes, says the company hasn’t seen any evidence that the vulnerability reported by the researcher has been exploited in the wild.

“We work closely with external researchers, and are grateful for the opportunity to improve our products,” Bustamante told SecurityWeek.

Klijnsma has been involved in the analysis of CryptoPHP, a campaign in which attackers use a backdoor to hijack websites powered by Joomla, WordPress and Drupal, and abuse them for black hat SEO.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.