Malwarebytes Anti-Exploit Upgrade Mechanism Vulnerable to MitM Attacks

The upgrade mechanism in older versions of Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit is plagued by a vulnerability that can be exploited to load malicious code on affected systems.

The bug (CVE-2014-4936) was identified by Yonathan Klijnsma, a researcher with Netherlands-based security firm Fox-IT. The vulnerability affects the consumer versions of Malwarebytes Anti-Malware 2.0.2 and earlier, and Malwarebytes Anti-Exploit 1.03 and earlier. Business versions are not impacted.

According to Klijnsma, affected versions of Malwarebytes Anti-Exploit and Malwarebytes Anti-Malware are upgraded over a HTTP connection and they don’t use a proper package validation system to ensure that updates are legitimate. Because the application doesn’t verify the installer, an attacker can serve any Windows PE file and it will get executed with full administrative privileges on the victim’s system.

Both solutions are affected by the flaw because they rely on the same process. The only difference is in the requests for checking the version and getting the update.

The security software is designed to get updates from the Malwarebytes CDN (data-cdn.mbamupdates.com). In order to inject his payload, the attacker needs to intercept the DNS requests for the CDN. This can be accomplished by using various methods, including changing DNS adapter settings, changing the Windows host file to override DNS, and by performing a DHCP spoofing attack.

In his experiments, in which the attacker’s machine was running Kali Linux and the victim’s machine was running Windows XP, Klijnsma used a DHCP spoofing attack to reroute requests from the Malwarebytes product to the “malicious” server.

By launching a man-in-the-middle (MitM) attack, the expert was able to get the security software to download and execute an arbitrary file, and take over the targeted device.

The expert reported the Malwarebytes Anti-Malware vulnerability in mid-July and it was addressed on October 3 with the release of version 2.0.3. In the case of Malwarebytes Anti-Exploit, the flaw was reported on August 21, and it was patched in early September with the release of version 1.04.1.1012.

The security firm has added Klijnsma’s name to its hall of fame, the page where it acknowledges the work of independent researchers who help find and fix flaws in Malwarebytes products.

Pedro Bustamante, Director of Special Projects at Malwarebytes, says the company hasn’t seen any evidence that the vulnerability reported by the researcher has been exploited in the wild.

“We work closely with external researchers, and are grateful for the opportunity to improve our products,” Bustamante told SecurityWeek.

Klijnsma has been involved in the analysis of CryptoPHP, a campaign in which attackers use a backdoor to hijack websites powered by Joomla, WordPress and Drupal, and abuse them for black hat SEO.