Malwarebytes Antivirus Memory Corruption Vulnerability

vendor:

Malwarebytes Anti-Malware

by:

Francis Provencher of COSIG

7,5

CVSS

HIGH

Memory Corruption

119

CWE

Product Name: Malwarebytes Anti-Malware

Affected Version From: 2.2.0

Affected Version To: 2.2.0

Patch Exists: Yes

Related CWE: No CVE have been assigned

CPE: a:malwarebytes:malwarebytes_anti-malware

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows

2015

Malwarebytes Antivirus Memory Corruption Vulnerability

When a malformed executable with an invalid integer (-1) in the “SizeOfRawData” in UPX section is parsed by Malwarebytes, a memory corruption occured. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

Mitigation:

Malwarebytes released a patch for this issue

Source

Exploit-DB raw data:

#####################################################################################

Application:   Malwarebytes Antivirus
Platforms:   Windows
Versions:   2.2.0.
CVE:   No CVE have been assigned
Author:   Francis Provencher of COSIG
Twitter:   @COSIG_
#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Malwarebytes Anti-Malware (MBAM) is an application for computers running under the Microsoft Windows and Apple OS Xoperating system that finds and removes malware.[3] Made by Malwarebytes Corporation, it was first released in January 2008. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash memory scanner.

(http://www.oracle.com/us/technologies/embedded/025613.htm)

#####################################################################################

============================
2) Report Timeline
============================

2015-11-28: Francis Provencher of COSIG found the issue;
2015-11-30: Francis Provencher of COSIG report vulnerability to Malwarebytes;
2015-12-02: Malwarebytes release a patch for this issue;

#####################################################################################

============================
3) Technical details
============================

When a malformed executable with an invalid integer (-1) in the “SizeOfRawData” in UPX section is parsed by Malwarebytes, a memory corruption occured. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

#####################################################################################

===========

4) POC
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38858.exe