CVE-2014-4936
Published 2014-12-16
Priority P2 · 64 · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: EPSS 16.78% (96.6th percentile)
The upgrade functionality in Malwarebytes Anti-Malware (MBAM) consumer before 2.0.3 and Malwarebytes Anti-Exploit (MBAE) consumer 1.04.1.1012 and earlier allow man-in-the-middle attackers to execute arbitrary code by spoofing the update server and uploading an executable.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| malwarebytes | malwarebytes_anti-exploit | <= 1.04.1.1012 | — |
| malwarebytes | malwarebytes_anti-malware | <= 2.02 | — |
Detection & IOCs (extracted from sources)
- Detect spoofed update responses by monitoring HTTP responses to requests destined for data-cdn.mbamupdates.com that carry Content-Type: application/x-msdos-program or application/octet-stream; this indicates a malicious executable being delivered in place of a legitimate update.
- Alert on MBAM/MBAE update traffic (User-Agent containing 'base:<version>') being served over plain HTTP (port 80) rather than HTTPS, which is a prerequisite for this MITM attack.
- Flag DNS resolutions or HTTP connections for data-cdn.mbamupdates.com that resolve to unexpected, non-Malwarebytes IP addresses, since the attack requires spoofing this update server.
- The Metasploit module explicitly disables SSL/TLS options, confirming that the vulnerable update channel operates over plain HTTP only; detection should focus on unencrypted port 80 traffic to the update domain.
- The exploit module notes that MBAM versions at or below 2.0.2.1012 and MBAE versions at or below 1.03.1.1220 are vulnerable; versions beyond these thresholds are reported as not vulnerable by the module itself.
- The URIPATH is hardcoded to '/' and cannot be changed by the attacker using this module, meaning the malicious update server responds on the root URI path.
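The three detection heuristics above can be expressed as a small log-analysis routine. The following is an added example written for this page, not code from any of the sources it indexes: it parses constructed key=value proxy records, applies the three checks (cleartext update check with a 'base:<version>' User-Agent, executable Content-Type served from the update host, and the update host resolving outside an expected address range), and returns one alert per record that trips at least one rule. The log format, the sample records and the `EXPECTED_NETS` allowlist (a TEST-NET-3 placeholder) are assumptions for the example; a real deployment would adapt the parser to its proxy's format and baseline the allowlist from its own resolver history.

```python
"""Heuristic detection of spoofed MBAM/MBAE update delivery (CVE-2014-4936).

Added example for this page; the log format and addresses are constructed.
"""
import re
from ipaddress import ip_address, ip_network
from typing import Dict, List

UPDATE_HOST = "data-cdn.mbamupdates.com"
BINARY_TYPES = {"application/x-msdos-program", "application/octet-stream"}
# Hypothetical allowlist for the CDN's expected address space (TEST-NET-3 placeholder);
# a real deployment would baseline this from its own resolver history.
EXPECTED_NETS = [ip_network("203.0.113.0/24")]

# Constructed proxy records (key=value fields, one record per line); not real traffic.
SAMPLE_LOG = """\
ts=2014-12-16T10:00:01Z src=10.0.0.5 dst=203.0.113.10 scheme=http host=data-cdn.mbamupdates.com path=/v1/manifest ua="Malwarebytes Anti-Malware base:2.0.2.1012" ctype=text/plain status=200
ts=2014-12-16T10:00:02Z src=10.0.0.5 dst=198.51.100.7 scheme=http host=data-cdn.mbamupdates.com path=/ ua="Malwarebytes Anti-Malware base:2.0.2.1012" ctype=application/x-msdos-program status=200
ts=2014-12-16T10:00:03Z src=10.0.0.9 dst=192.0.2.30 scheme=http host=downloads.example.com path=/tool.exe ua="Mozilla/5.0" ctype=application/octet-stream status=200
ts=2014-12-16T10:00:04Z src=10.0.0.5 dst=203.0.113.11 scheme=https host=data-cdn.mbamupdates.com path=/update ua="Malwarebytes Anti-Exploit base:1.03.1.1220" ctype=application/octet-stream status=200
"""

# key=value, where the value is either double-quoted (may contain spaces) or bare.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_record(line: str) -> Dict[str, str]:
    """Split one key=value proxy record into a dict."""
    return {key: (quoted or bare) for key, quoted, bare in _FIELD.findall(line)}


def evaluate(rec: Dict[str, str]) -> List[str]:
    """Apply the three heuristics from the detection notes to one parsed record."""
    hits: List[str] = []
    if rec.get("host", "").lower() != UPDATE_HOST:
        return hits  # only traffic to the update host is in scope

    # Rule 1: the update check itself travelling in cleartext (MITM prerequisite).
    if rec.get("scheme") == "http" and "base:" in rec.get("ua", ""):
        hits.append("plain_http_update")

    # Rule 2: an executable MIME type where a manifest/update payload is expected.
    mime = rec.get("ctype", "").split(";")[0].strip().lower()
    if mime in BINARY_TYPES:
        hits.append("binary_served")

    # Rule 3: the update host resolving outside the expected address range.
    dst = rec.get("dst")
    if dst:
        try:
            addr = ip_address(dst)
        except ValueError:
            hits.append("unexpected_dst")  # unparsable destination is itself suspicious
        else:
            if not any(addr in net for net in EXPECTED_NETS):
                hits.append("unexpected_dst")
    return hits


def analyze(log_text: str) -> List[Dict[str, object]]:
    """Return one alert per record that triggers at least one heuristic."""
    alerts: List[Dict[str, object]] = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        rec = parse_record(line)
        hits = evaluate(rec)
        if hits:
            alerts.append({"line": line_no, "dst": rec.get("dst"), "rules": hits})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(f"line {alert['line']}: dst={alert['dst']} rules={','.join(alert['rules'])}")
```

On the constructed records, line 1 fires only the cleartext rule (a plain-HTTP manifest fetch to an expected address), line 2 fires all three (an executable served over HTTP from an address outside the allowlist, the pattern the spoofed-server attack produces), line 3 is ignored because it is not the update host, and line 4 fires only the content-type rule. Keeping the rules separate lets an analyst weight them: the cleartext rule alone describes every unpatched client's normal behaviour, while the combination on line 2 is the one worth paging on.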
No detection rules found.
Exploit-DB
Malwarebytes Anti-Malware < 2.0.3 / Anti-Exploit < 1.03.1.1220 - Update Code Execution (Metasploit) (exploitdb · 2014-12-16 · CVE-2014-4936)
```ruby
'Name' => 'Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution',
'Description' => %q{
  This module exploits a vulnerability in the update functionality of
  Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes
  Anti-Exploit consumer 1.03.1.1220.
  Due to the lack of proper update package validation, a man-in-the-middle
  (MITM) attacker could execute arbitrary code by spoofing the update server
  data-cdn.mbamupdates.com and uploading an executable. This module has
  been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.
},
'License' => MSF_LICENSE,
'Author' =>
  [
    'Yonathan Klijnsma', # Vulnerability discovery and PoC
    'Gabor Seljan',      # Metasploit module
    'todb'               # Module refactoring
  ],
'References' =>
  [
    [ 'CVE', '2014-4936' ],
    [ 'OSVDB', '11605
```
Metasploit
Malwarebytes Anti-Malware and Anti-Exploit Update Remote Code Execution (metasploit)
This module exploits a vulnerability in the update functionality of Malwarebytes Anti-Malware consumer before 2.0.3 and Malwarebytes Anti-Exploit consumer 1.03.1.1220. Due to the lack of proper update package validation, a man-in-the-middle (MITM) attacker could execute arbitrary code by spoofing the update server data-cdn.mbamupdates.com and uploading an executable. This module has been tested successfully with MBAM 2.0.2.1012 and MBAE 1.03.1.1220.
No writeups or analysis indexed.
- http://blog.0x3a.com/post/104954032239/cve-2014-4936-malwarebytes-anti-malware-and
- http://packetstormsecurity.com/files/130244/Malwarebytes-Anti-Malware-Anti-Exploit-Update-Remote-Code-Execution.html