CVE-2019-6739
Published 2019-06-03
Priority: P2 · 61 · high
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Flags: EXPLOIT
EPSS: 9.90% (95.0th percentile)
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Malwarebytes Antimalware 3.6.1.2711. User interaction is required to exploit this vulnerability in that the target must visit a malicious web page. There is an issue with the way the product handles URIs within certain schemes. The product does not warn the user that a dangerous navigation is about to take place. Because special characters in the URI are not sanitized, this could lead to the execution of arbitrary commands. An attacker can leverage this vulnerability to execute code in the context of the current user at medium integrity. Was ZDI-CAN-7162.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| malwarebytes | antimalware | — | — |
Detection & IOCs (extracted from sources)
- Monitor for Origin.exe process spawns that include argument injection patterns such as -platformpluginpath pointing to a UNC/remote share path (\\...), which indicates remote DLL loading via the Qt plugin mechanism.
- Alert on Origin.exe child processes or DLL loads from remote UNC paths (\\server\share\imageformats\*.dll), indicating exploitation of the -platformpluginpath Qt argument for remote plugin loading.
- Inspect DLLs loaded from the imageformats plugin directory for a valid .qtmetad section combined with msfvenom shellcode, as the exploit uses a backdoored Qt imageformats plugin as the payload delivery mechanism.
- The .url file attack vector works on fully updated Windows 10 and bypasses Edge's SmartScreen scan, making it viable even on patched systems when social engineering is used.
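The first two indicators above (a -platformpluginpath argument pointing at a UNC path, and a DLL loaded from a remote imageformats directory) as a check over constructed Sysmon-style events. This is an added example, not code from the page's sources; the Origin install path, the Sysmon field names and the 203.0.113.10 host are assumptions.

```python
import re

# Constructed Sysmon-style events (assumption: EventID 1 = process creation,
# EventID 7 = image/DLL load; field names follow Sysmon's). Not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Origin\Origin.exe",
     "CommandLine": r'"C:\Program Files (x86)\Origin\Origin.exe" origin://game/launch'},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\Origin\Origin.exe",
     "CommandLine": r'"C:\Program Files (x86)\Origin\Origin.exe" -platformpluginpath \\203.0.113.10\share'},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Origin\Origin.exe",
     "ImageLoaded": r"C:\Program Files (x86)\Origin\imageformats\qjpeg.dll"},
    {"EventID": 7, "Image": r"C:\Program Files (x86)\Origin\Origin.exe",
     "ImageLoaded": r"\\203.0.113.10\share\imageformats\qjpeg.dll"},
]

# -platformpluginpath followed by a UNC path (\\host\...), optionally quoted.
UNC_PLUGIN_PATH = re.compile(r'-platformpluginpath\s+"?\\\\[^\s"]+', re.IGNORECASE)
# \\server\share\imageformats\<name>.dll, i.e. a Qt plugin loaded from a remote share.
REMOTE_IMAGEFORMATS_DLL = re.compile(
    r"^\\\\[^\\]+\\[^\\]+\\imageformats\\[^\\]+\.dll$", re.IGNORECASE)


def is_origin(image):
    return image.lower().endswith("\\origin.exe")


def classify(event):
    """Return a finding label for one event, or None when nothing matches."""
    if not is_origin(event.get("Image", "")):
        return None
    if event["EventID"] == 1 and UNC_PLUGIN_PATH.search(event.get("CommandLine", "")):
        return "origin_unc_platformpluginpath"
    if event["EventID"] == 7 and REMOTE_IMAGEFORMATS_DLL.match(event.get("ImageLoaded", "")):
        return "origin_remote_imageformats_dll"
    return None


def scan(events):
    """Return (index, label) for every event that triggers one of the checks."""
    findings = []
    for i, event in enumerate(events):
        label = classify(event)
        if label:
            findings.append((i, label))
    return findings


if __name__ == "__main__":
    for idx, label in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {label}")
```

Local plugin loads and ordinary origin:// launches produce no finding; only the UNC plugin path and the remote imageformats DLL are flagged.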
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v3.0 | 8.8 | HIGH | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.8 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:P/A:P |
No detection rules found.
No writeups or analysis indexed.