
Natsumi

Profile Information

  • Location
    United Kingdom
  • Interests
    Anti-Malware, C#, Web-Applications, Pentesting

  1. Sorry for reviving the thread, just checked and it seems that this issue also affects the installer of your MBAM VPN; just thought I'd mention it in case your product team only review the main AV installer. At least this vulnerability only affects the installer and not your installed product service, unlike some of your VPN competitors.
  2. For an example I'm just posting a screenshot of a backdoor remote shell using TCP that communicates via NetCat on localhost. Context:
     1. I added the remote backdoor and copied it to "C:\Program.exe"
     2. I ran the MBAM installer
     3. Windows misinterpreted the service location and ran my backdoor (also denied the Malwarebytes installation)
     4. The backdoor communicated to LOCALHOST and gave me (myself in this case) SYSTEM privs
  3. Hi all, new here so sorry if it's wrong to post bugs in this section (my bad) :)

     I noticed that during an installation of the MBAM premium trial, the installation process creates a service that will be run as NT/SYSTEM but doesn't quote its process path. This is an Unquoted Service Path vulnerability that can elevate a user with write access to the C:\ drive to NT/SYSTEM. Reference for this vector: https://www.commonexploits.com/unquoted-service-paths/. I've attached a video of me demonstrating the vulnerability.

     To exploit this vulnerability, an attacker would have to:
     1. Copy a file (malware / backdoor shell) to C:\Program.exe
     2. Run the MBAM installer
     3. The file will be run with SYSTEM privileges (bad) and the installer will fail (also potentially a DoS vulnerability in the MBAM installer that malware can leverage to prevent MBAM from being installed)

     How does this work? Well, Windows services are simply processes executed with SYSTEM privileges, but there is a flaw in how Windows interprets the binpath (process path to execute): if the path isn't quoted, Windows will interpret a SPACE to mean the end. For example, if c:\program files\mbam.exe is not quoted, Windows will first try to execute "c:\program.exe" since it does not recognise a space.

     How can this be fixed? Simple! You just quote your service path: string a = @"""c:\program files\mbam.exe"""; instead of string a = @"c:\program files\mbam.exe";

     Regards,
     Natsumi

     Attachment: 2020-08-03 15-03-54 MBAM.mp4
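A defender-side check for the issue described in the third post, added here as an example; it is not Natsumi's code nor Malwarebytes' code. It models the lookup order the post describes (each space-delimited prefix tried with .exe appended), flags service ImagePaths of the vulnerable shape, and produces the quoted form the post recommends. The executable-boundary heuristic (first prefix ending in .exe) and the sample service inventory are assumptions.

```python
import ntpath

def executable_part(image_path):
    # Assumption (heuristic): the executable ends at the first space-delimited prefix ending in .exe.
    path = image_path.strip()
    tokens = path.split(" ")
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            return prefix
    return path

def lookup_sequence(image_path):
    # Order Windows resolves an unquoted ImagePath: each space-delimited prefix, .exe added if no extension.
    path = image_path.strip()
    if path.startswith('"'):
        return [path.split('"')[1]]
    tokens = executable_part(path).split(" ")
    seq = []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        seq.append(prefix if ntpath.splitext(prefix)[1] else prefix + ".exe")
    return seq

def quoted_fix(image_path):
    # Corrected ImagePath: executable wrapped in quotes, arguments left unchanged.
    path = image_path.strip()
    if path.startswith('"'):
        return path
    exe = executable_part(path)
    return f'"{exe}"{path[len(exe):]}'

def audit(services):
    # services: (name, ImagePath) pairs as `sc qc` / Win32_Service.PathName report them.
    findings = []
    for name, image_path in services:
        path = image_path.strip()
        if path.startswith('"') or " " not in executable_part(path):
            continue  # quoted, or no space before the executable ends: not the vulnerable shape
        seq = lookup_sequence(path)
        findings.append({"service": name, "paths_tried_first": seq[:-1], "fix": quoted_fix(path)})
    return findings

# Constructed inventory (not real services): first path is the post's example, others made up.
SAMPLE_SERVICES = [
    ("SampleUnquotedSvc", r"c:\program files\mbam.exe"),
    ("SampleNestedSvc", r"C:\Program Files\Example Vendor\Sub Dir\svc.exe -run"),
    ("SampleQuotedSvc", r'"C:\Program Files\Example Vendor\agent.exe" --service'),
    ("SampleNoSpaceSvc", r"C:\Windows\system32\svchost.exe -k netsvcs"),
]
```

Running `audit(SAMPLE_SERVICES)` reports the two unquoted entries with the paths that resolve before the real binary; the quoted and space-free entries are not flagged.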