MBAE doesn't block exploits based on Java add-on

[ideriev]

I used Metasploit to test MBAE Free and got mixed results:

- CVE-2014-0515 (Windows 7 SP1, IE 11, Flash Player 12) was successfully blocked

- but CVE-2013-2465 (Windows 7 SP1, IE 11, JRE 1.7u5) wasn't. And the same with some other similar Java-exploits.

What is the reason? Would support team like to comment?

 

mbae-logs.zip

[pbust]

Welcome to the forum and thanks for posting.

What msf payloads are you using?

[pbust]

CVE-2013-2465 blocked here under similar circumstances (Win7, IE, JRE 1.7u4). Can you please share some details on your test setup?

 

 

 

[pbust]

Tried other payloads (down_exec and meterpreter) with same results.

 

 

 

[ideriev]

Hi pbust.

Thanks for you answer and sorry for my delay.

I also have tried (through web interface Metasploit) 4 different combination of Target setting (Generic-Java payload/Windows Universal) and Payload type (Meterpreter/Command Shell). Actually MBAE didn't block only one of them - Generic+Meterpreter and was successful in three others.

[pbust]

Thanks for the info, we'll investigate further and get back to you.

 

Thanks again for testing!

[Francois_Blais]

Any news on this issue?

[pbust]

We're closing 1.04 and looking into this in parallel. As soon as we have an update I'll post here.

[ideriev]

How is it possible that after our investigation MBAE 1.04 passed CVE-2013-2465 with all payloads in August test from www.pitci.net?

[pbust]

The problem is not with the CVE but with the payload used. In fact they used the same payload configuration as you in the 4 fails that are shown for MBAE. So basically they found the same bypass as you but applied it to a different CVE.

[pbust]

Can you please try MBAE 1.05?

https://forums.malwarebytes.org/index.php?/topic/160317-mbae-experimental-10531010/

 

When you try this again please make sure that the Metasploit machine is physically different than the attacked machine. It is a known issue that when the payload is delivered from the same machine it does not behave the same way as if it is remote.

[ideriev]

MBAE 1.05 still does not detect combination of Generic settings and Meterpreter payload.

(Metasploit server and exploitable machine were different VMs)

[pbust]

Yes it seems that some scenarios cause the bypass. We're reviewing the findings.

 

Thanks for testing this again!