[SOLVED] RET-ROP false positive with browsers


puff_m_d

Hello,

I just updated to Windows 10 Pro 64 bit Version 1511 (OS Build 10586.3) and cannot launch any browser.

When launching Chrome, I get the following message:

[Attached screenshot]

When launching Edge, I get the following message:

[Attached screenshot]

When launching IE11, I do not get any message from MBAE, but IE11 will not launch.

The only thing that was changed on my system was the OS upgrade. All was working fine with the previous Windows version.

I did try uninstalling MBAE and deleting the program data folder, followed by a reboot and a fresh install of MBAE but the issues remain.

Attached you will find my MBAE logs.

Thanks in advance for your help in investigating these issues...

If you need any other information, please ask and I will supply it.

Malwarebytes Anti-Exploit.7z


Hello,

I started using MBAE free version recently. I had no conflicts or errors with it at start, but I found one.

Whenever my Firefox is running and I try to stop the MBAE protection, Firefox crashes & MBAE gives an exploit blocked notification (see the attached image) even if I was on a blank page. This happens every time with Firefox only. No problems with Chrome or IE 11.

I tried using MBAE with a fresh Firefox profile, no error or exploit. I can't reset my profile & start from scratch so I uninstalled MBAE free version for now.

I have attached the MB logs. See if you can determine what is the exact conflict so I can fix it and use it with my current FF profile. And also, if you guys need any more info or logs, I can provide them.

Regards.

[Attached image]

MBAE.rar


Hello Pedro,

Thanks for the prompt reply...

I will get the FRST logs to you sometime over the weekend (probably by attaching to a PM with reference to this thread). I just finished getting my systems updated to the new Windows 10 build but still have to optimize the systems and create new system image backups before I do anything else. As soon as I finish those tasks, I will get those logs created and sent to you.


Hello Pedro,

Update:

The issues I reported persisted for 3 days; however, upon booting my system this morning, all is now working as previously. I can launch all three mentioned browsers successfully without any issues. The only things that have been done on the affected systems were running disk cleanup to remove the ~ 14 GB of files related to installing the 1511 update, doing a defrag, and then making an image (backup) of the new system. The issues have just disappeared and all is once again working well.

I have no clue as to what has changed and why the issues no longer exist. I see no reason to create and send you the logs from FRST, but if you would still like them even though the issue is fixed, I can still create and send them. I have updated software and done a few reboots this morning and the issues have not returned, so you may close this thread as solved. Thanks again for your help.


Hello Pedro,

There are some FPs we're seeing with the RET-ROP gadget detection techniques. If you run across these problems again, disable these techniques and let me know if the problems continue.

The issue appeared out of the blue again today. When it happened, I decided to reboot my system to see if that had any effect. After the reboot, the issue was gone and all was working as it should. I do not know if this helps you but thought I would mention it just in case.


  • Staff

The issue appeared out of the blue again today. When it happened, I decided to reboot my system to see if that had any effect. After the reboot, the issue was gone and all was working as it should. I do not know if this helps you but thought I would mention it just in case.

Did you disable the RET-ROP techniques like I mentioned above?


Hello Pedro,

No, I did not. The issue just reappeared after a week of working fine. The reboot fixed the issue for whatever reason without disabling the RET-ROP techniques that you mentioned. Since the Windows 1511 update, I have had this issue twice and both times it seems a reboot fixes it without disabling those techniques.

