Minor UAC Elevation vulnerability during installation


Natsumi
Hi all, new here, so sorry if it's wrong to post bugs in this section (my bad) :)

I noticed that during an installation of the MBAM premium trial, the installation process creates a service that will be run as NT/SYSTEM but doesn't quote its process path. This is an unquoted service path vulnerability that can elevate a user with write access to the C:\ drive to NT/SYSTEM. Reference for this vector: https://www.commonexploits.com/unquoted-service-paths/.

I've attached a video of me demonstrating the vulnerability.

To exploit this vulnerability, an attacker would have to:

1. Copy a file (Malware / backdoor shell) to C:\Program.exe

2. Run the MBAM installer

3. The file will be run with SYSTEM privileges (bad) and the installer will fail (also potentially a DoS vulnerability in the MBAM installer that malware can leverage to prevent MBAM from being installed)

How does this work?
Well, Windows services are simply processes executed with SYSTEM privileges, but there is a flaw in how Windows interprets the binpath (the process path to execute): if the path isn't quoted, Windows interprets a SPACE as the end of the path. For example, if c:\program files\mbam.exe is not quoted, Windows will first try to execute "c:\program.exe", since it does not recognise the space.

How can this be fixed?
Simple! You just quote your service path:
string a = @"""c:\program files\mbam.exe""";  instead of  string a = @"c:\program files\mbam.exe";

Regards,
Natsumi 

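The mechanism described in the post (a space in an unquoted service path becomes a path boundary, so the service control manager hands CreateProcess a command line that resolves to C:\Program.exe first) can be checked for from the defender's side. The following Python is an added example, not code from the thread or from Malwarebytes: it computes the ordered list of files CreateProcess would try for a given ImagePath string, flags services where anything is tried before the intended binary, and produces the quoted ImagePath that fixes it. Service names and paths in SAMPLE_SERVICES are constructed for illustration; the rule "the first prefix ending in .exe is the intended binary, the rest are arguments" is a heuristic of this example, and the optional registry reader uses the real HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath location on Windows.

```python
"""Audit Windows service ImagePath values for the unquoted-path weakness.

Added example, not code from the forum thread or from Malwarebytes.
The service names and paths in SAMPLE_SERVICES are constructed.
"""
import os
import sys
from typing import Dict, List

EXE_SUFFIX = ".exe"

# Constructed sample data standing in for what a registry audit would read back.
SAMPLE_SERVICES: Dict[str, str] = {
    "ExampleSvc": r"C:\Program Files\Example Vendor\svc.exe -service",         # unquoted, spaces
    "ExampleSvcFixed": r'"C:\Program Files\Example Vendor\svc.exe" -service',  # quoted: safe
    "NoSpaces": r"C:\Windows\system32\svchost.exe -k netsvcs",                 # no space in path
}


def _has_extension(path: str) -> bool:
    """True if the last path component carries an extension. CreateProcess appends
    .exe to an unquoted candidate only when the candidate has no extension."""
    return "." in path.rsplit("\\", 1)[-1]


def candidate_executables(image_path: str) -> List[str]:
    """Return, in order, the files CreateProcess would try for this command line.

    Quoted path: exactly one candidate. Unquoted path: every prefix ending at a
    space is tried (with .exe appended when it lacks an extension) until the
    intended binary is reached. Heuristic used here: the first prefix ending in
    .exe is the intended binary and whatever follows it is arguments.
    """
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return [s[1:end] if end != -1 else s[1:]]
    candidates: List[str] = []
    boundaries = [i for i, ch in enumerate(s) if ch == " "] + [len(s)]
    for b in boundaries:
        prefix = s[:b]
        if not prefix:
            continue
        candidates.append(prefix if _has_extension(prefix) else prefix + EXE_SUFFIX)
        if prefix.lower().endswith(EXE_SUFFIX):
            break
    return candidates


def quote_image_path(image_path: str) -> str:
    """Return the remediated ImagePath: intended binary in double quotes, arguments
    untouched. Returned unchanged if already quoted, empty, or if the binary cannot
    be identified by the .exe heuristic."""
    s = image_path.strip()
    if not s or s.startswith('"'):
        return s
    binary = candidate_executables(s)[-1]
    if not s.lower().startswith(binary.lower()):
        return s
    return f'"{binary}"{s[len(binary):]}'


def audit_image_paths(services: Dict[str, str]) -> List[Dict[str, object]]:
    """One finding per service whose ImagePath lets CreateProcess try other files
    before the intended binary. Those earlier paths must not be creatable by
    standard users; the finding also reports whether any already exists."""
    findings: List[Dict[str, object]] = []
    for name, image_path in services.items():
        cands = candidate_executables(image_path)
        if len(cands) > 1:
            findings.append({
                "service": name,
                "image_path": image_path,
                "hijack_candidates": cands[:-1],
                "existing_on_disk": [c for c in cands[:-1] if os.path.exists(c)],
                "fixed_image_path": quote_image_path(image_path),
            })
    return findings


def load_service_image_paths() -> Dict[str, str]:
    """Windows only: read ImagePath for every installed service from HKLM (read-only).
    REG_EXPAND_SZ values such as %SystemRoot% are expanded before analysis."""
    import winreg  # available only on Windows builds of Python
    services: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, name) as svc:
                    value, _ = winreg.QueryValueEx(svc, "ImagePath")
                    services[name] = os.path.expandvars(str(value))
            except OSError:
                continue  # service without an ImagePath value
    return services


if __name__ == "__main__":
    data = load_service_image_paths() if sys.platform == "win32" else SAMPLE_SERVICES
    for finding in audit_image_paths(data):
        print(f"{finding['service']}: {finding['image_path']}")
        print(f"  tried first: {finding['hijack_candidates']}")
        print(f"  already present: {finding['existing_on_disk'] or 'none'}")
        print(f"  fix: {finding['fixed_image_path']}")
```

Run on Windows it audits the live registry; elsewhere it runs against the constructed sample and reports only ExampleSvc, with C:\Program.exe and C:\Program Files\Example.exe as the paths tried before the intended binary. A finding is only exploitable if one of those locations is writable by a standard user (the root of C:\ is the usual case), which is why the fix is to quote the path at install time rather than to rely on directory permissions.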

As an example, I'm posting a screenshot of a backdoor remote shell using TCP that communicates via NetCat on localhost:

[Attachment: 2020-08-03 15_45_40 - Window MBAM (2).png]

Context:
1. I added the remote backdoor and copied it to "C:\Program.exe"
2. I ran the MBAM installer
3. Windows misinterpreted the service location and ran my backdoor (also denying the Malwarebytes installation)
4. The backdoor communicated to LOCALHOST and gave me (myself in this case) SYSTEM privs


39 minutes ago, exile360 said:

Greetings,

Thanks for bringing this to our attention.  I will be sure to pass this info on to the Product team.

If there is anything else, please let us know.

Thanks

No problem Exile, happy to help :)

Regards,
Natsumi


19 hours ago, AdvancedSetup said:

Thank you for reporting this information. We have logged this as an issue to resolve in a future build.

Sorry for reviving the thread. I just checked, and it seems that this issue also affects the installer of your MBAM VPN; I just thought I'd mention it in case your product team only reviews the main AV installer :) At least this vulnerability only affects the installer and not your installed product service, unlike some of your VPN competitors ;)

[Attachment: 2020-08-04 21_05_52 - MBAM.png]


  • Staff

Thank you again for the report. As noted above, we are working on a fix and intend to release an updated installer version for both the Malwarebytes and Malwarebytes Privacy products.

Also note for an existing installation of Malwarebytes, C:\Program.exe is detected if a scan is run or upon execution if Malware Protection is enabled. This of course doesn't solve the issue but does mitigate it in some manner in the event the installer is run on a machine already running Malwarebytes.

Edited by LiquidTension
