Bread_Overdose Posted yesterday at 03:16 PM ID:1664429 Share Posted yesterday at 03:16 PM https://medium.com/@danielshaulov01/malwarebytes-premium-security-av-bypass-cve-2024-44744-97bb6192ed4a A vulnerability has just been discovered in Malwarebytes that allows bypassing. An issue in Malwarebytes Premium Security v5.0.0.883 allows attackers to execute arbitrary code via placing crafted binaries into unspecified directories. A vulnerability exists due to the differences in how Win32 and NT handle file paths, permitting attackers to execute malware exclusively from certain locations. This flaw enables attackers to run malicious code by leveraging path conversion inconsistencies, targeting specific directories that evade typical security checks. An attacker can exploit this vulnerability to place malware in folders with a specific name pattern, allowing it to evade detection. https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44744 [Steps To Reproduce: Create a folder named “undetected.” (Note: Ensure there is a dot at the end of the name.) Place the malware inside this folder. Execute the malware using the NtCreateUserProcess WinAPI function. (Note: Running the malware via Explorer or Command Prompt will not work.)] This is so bad but you know what's even worse? This has happened before. There was another whitelisting vulnerability where Malwarebytes allowed any file with a specific name and it was found by someone decompiling their drivers. Lowkey it was kinda covered up. It was a really embarrassing vulnerability/bypass. You can't find this previous vulnerablility on Google easily. It's also not in any security advisories for some reason. I know it existed though because there used to be a writeup on it from the person who found it and a PoC from them on GitHub. https://github.com/advisories?page=1&query=malwarebytes The old vuln isn't in GitHub's security advisories database. I think I found it. https://web.archive.org/web/20240110045921/https://0x00sec.org/t/a-curious-case-of-malwarebytes/13746 https://github.com/NtRaiseHardError/Antimalware-Research/tree/master/Malwarebytes/v3.7.1.2839 Looking back at the flow chart, RtlCompareUnicodeString is defined to return zero if the two provided strings are the same. We can follow the green branches that satisfy this return value and see that execution flows all the way to the end of the function. The red box on the right contains the function that scans the file. If we wanted to bypass the file scanning function, all we need to do is to rename the file extension to Manifest, Config, or etl (case-insensitive)! This journey started out quite strange and became even stranger. I have no idea why the implementation is missing some file system operation callbacks. It may explain why Malwarebytes is not scanning files when they are written to disk. I have even less of an idea as to why it was decided that these file extensions were whitelisted from scanning. Perhaps it was an optimisation of some sort? Maybe it was assumed that they weren’t executable? Let me know what you think. [Issues: Does not proactively scan files dropped to disk, Executables with etl, Config, and Manifest file extensions ran using CreateProcess do not get scanned. Recommended Fix(?) Include IRP_MJ_CLEANUP (and optionally IRP_MJ_WRITE) minifilter callback operations, Do not whitelist etl, Config, and Manifest file extensions from scanning.] Link to post Share on other sites More sharing options...
Solution David H. Lipman Posted 23 hours ago Solution ID:1664451 Share Posted 23 hours ago CVE-2024–44744 Quote Description An issue in Malwarebytes Premium Security v5.0.0.883 allows attackers to execute arbitrary code via placing crafted binaries into unspecified directories. 2 Link to post Share on other sites More sharing options...
Recommended Posts