
Malwarebytes Premium Security AV Bypass


Solved by David H. Lipman


https://medium.com/@danielshaulov01/malwarebytes-premium-security-av-bypass-cve-2024-44744-97bb6192ed4a

A vulnerability has just been discovered in Malwarebytes that allows bypassing.


An issue in Malwarebytes Premium Security v5.0.0.883 allows attackers to execute arbitrary code via placing crafted binaries into unspecified directories.


A vulnerability exists due to the differences in how Win32 and NT handle file paths, permitting attackers to execute malware exclusively from certain locations. This flaw enables attackers to run malicious code by leveraging path conversion inconsistencies, targeting specific directories that evade typical security checks.


An attacker can exploit this vulnerability to place malware in folders with a specific name pattern, allowing it to evade detection.


https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-44744


[Steps To Reproduce:

Create a folder named “undetected.” (Note: Ensure there is a dot at the end of the name.)

Place the malware inside this folder.

Execute the malware using the NtCreateUserProcess WinAPI function. (Note: Running the malware via Explorer or Command Prompt will not work.)]


This is so bad but you know what's even worse? This has happened before. There was another whitelisting vulnerability where Malwarebytes allowed any file with a specific name and it was found by someone decompiling their drivers.


Lowkey it was kinda covered up. It was a really embarrassing vulnerability/bypass. You can't find this previous vulnerability on Google easily. It's also not in any security advisories for some reason. I know it existed though because there used to be a writeup on it from the person who found it and a PoC from them on GitHub.


https://github.com/advisories?page=1&query=malwarebytes


The old vuln isn't in GitHub's security advisories database. I think I found it.

https://web.archive.org/web/20240110045921/https://0x00sec.org/t/a-curious-case-of-malwarebytes/13746

https://github.com/NtRaiseHardError/Antimalware-Research/tree/master/Malwarebytes/v3.7.1.2839


Looking back at the flow chart, RtlCompareUnicodeString is defined to return zero if the two provided strings are the same. We can follow the green branches that satisfy this return value and see that execution flows all the way to the end of the function. The red box on the right contains the function that scans the file. If we wanted to bypass the file scanning function, all we need to do is to rename the file extension to Manifest, Config, or etl (case-insensitive)!


This journey started out quite strange and became even stranger. I have no idea why the implementation is missing some file system operation callbacks. It may explain why Malwarebytes is not scanning files when they are written to disk. I have even less of an idea as to why it was decided that these file extensions were whitelisted from scanning. Perhaps it was an optimisation of some sort? Maybe it was assumed that they weren’t executable? Let me know what you think.


[Issues:

Does not proactively scan files dropped to disk,

Executables with etl, Config, and Manifest file extensions ran using CreateProcess do not get scanned.

Recommended Fix(?)

Include IRP_MJ_CLEANUP (and optionally IRP_MJ_WRITE) minifilter callback operations,

Do not whitelist etl, Config, and Manifest file extensions from scanning.]
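The two scan-skipping conditions quoted above (the trailing-dot directory name and the extension whitelist), modelled from the scanner's side as an added example that is not code from this thread, the Medium post or the 0x00sec writeup. `win32_form`, `should_scan_vulnerable` and `launch_findings` are hypothetical names, and `win32_form` is a deliberately simplified model of Win32 path normalisation, not a reimplementation of the real routine.

```python
# Added example, not code from the thread, the Medium post or the 0x00sec writeup.
# win32_form, should_scan_vulnerable and launch_findings are hypothetical names;
# the extension list and the trailing-dot behaviour come from the thread.

# Extensions the 0x00sec writeup found were compared case-insensitively
# (RtlCompareUnicodeString) and excluded from scanning.
SKIPPED_EXTENSIONS = {"manifest", "config", "etl"}


def win32_form(path: str) -> str:
    """Model of the Win32 path layer, which strips trailing dots and spaces
    from each component: 'undetected.' and 'undetected' name the same
    directory when opened through Win32, whereas an NT-native call such as
    NtCreateUserProcess receives the name verbatim.  Deliberately simplified;
    this is not a reimplementation of RtlDosPathNameToNtPathName."""
    parts = path.split("\\")
    for i in range(1, len(parts)):  # leave the drive component alone
        if parts[i] not in (".", ".."):
            parts[i] = parts[i].rstrip(". ")
    return "\\".join(parts)


def extension_of(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def should_scan_vulnerable(path: str) -> bool:
    """The flawed rule from the writeup: trust the extension in the raw path."""
    return extension_of(path) not in SKIPPED_EXTENSIONS


def launch_findings(path: str, head: bytes) -> list:
    """Detection-side triage of a process image: its path as the launching API
    saw it plus the first bytes on disk.  Returns the reasons the file must
    not be skipped (empty list when neither condition applies)."""
    findings = []
    canonical = win32_form(path)
    if canonical != path:
        findings.append("NT and Win32 forms differ: %r vs %r" % (path, canonical))
    is_pe = head.startswith(b"MZ")
    ext = extension_of(canonical)
    if is_pe and ext in SKIPPED_EXTENSIONS:
        findings.append("PE image under skipped extension '.%s'" % ext)
    return findings
```

A scanner that decides from file content and from the canonical path never reaches the extension comparison the writeup traced, which is the substance of the quoted "Recommended Fix".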
