The upgrade mechanism in older versions of Malwarebytes Anti-Malware and Malwarebytes Anti-Exploit suffers from a man-in-the-middle vulnerability.
Yonathan Klijnsma, a researcher with Netherlands-based security firm Fox-IT, discovered the bug (CVE-2014-4936). The vulnerability affects the consumer versions of Malwarebytes Anti-Malware 2.0.2 and earlier, and Malwarebytes Anti-Exploit 1.03 and earlier. Business versions do not suffer from the issue.
Affected versions of Malwarebytes Anti-Exploit and Malwarebytes Anti-Malware fetch upgrades over a plain HTTP connection and do not validate the downloaded package before running it. Because the installer is never verified, an attacker who can intercept the connection can serve any Windows PE file, and the client will execute it with full administrative privileges on the victim's system.
Both products share the same update process, and therefore the same flaw; they differ only in the requests used to check the current version and to fetch the update.
The security software gets updates from the Malwarebytes CDN (data-cdn.mbamupdates.com). To inject a payload, the attacker needs to control how the victim resolves the CDN host name so that the update requests reach an attacker-controlled server. This can be done in several ways, including changing the DNS settings on the network adapter, editing the Windows hosts file to override DNS, or performing a DHCP spoofing attack, which lets the attacker hand the victim a rogue DNS server address.
In his proof of concept, with the attacker's machine running Kali Linux and the victim's machine running Windows XP, Klijnsma used DHCP spoofing to reroute the Malwarebytes product's requests to his "malicious" server.
From that man-in-the-middle (MitM) position, the researcher was able to make the security software download and execute an arbitrary file, taking over the targeted device.
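The flawed flow described above and the check that would have stopped it, as an added example that is not Malwarebytes code: a stand-alone Python sketch of an update client, run against a constructed stand-in for the CDN so it works offline. The manifest format, the installers, the `Cdn` class and the key are all assumptions made for the demo. The signature is an HMAC-SHA256 with a key embedded in the client, which stands in for the asymmetric signature (Authenticode on the installer, or a public-key signature over a manifest) a real client would verify; it is used here only so the example runs on the standard library alone.

```python
import hashlib
import hmac
import json


class UpdateRejected(Exception):
    """Raised when a downloaded update fails authentication."""


# Assumption: the vendor signs an update manifest and the client carries the
# verification key. A real client would check an asymmetric signature so that
# only the vendor's private key can produce it; HMAC-SHA256 with an embedded
# key is a stand-in here so the example needs nothing beyond the stdlib.
VENDOR_KEY = b"stand-in for the vendor's signing key"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(manifest: dict) -> bytes:
    # Sign a canonical encoding so reordered keys cannot alter the signed bytes.
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict, key: bytes = VENDOR_KEY) -> str:
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_manifest(manifest: dict, signature: str, key: bytes = VENDOR_KEY) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def parse_version(text: str) -> tuple:
    # Compare numerically so "2.0.10" sorts above "2.0.3".
    return tuple(int(part) for part in text.split("."))


# Constructed sample installers. Both carry a PE-looking header, which is
# exactly why "does it look like a PE file?" is not a useful check.
GOOD_INSTALLER = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"vendor installer body"
EVIL_INSTALLER = b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"attacker payload body"

GOOD_MANIFEST = {"version": "2.0.3", "installer": "setup.exe",
                 "sha256": sha256_hex(GOOD_INSTALLER)}
GOOD_SIGNATURE = sign_manifest(GOOD_MANIFEST)


class Cdn:
    """Constructed stand-in for the update host. Whoever controls name
    resolution for that host decides what this object serves."""

    def __init__(self, manifest: dict, signature: str, installer: bytes):
        self.files = {"/version": canonical(manifest),
                      "/version.sig": signature.encode(),
                      "/" + manifest["installer"]: installer}

    def get(self, path: str) -> bytes:
        return self.files[path]


def vulnerable_update(cdn: Cdn, installed: str):
    """The flawed flow: believe the version answer, fetch the named file, run it."""
    manifest = json.loads(cdn.get("/version"))
    if parse_version(manifest["version"]) <= parse_version(installed):
        return None
    # These bytes would be written to disk and executed with administrative
    # privileges; nothing so far has checked who produced them.
    return cdn.get("/" + manifest["installer"])


def verified_update(cdn: Cdn, installed: str):
    """The hardened flow: authenticate the manifest, then bind the download to it."""
    manifest = json.loads(cdn.get("/version"))
    signature = cdn.get("/version.sig").decode()
    if not verify_manifest(manifest, signature):
        raise UpdateRejected("manifest signature does not verify")
    if parse_version(manifest["version"]) <= parse_version(installed):
        return None
    blob = cdn.get("/" + manifest["installer"])
    if not hmac.compare_digest(sha256_hex(blob), manifest["sha256"]):
        raise UpdateRejected("installer hash does not match signed manifest")
    return blob


def scenario(name: str) -> Cdn:
    """Three constructed hosts: the real one and two attacker-controlled ones."""
    if name == "legit":
        return Cdn(GOOD_MANIFEST, GOOD_SIGNATURE, GOOD_INSTALLER)
    if name == "swap_installer":
        # Attacker relays the real manifest and signature but serves another PE.
        return Cdn(GOOD_MANIFEST, GOOD_SIGNATURE, EVIL_INSTALLER)
    if name == "forge_manifest":
        # Attacker advertises a newer version and the hash of the payload, but
        # has no vendor key, so the signature cannot verify.
        evil = {"version": "9.9.9", "installer": "setup.exe",
                "sha256": sha256_hex(EVIL_INSTALLER)}
        return Cdn(evil, sign_manifest(evil, b"attacker key"), EVIL_INSTALLER)
    raise ValueError(name)


def outcome(flow, name: str, installed: str = "2.0.2") -> str:
    try:
        blob = flow(scenario(name), installed)
    except UpdateRejected as err:
        return "rejected: " + str(err)
    if blob is None:
        return "up to date"
    return "would run " + ("vendor installer" if blob == GOOD_INSTALLER else "ATTACKER PAYLOAD")


if __name__ == "__main__":
    for name in ("legit", "swap_installer", "forge_manifest"):
        print(f"{name:15} vulnerable: {outcome(vulnerable_update, name)}")
        print(f"{name:15} verified:   {outcome(verified_update, name)}")
```

Note that transport security alone is not the whole fix: TLS to the CDN stops the DNS and DHCP tricks described above, but a signature over the package (or a signed manifest whose hash the download must match, as in `verified_update`) is what keeps a compromised or mis-resolved host from handing the client code to run as administrator.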
Klijnsma reported the Malwarebytes Anti-Malware vulnerability in mid-July, and the company fixed it on October 3 with the release of version 2.0.3. The Malwarebytes Anti-Exploit flaw was reported on August 21 and patched in early September with the release of version 1.04.1.1012.
Malwarebytes officials said the company has seen no evidence that the vulnerability has been exploited in the wild.