Malwarebytes AntiVirus 2.2.0 - Denial of Service (PoC)

EDB-ID:

38858

CVE:



Platform:

Windows

Published:

2015-12-03

#####################################################################################

Application:   Malwarebytes Antivirus
Platforms:   Windows
Versions:   2.2.0.
CVE:   No CVE have been assigned
Author:   Francis Provencher of COSIG
Twitter:   @COSIG_
#####################################################################################

1) Introduction
2) Report Timeline
3) Technical details
4) POC

#####################################################################################

===============
1) Introduction
===============

Malwarebytes Anti-Malware (MBAM) is an application for computers running under the Microsoft Windows and Apple OS Xoperating system that finds and removes malware.[3] Made by Malwarebytes Corporation, it was first released in January 2008. It is available in a free version, which scans for and removes malware when started manually, and a paid version, which additionally provides scheduled scans, real-time protection and a flash memory scanner.

(http://www.oracle.com/us/technologies/embedded/025613.htm)

#####################################################################################

============================
2) Report Timeline
============================

2015-11-28: Francis Provencher of COSIG found the issue;
2015-11-30: Francis Provencher of COSIG report vulnerability to Malwarebytes;
2015-12-02: Malwarebytes release a patch for this issue;

#####################################################################################

============================
3) Technical details
============================

When a malformed executable with an invalid integer (-1) in the “SizeOfRawData” in UPX section is parsed by Malwarebytes, a memory corruption occured. Successful exploitation of the vulnerabilities may allow execution of arbitrary code.

#####################################################################################

===========

4) POC
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38858.exe