(DA13) (FIC) Airbus - Beating Malwarebytes by reusing its own software component

Thursday, April 6, 2023 10:00 AM to 10:30 AM · 30 min. (Europe/Paris)
Hacking Lab
ATTACK DEMO

Information

This presentation aims to show that it is sometimes necessary to work out the basic architecture of a target product before vulnerability research can progress. Interacting with a component can be far more involved than opening a socket and sending data: a product may build its communication channel from synchronisation primitives, shared memory and randomly generated resource names. Understanding and reimplementing such a channel costs a lot of time and can force a vulnerability researcher to abandon their initial idea. Faced with this pitfall, we have to let go of the urge to figure it all out or reinvent the wheel, and instead reuse code from the analysed software to get past it. That requires enough reverse engineering to identify the right software component and to work out how to reach the interesting proprietary code.

As part of the Airbus Cyber Programmes vulnerability research team, we conducted an assessment of Malwarebytes Antivirus for Windows. The first step in such an assessment is to establish the attack surface: in our case, finding ways for a low-privileged application to interact with a privileged component of the product. We then use the entry points found this way to challenge the target, by abusing internal functionality or discovering new vulnerabilities. The component involved is the "Malwarebytes Service" (MBAMService.exe), which runs as NT AUTHORITY\SYSTEM. Among other things, it collects reports of possible threats from monitored processes and then takes the most appropriate action based on that information, such as killing the infected process.

This assessment produced two vulnerabilities:
• An arbitrary file deletion as NT AUTHORITY\SYSTEM, triggered from standard user rights;
• A denial of service of the MBAM Service (MBAMService.exe), which runs as NT AUTHORITY\SYSTEM.

Here is the outline I plan to follow and the approximate time:
1. Who am I (1 min);
2. Describing the Malwarebytes architecture: highlighting why it was relevant to reuse Malwarebytes' own code (5 min);
3. Figuring out how to build a message according to the Malwarebytes proprietary protocol (5 min);
4. Briefly presenting both the arbitrary file deletion and the denial of service vulnerabilities (4 min);
5. Q&A (5 min).
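The abstract's first step, establishing the attack surface from a low-privileged session, is the kind of recon that is typed into PowerShell. The script below is an added example and is not code from the Airbus talk or from Malwarebytes: the only thing taken from the abstract is the service name MBAMService. The name filter pattern, the assumption that named pipes are the user-to-service channel worth probing first, and the writable-binary check are the author's assumptions, not a description of how the product actually works.

```powershell
# Added example, not from the Airbus talk or from Malwarebytes.
# Run as a standard user: list what this session can reach of a SYSTEM service.
# 'MBAMService' comes from the abstract; the pattern and the checks are assumptions.
param(
    [string]$ServiceName = 'MBAMService',
    [string]$NamePattern = '(?i)mbam|malwarebytes'
)

# 1. Confirm the account the service runs under and where its binary lives.
#    Win32_Service is readable without admin rights; StartName shows the account
#    the SCM starts the service as (LocalSystem for a SYSTEM service).
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "service '$ServiceName' not found" }
'{0}: account={1} state={2}' -f $svc.Name, $svc.StartName, $svc.State

# 2. A binary writable by standard users is the shortest path to SYSTEM, so rule
#    that out before looking at IPC. PathName may be quoted and carry arguments.
$exe = $svc.PathName -replace '^"?(.+?\.exe)"?.*$', '$1'
(Get-Acl -Path $exe).Access |
    Where-Object { $_.AccessControlType -eq 'Allow' -and
                   $_.FileSystemRights -match 'Write|Modify|FullControl' -and
                   $_.IdentityReference -match 'Users|Everyone|Authenticated' } |
    ForEach-Object { "  WRITABLE by $($_.IdentityReference): $exe" }

# 3. Named pipes are the most common user->service channel and \\.\pipe\ can be
#    listed by any user. Randomly generated names (see the abstract) still show
#    up here; match them by whatever prefix stays stable across runs.
$pipes = [System.IO.Directory]::GetFiles('\\.\pipe\') |
    ForEach-Object { $_.Substring('\\.\pipe\'.Length) }
$candidates = @($pipes | Where-Object { $_ -match $NamePattern })
"$($pipes.Count) pipes visible, $($candidates.Count) match '$NamePattern'"

# 4. Try to open each candidate read/write as the current user. A successful
#    connect is an entry point worth reverse engineering and fuzzing; 'access
#    denied' means the pipe DACL already excludes us; a timeout means no server
#    instance is currently waiting for a client. Note that a successful connect
#    is observable by the service (it completes one ConnectNamedPipe call).
foreach ($p in $candidates) {
    $client = New-Object System.IO.Pipes.NamedPipeClientStream(
        '.', $p, [System.IO.Pipes.PipeDirection]::InOut)
    try {
        $client.Connect(500)
        "  $p : reachable (read/write)"
    } catch [System.TimeoutException] {
        "  $p : exists, no server instance waiting"
    } catch [System.UnauthorizedAccessException] {
        "  $p : access denied"
    } catch {
        "  $p : $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }
}
```

Pipes are only one part of the picture. The events, sections (shared memory) and mutexes the abstract mentions live in the object manager namespace under \BaseNamedObjects, which PowerShell does not expose natively; James Forshaw's NtObjectManager module (`Get-ChildItem NtObject:\BaseNamedObjects` after `Import-Module NtObjectManager`) lists them with their security descriptors, and is the natural next step once the pipe survey is done. That module is mentioned here as a suggestion, not as something the talk uses.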
