Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. guest

    guest Guest

    It looks like those are just memory corruption vulnerabilities.

    Part 1 of @ZeroVulnLabs answer was with regard to logic flaws in Firefox.
    Logic flaws in Firefox are rare and the vast majority of them were found by one researcher (Mariusz Mlynski)
     
  2. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Hard to tell, I couldn't find any details other than "unknown vulnerabilities" and "unspecified vectors" in the CVE description.

    It does say it's a memory corruption vuln so likely MBAE will detect and stop it. But we'll have to wait for a Metasploit module or leaked exploit PoC to know for sure.
     
  3. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    More reasons to use proactive anti-exploit measures instead of signature-based blocking:
    http://threatpost.com/domain-shadowing-latest-angler-exploit-kit-evasion-technique/111396

     
  4. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    MBAE 1.05.1.1016 (Premium)
    SBIE 4.16
    OS Windows XP Home SP3.

    I inserted the template recommended on SBIE 4.16.
    It does not work.
     
  5. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    AFAIK that template workaround only works on 64bit Operating Systems to protect 32bit processes.
     
  6. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,343
    Location:
    Italy
    I read this:

    https://forums.malwarebytes.org/ind...choosing-between-sandboxie-and-mbae/?p=914785

    Post 34
     
  7. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  8. mantra

    mantra Registered Member

    Joined:
    Jan 25, 2005
    Posts:
    6,167
    Last edited: Mar 6, 2015
  9. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
  10. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    So is the only obstacle with this right now that you have to manually enter that string into SBIE's configuration to get it to be compatible with it?

    Oh yeah... last I heard it didn't play well with the HIPS in Comodo 5.10 as well. Namely the shellcode injection protection. I'm willing to enter that code to force compatibility with SBIE, but if it doesn't play well with Comodo 5.10's HIPS that's a deal breaker to me. And that'd be a shame because I really want to use this.
     
  11. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Shellcode is one of the main vectors used by exploits so if MBAE cannot inject into it then it probably can't offer protection for many exploits. I'm interested in hearing what pbust thinks about this. How long has Comodo been offering shellcode injection protection?
     
  12. guest

    guest Guest

    You're wrong.

    1. You can't just run shellcode from the stack or heap. (Have you ever heard of DEP and ASLR?)
    2. Critical functions (VirtualProtect, WinExec, etc) cannot be called from heap memory when ESP is not an address within the stack boundaries defined in the TEB. (a/k/a stack pivot detection)
    3. Critical functions that are called require a return address that is not located on the stack or heap. ( Bye bye exploitation attempt using 'traditional' shellcode )

    At least, this is what I have experienced using blackbox testing
    Besides that, you also have to deal with Application Lockdown.
     
  13. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
    Yes, I know what DEP and ASLR are. I will look more into what you are saying.

    Edited: Are you basically saying the shellcode runs later in the chain of execution if the exploit is successful, so the shellcode is not what is being exploited? That will give me a starting point to read more into this.
     
  14. guest

    guest Guest

    The following steps are generally taken while exploiting Internet Explorer/Flash Player/etc.

    1. Spray the heap
    2. Overwrite some value on the heap using a vulnerability to gain RCE
    3. Perform a stack pivot
    4. Call VirtualProtect/VirtualAlloc to allocate executable memory on the heap in which the shellcode is located
    5. Call shellcode
    6. game over
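The two checks described in post 12 (stack pointer must lie inside the TEB stack bounds; return address of a critical call must point into a loaded module) and the exploitation chain in post 14, as a C model added here for illustration. This is not MBAE's code and not from the thread: instead of reading NT_TIB.StackLimit/StackBase and the loaded-module list from inside a hooked process, the caller passes those values in, and every address in the scenarios is constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Illustrative model (not MBAE's code) of what a hook on a "critical" API
 * such as VirtualProtect, VirtualAlloc or WinExec could check at entry.
 * Stack bounds and image ranges are passed in rather than read from the TEB
 * and PE headers of a live process; all addresses below are constructed.
 */

/* Thread stack as recorded in the TEB: StackLimit is the low end, StackBase the high end. */
typedef struct {
    uintptr_t stack_limit; /* lowest committed stack address */
    uintptr_t stack_base;  /* one past the highest stack address */
} teb_stack_t;

/* Executable range of one loaded image (what a hook would derive from the PE headers). */
typedef struct {
    const char *name;
    uintptr_t start;
    uintptr_t end;
} image_range_t;

typedef enum {
    CALL_ALLOWED = 0,
    BLOCK_STACK_PIVOT = 1,     /* ESP/RSP outside the TEB stack bounds */
    BLOCK_RET_NOT_IN_IMAGE = 2 /* return address not in any module's code */
} verdict_t;

/* Check 2 in the post: the stack pointer must lie within [StackLimit, StackBase). */
bool sp_within_teb_stack(const teb_stack_t *teb, uintptr_t sp)
{
    return sp >= teb->stack_limit && sp < teb->stack_base;
}

/* Check 3 in the post: the return address must point into a loaded module, not stack or heap. */
const image_range_t *image_containing(const image_range_t *imgs, size_t n, uintptr_t addr)
{
    for (size_t i = 0; i < n; i++) {
        if (addr >= imgs[i].start && addr < imgs[i].end)
            return &imgs[i];
    }
    return NULL;
}

/* Entry check for a hooked critical API: pivot check first, then return-address origin. */
verdict_t check_critical_call(const teb_stack_t *teb,
                              const image_range_t *imgs, size_t n,
                              uintptr_t sp, uintptr_t ret_addr)
{
    if (!sp_within_teb_stack(teb, sp))
        return BLOCK_STACK_PIVOT;
    if (image_containing(imgs, n, ret_addr) == NULL)
        return BLOCK_RET_NOT_IN_IMAGE;
    return CALL_ALLOWED;
}

/* Constructed 32-bit-style layout used by the scenarios (hypothetical values). */
static const teb_stack_t g_teb = { 0x0012C000u, 0x00130000u };
static const image_range_t g_images[] = {
    { "app.exe",   0x00401000u, 0x00450000u },
    { "ntdll.dll", 0x77D01000u, 0x77DF0000u },
};
#define N_IMAGES (sizeof g_images / sizeof g_images[0])

/* Scenario 1: an ordinary VirtualProtect call from application code. */
verdict_t scenario_legit_call(void)
{
    return check_critical_call(&g_teb, g_images, N_IMAGES, 0x0012F7A0u, 0x00412345u);
}

/* Scenario 2: steps 1-4 of the chain in the post. After the heap spray and the
 * overwrite, the pivot moved ESP into the sprayed heap (0x0A0A0A0A...), and the
 * ROP chain there calls VirtualProtect with a return into an ntdll gadget. */
verdict_t scenario_stack_pivot(void)
{
    return check_critical_call(&g_teb, g_images, N_IMAGES, 0x0A0A0A0Cu, 0x77D12340u);
}

/* Scenario 3: no pivot (ESP still on the real stack), but the caller is shellcode
 * already executing from sprayed heap memory, so the return address is in the heap. */
verdict_t scenario_call_from_heap(void)
{
    return check_critical_call(&g_teb, g_images, N_IMAGES, 0x0012F000u, 0x0A0A0B00u);
}

int main(void)
{
    printf("legit call:        %d\n", scenario_legit_call());    /* 0 */
    printf("after stack pivot: %d\n", scenario_stack_pivot());   /* 1 */
    printf("call from heap:    %d\n", scenario_call_from_heap()); /* 2 */
    return 0;
}
```

A ROP chain that never leaves the original stack (for example, one built from a stack-based overflow) and returns into a module gadget after the critical call passes both checks, which is why these two tests are a layer and not a complete defence; the post's mention of Application Lockdown points at the additional layer, but the thread does not describe how it is implemented, so it is not modelled here.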
     
  15. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    For a long time. They used to offer it by way of a stand-alone program they called the Comodo Memory Firewall, back before they even made a HIPS and their FW was much more basic and rough around the edges. Then when they created a FW/HIPS combo, before they even had an AV, they integrated the feature into it by way of a simple check box: "Detect shellcode injections" in the D+ settings. So they've been at it for a long time.

    Not only that but I wouldn't sacrifice it to use MBAE because I feel that doing so could weaken the entire product as a whole. One of those "more than the sum of its parts" type deals if it isn't there anymore.

    I didn't quite follow the exchange the two of you were having. To simplify... is it alright for me to use MBAE and keep that feature enabled in Comodo D+ too without creating problems? If so I'll buy the thing. If not, it's just not an option for me. So far people seem to be evasive when it comes to addressing this issue.
     
  16. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    As far as we know there's no issue with Comodo D+. I've been in touch with them a few times over the last years to fix some of the earlier conflicts during the MBAE betas, but that was a long time ago. If you're running the latest versions of both products there are no conflicts.
     
  17. luciddream

    luciddream Registered Member

    Joined:
    Mar 22, 2007
    Posts:
    2,545
    That's the thing though... I'm not running the latest version of Comodo, and have mentioned that several times in here. I use v5.10, as do many. It's considered by many to be the best version they've ever made and has become a legacy version. So am I SOL then if I keep using that version? I certainly won't change it.
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    I didn't keep track of which was the version with problems, but it is also possible that the fix was pushed down as an update to Comodo users.

    Give it a try with the MBAE trial version. If it doesn't work the uninstall is just 2 clicks away. Even if you decide to purchase MBAE Premium and you run into problems later on, just send me a PM or post here and I'll instruct an immediate refund.
     
  19. TomAZ

    TomAZ Registered Member

    Joined:
    Feb 27, 2010
    Posts:
    1,131
    Location:
    USA
    Actually, it works for me on my 32-bit system, but I had to downgrade to SBIE 3.76 to make it happen.
     
  20. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590

    Then you really didn't make it happen. Downgrading to 3.76 is a mistake as you are giving up all the improvements in SBIE's protection.
     
  21. Pete,

    That is not entirely true. SBIE V4 is better for 64-bit systems. True, with V4 the user also benefits from the low-rights sandbox (when your OS facilitates that). On the other hand V3 is well matured for 32-bit systems. As an example, 3.76 was not vulnerable to the hardlink sandbox escape which 4.14 and older were vulnerable to.

    For 32-bit system owners (particularly on XP), there is nothing wrong with using the 3.76 version. But let's take that discussion to SBIE and keep this an MBAE thread.

    Regards Kees
     
    Last edited by a moderator: Mar 9, 2015
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I stand corrected

    Thanks Kees
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,546
    Location:
    The Netherlands
    @ ZeroVulnLabs

    I forgot to report that MBAE terminates MS PowerPoint 2013, and gives an "exploit detected" alert, I'm using Win 8.1 64 bit. I'm now on the Free version, but perhaps you can take a look at it.
     
  24. boredog

    boredog Registered Member

    Joined:
    Feb 1, 2015
    Posts:
    2,499
    Does antiexploit work with Quitezones TOR browser? Or do I have to add it to the shields somehow?
     
  25. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Would need MBAE and FRST logs --> https://forums.malwarebytes.org/ind...-how-to-posts-here-need-to-include-mbae-logs/

    If it doesn't show up as protected in the LOGS tab of MBAE, then you need to add a custom shield for it.
     