Malwarebytes 4.5 Unquoted Service Path Privilege Escalation

A local attacker with write access to a directory earlier in the unquoted path (e.g., `C:\Program.exe` or `C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe`) can place a malicious executable there. When the MBAMService starts (either at boot or manually), Windows' CreateProcess resolves the unquoted path and runs the attacker's payload instead of the legitimate binary. Because the service runs as LocalSystem, the injected code inherits those elevated privileges, resulting in local privilege escalation.

The MBAMService executable is configured with an unquoted service binary path `C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe`. Because the path contains spaces and is not enclosed in quotes, Windows will attempt to execute `C:\Program.exe`, `C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe`, etc., in order, allowing an attacker to plant a malicious executable at a higher-precedence location.

The advisory does not include a patch diff. To remediate the vulnerability, the vendor must enclose the service binary path in quotes (e.g., `"C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe"`) in the service configuration. Without quotes, Windows' path resolution logic treats each space-separated segment as a potential executable location, enabling the attack described.

1. Run `sc qc MBAMService` to confirm the unquoted binary path `C:\Program Files\Malwarebytes\Anti-Malware\MBAMService.exe`. 2. Place a malicious executable named `Program.exe` in `C:\` (or `Malwarebytes.exe` in `C:\Program Files\`, etc.) so that Windows resolves it before the legitimate binary. 3. Restart the service or reboot the system; the malicious executable runs with LocalSystem privileges.