Онлайн Радио 24 Miss Marple Inventory Agent
How to uninstall Miss Marple Inventory Agent from your PC
This web page contains thorough information on how to uninstall Miss Marple Inventory Agent for Windows. It was developed for Windows by amando software GmbH . More information on amando software GmbH can be seen here. More details about the program Miss Marple Inventory Agent can be seen at http://www.amandosoftware.com. The program is frequently installed in the C:\Program Files (x86)\amando\Miss Marple Inventory Agent directory. Take into account that this location can vary depending on the user’s choice. MsiExec.exe /X is the full command line if you want to uninstall Miss Marple Inventory Agent. HideWin.exe is the Miss Marple Inventory Agent’s main executable file and it takes approximately 36.00 KB (36864 bytes) on disk.
Miss Marple Inventory Agent is composed of the following executables which take 169.83 KB ( 173904 bytes) on disk:
- MMIA.exe (23.50 KB)
- HideWin.exe (36.00 KB)
- MMLKHI.exe (110.33 KB)
The current page applies to Miss Marple Inventory Agent version 1.1 only. You can find here a few links to other Miss Marple Inventory Agent releases:
A way to delete Miss Marple Inventory Agent from your PC with Advanced Uninstaller PRO
Miss Marple Inventory Agent is a program released by amando software GmbH. Sometimes, computer users try to uninstall this application. Sometimes this can be easier said than done because deleting this by hand takes some advanced knowledge related to Windows internal functioning. One of the best QUICK action to uninstall Miss Marple Inventory Agent is to use Advanced Uninstaller PRO. Here are some detailed instructions about how to do this:
1. If you don’t have Advanced Uninstaller PRO on your Windows system, add it. This is a good step because Advanced Uninstaller PRO is a very efficient uninstaller and general utility to take care of your Windows system.
- go to Download Link
- download the setup by clicking on the green DOWNLOAD NOW button
- install Advanced Uninstaller PRO
3. Press the General Tools category
4. Activate the Uninstall Programs tool
5. All the programs installed on the computer will be made available to you
6. Scroll the list of programs until you locate Miss Marple Inventory Agent or simply activate the Search feature and type in “Miss Marple Inventory Agent”. If it is installed on your PC the Miss Marple Inventory Agent program will be found very quickly. After you click Miss Marple Inventory Agent in the list of programs, the following information regarding the program is made available to you:
- Safety rating (in the left lower corner). The star rating explains the opinion other people have regarding Miss Marple Inventory Agent, from “Highly recommended” to “Very dangerous”.
- Reviews by other people – Press the Read reviews button.
- Technical information regarding the application you are about to remove, by clicking on the Properties button.
- The web site of the application is: http://www.amandosoftware.com
- The uninstall string is: MsiExec.exe /X
7. Click the Uninstall button. A confirmation window will come up. accept the removal by pressing the Uninstall button. Advanced Uninstaller PRO will automatically remove Miss Marple Inventory Agent.
8. After uninstalling Miss Marple Inventory Agent, Advanced Uninstaller PRO will offer to run a cleanup. Press Next to start the cleanup. All the items of Miss Marple Inventory Agent that have been left behind will be found and you will be able to delete them. By uninstalling Miss Marple Inventory Agent using Advanced Uninstaller PRO, you are assured that no registry entries, files or directories are left behind on your computer.
Your computer will remain clean, speedy and able to serve you properly.
Multiple Critical Vulnerabilities In Miss Marple Enterprise Edition
Using the hardcoded AES key/iv, an attacker can decrypt the password for a remote server and execute code remotely on this server. The attacker can then deploy malicious updates via this server to all Miss Marple Agents.
Vendor Description
“As a global IT company with thirty years of experience, COMPAREX is one of the world’s leading IT service providers and no. 1 software license management company in the EMEA markets. COMPAREX develops innovative services that support management and leverage software products, leading to an overall improvement of workforce productivity. COMPAREX serves corporate customers spanning from small businesses to large international corporations as well as the public institutions supporting every customer during their digital journey towards productivity optimization. The portfolio has a solid foundation in license management, software procurement and cloud services. Substantial professional and managed services complete the portfolio to support customers with services tailored to their business demands.”
Business Recommendation
The vendor provides a patch and users of this product are urged to immediately upgrade to the latest version available.
Vulnerability Overview/ Description
Miss Marple is an inventory software that consists of a client and a server part. The client (agent) is gathering system information and uploads the results to a remote server in an encrypted ZIP file.
1) Hardcoded AES key (CVE-2018-19233)
A username and an encrypted password were identified in the Miss Marple Inventory Agent configuration file. By decompiling the binary, the encryption method was identified as AES-256 with a hardcoded key and initialization vector. The credentials are used to deploy the inventory files to a remote server.
2) Uploading arbitrary files
There are two ways an attacker can upload arbitrary files to the server.
2.1) Patching the application binary to bypass the ZIP file extension check
Using this method, it is possible to upload any file to the server, even if the credentials are unknown to the attacker! This works because every file in a specific directory gets uploaded, as long as the file has the correct file extension. This can be bypassed because the file extension is only checked on the client side and not on the server side. Patching the binary is done by replacing the extension string with the file extension of the attackers file eg. “.aspx” in the MMIA.exe binary itself.
2.2) Using cURL to upload arbitrary files
If the credentials are known to the attacker, it is possible to use tools like cURL to upload arbitrary files to the remote server.
Both ways can be used by an attacker to upload a web-shell to the server and execute arbitrary commands.
3) Missing update validation (CVE-2018-19234)
Besides the Miss Marple Inventory Agent, an Miss Marple Updater Service is running on all clients. This service checks for new versions on the same server. If the files are uploaded to the right directory on the server, the updater will download and execute them with the highest privileges (NT Authority\SYSTEM) without validating the binaries.
This can also be used for escalating privileges on the client. By uploading a web-shell using the methods described in vulnerability 2, an attacker gets sufficient write permissions to access the update directory and to place malicious files on the server. This will execute arbitrary code on all clients using Miss Marple.
Proof Of Concept
1) Hardcoded AES key (CVE-2018-19233)
No proof of concept will be provided.
2) Uploading arbitrary files
2.1) No proof of concept will be provided. E.g. the Unicode string for “.zip” just has to be replaced with the file extension for the uploaded web-shell.
2.2) Using cURL to upload arbitrary files It is possible to upload arbitrary files using cURL and the credentials obtained in 1).
3) Missing update validation (CVE-2018-19234)
No proof of concept will be provided.
Vulnerable / Tested Versions
The following versions have been tested and found to be vulnerable:
- Miss Marple Inventory Agent / Miss Marple Updater Service 1.13.
Vendor Contact Timeline
| 2018-06-13: | Contacting vendor through [email protected]. |
| 2018-07-04: | Meeting with the vendor. Reviewed planned fixes. |
| 2018-07-10: | Meeting with the vendor. Release of fix dated to 2018-09-30. |
| 2018-09-16: | Meeting with the vendor. Reviewed implemented fixes. |
| 2018-10-11: | Meeting with the vendor. Scheduled the roll-out for the fixed version. |
| 2018-10-22: | Vendor releases patched version. |
| 2018-11-16: | Public release of security advisory. |
Solution
According to the vendor, all the identified issues have been fixed in version 2.0.
Please update to the latest version immediately.
Workaround
Advisory URL
EOF Marius Schwarz / @2018
Contact
Interested to work with the experts of SEC Consult? Send us your application.
Want to improve your own cyber security with the experts of SEC Consult? Contact our local offices.
SEC Consult is one of the leading consultancies in the field of cyber and application security. The company specializes in information security management, NIS security audits, penetration testing, ISO 27001 certification support, Cyber Defence and secure software certification. SEC Consult is part of Eviden, an Atos business.
We use Cookies
We use cookies to offer you a perfect visit experience. These include cookies that are necessary for the operation of the site and for the control of our commercial corporate goals, as well as those that are only used for anonymous statistical purposes, for convenience settings or to display personalized content. Decide for yourself which categories you want to allow. Please note that based on your settings, not all functions of the site may be available.
Process Detail
MMIA.exe is known as Miss Marple Inventory Agent and it is developed by amando , it is also developed by COMPAREX AG. We have seen about 6 different instances of MMIA.exe in different location. So far we haven’t seen any alert about this product. If you think there is a virus or malware with this product, please submit your feedback at the bottom.
Something wrong with MMIA.exe ?
Is MMIA.exe using too much CPU or memory ? It’s probably your file has been infected with a virus. Let try the program named DriverIdentifier to see if it helps.
How to remove MMIA.exe
If you encounter difficulties with MMIA.exe , you can uninstall the associated program (Start > Control Panel > Add/Remove programs
What can you do to fix MMIA.exe ?
Let try to run a system scan with Speed Up My PC to see any error, then you can do some other troubleshooting steps.
If you think this is a driver issue, please try DriverDouble.com
Where do we see MMIA.exe ?
Here is the list of instances that we see for the process: MMIA.exe
| Path | Product Name | Vendor | Version | Size | MD5 | |
| 1 | C:\Program Files\amando\Miss Marple Agent\Inventory Agent\MMIA.exe | Miss Marple Inventory Agent | amando | 1.11.2029.2 | 3072 | 9F81DDE9DC2A5DE459AE451314CD341A |
| 2 | C:\Program Files\COMPAREX\Miss Marple Agent\Inventory Agent\MMIA.exe | Miss Marple Inventory Agent | COMPAREX AG | 1.15.2631.1 | 3788 | 7282D498C2C148407CCB797E73448A36 |
| 3 | C:\Program Files (x86)\COMPAREX\Miss Marple Agent\Inventory Agent\MMIA.exe | Miss Marple Inventory Agent | COMPAREX AG | 1.15.2631.1 | 37888 | 7282D498C2C148407CCB797E73448A36 |
| 4 | C:\Program Files (x86)\COMPAREX\Miss Marple Agent\Inventory Agent\MMIA.exe | Miss Marple Inventory Agent | COMPAREX AG | 2.0.3077.2 | 50176 | DCDFD2BF04B31A0B0FE1C7077735C3AF |
| 5 | C:\Program Files (x86)\amando\Miss Marple Agent\Inventory Agent\MMIA.exe | Miss Marple Inventory Agent | amando | 1.14.2329.1 | 30720 | 8817F6788167B30524EE6EF5CCCBA379 |
| 6 | C:\Program Files (x86)\amando\Miss Marple Agent\Inventory Agent\MMIA.exe | Miss Marple Inventory Agent | amando | 1.3.1672.6 | 31744 | E4AB922724B715F74982ABDDB88645DF |
Comments about this process:
При подготовке материала использовались источники:
https://www.advanceduninstaller.com/Miss-Marple-Inventory-Agent-beae48bc39bddc12eaaffe8d8bf76d78-application.htm
https://sec-consult.com/vulnerability-lab/advisory/multiple-critical-vulnerabilities-in-miss-marple-enterprise-edition/
https://www.processchecker.com/file/MMIA.exe.html