Security researchers at Bromium have poked holes in the armor of Microsoft’s Enhanced Mitigation Experience Toolkit.
In a new whitepaper, the firm lays out how to bypass the toolkit’s memory protections. In particular, it includes protections (for 32bit processes only) against return-oriented programming.
“ROP based exploitation has been rampant in malware to bypass the ALSR+DEP [address layout space randomization and data execution prevention] protections,” blogged Jared DeMott, a researcher with Bromium and the author of the whitepaper. “Most of the in-the-wild malware uncovered in the past year used a variant of ROP techniques. EMET adds other useful protections (like force ASLR and DEP) as well, but many of those are already present in their newest Operating system, Windows 8.1. And thus, EMET particularly excels for older platforms like Windows XP.”
“We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit),” he continued. “But we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET? And yes, we found ways to bypass all of the protections in EMET.”
The study focuses on EMET 4.0 and 4.1. The exploit described in the paper bypasses all 12 EMET protections, with particular attention being paid to the stack pivot protection. That was avoided it by using a pop-copy to the stack, a second pivot to the stack to execute critical ROP code and a final “jump back to an EMET friendly payload,” DeMott explained in the paper.
Other key defenses defeated by the exploit include export address filtering (EAF), which was disabled by clearing the debug registers. The final checks were bypassed by calling an unprotected version of VirtualProtect 20.
“The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection,” DeMott blogged. “This is true of EMET and other similar userland protections. That’s because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there’s no “higher” ground advantage as there would be from a kernel or hypervisor protection. We hope this study helps the broader community understand the facts when making a decision about which protections to use.”
This is not the first time EMET has been in the sights of researchers. Aaron Portnoy, co-founder of Exodus Intelligence, gave a presentation at SummerCon in 2013 that detailed EMET bypasses as well. In addition, this year’s upcoming Pwn2Own contest at CanSecWest is slated to include a $150,000 prize for any researcher that can exploit Internet Explorer 11, Windows 8.1 and EMET.
Rahul Kashyap, chief security architect and head of security research at Bromium, said Microsoft is slated to have a fix for the situation uncovered by the firm in EMET’s next release.
“Just like any other tool that relies on heuristics or known exploitation mechanisms, EMET is also vulnerable to such attacks,” he said. “[EMET] is definitely a layer of protection, but it’s important to know the limitations of each layer as we architect it and that was the goal of this research.”