Researchers have once again managed to bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), this time by leveraging the Windows subsystem WoW64.
WoW64 (Windows 32-bit on Windows 64-bit) is a compatibility layer in Windows designed to allow unmodified 32-bit applications to run on 64-bit systems. While it’s very useful, researchers demonstrated in the past that WoW creates an attack surface that can be used by malicious actors to bypass antivirus software and exploit mitigations.
Researchers at two-factor authentication (2FA) solutions provider Duo Security have found a way to use WoW64 to bypass Microsoft EMET, a tool designed to make it more difficult and more expensive for attackers to exploit a system.
While EMET bypass methods have been presented several times in the past, Duo Security says its method can be used to bypass all payload execution and return-oriented programming (ROP) mitigations in one shot, in a generic, app-independent way.
According to Duo Security, 80 percent of browsers are 32-bit processes running under WoW64 on a 64-bit system. This is relevant in this case as web browser exploitation is one of the most common vectors used by malicious actors to breach systems.
In order to demonstrate their findings, researchers modified an existing exploit for a use-after-free vulnerability in Adobe Flash Player (CVE-2015-0311). They successfully reproduced the bypass on a 64-bit version of Windows 7 running Internet Explorer 10 and the latest versions of EMET, 5.2 and 5.5 beta.
“While EMET provides support for both 32 and 64-bit processes, as a limitation of its design, it does not explicitly handle the special case of WoW64 processes. This makes using a 64-bit ROP chain and secondary stage a relatively straightforward method for bypassing a significant number of EMET’s mitigations,” Duo Security explained in its research paper. “Furthermore, 64-bit editions of EMET do not support any of the ROP-related mitigations, further limiting EMET’s effectiveness on 64-bit processes. It appears that due to these limitations, enhancing EMET to overcome them is likely a non-trivial effort.”
Darren Kemp, researcher at Duo Security, has pointed out that the paper’s goal is not to undermine the importance of EMET’s role in defending organizations against cyberattacks, but to highlight shortcomings in the current version.
“EMET is largely effective at complicating a variety of exploitation techniques in true 32- and 64-bit applications, often requiring attackers to find a solution to each mitigation on a case- by-case basis. Most off-the-shelf exploits will fail in the face of EMET mitigations,” Duo Security said. “But due to the architectural quirks of the WoW64 subsystem, mitigations provided by EMET are significantly less effective due to the way they are inserted into the process. Fixing this issue requires significant modifications to how EMET works.”
Microsoft has provided the following statement: We continue to research new mitigations to integrate into the Enhanced Mitigation Experience Toolkit (EMET). Deploying EMET helps make it more difficult for attackers to exploit a system, which moves the balance of power in the customer’s favor.
*Updated with statement from Microsoft