Bypass Possible for EMET Shield

Tuesday, February 25, 2014 @ 05:02 PM gHale


It is possible for attackers to bypass Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), which protects non-kernel Microsoft applications and third-party software, researchers said.

“EMET adds special protections (for 32bit processes only) against a relatively new hacker technique known as ROP (return oriented programming),” security firm Bromium Labs’ Jared DeMott said in a blog.

RELATED STORIES
Fix It Issued for IE Zero Day
Error Reports could lead to Attacks
Pulling RSA Keys by Listening
Air Gaps Not Even Secure

“ROP based exploitation has been rampant in malware to bypass the ALSR+DEP protections. Most of the in-the-wild malware uncovered in the past year used a variant of ROP techniques. EMET adds other useful protections (like force ASLR and DEP) as well, but many of those are already present in their newest Operating system, Windows 8.1. And thus, EMET particularly excels for older platforms like Windows XP.”

Like any other software, EMET has its limitations, and researchers wanted to see whether it is capable of deflecting customized attacks.

Bromium researchers, who worked with Microsoft on this research, have created attack code exploiting an old (and patched) use-after-free Internet Explorer bug (CVE-2012-4969) to bypass all of 12 EMET’s protections.

There is a public Metasploit exploit module for this bug, but ended up blocked by EMET. The researchers based theirs on a more sophisticated one created by Peter Vreugdenhil of Exodus Intelligence (and initially blocked by the security software).

“We were curious to see if the exploit could be enhanced to bypass EMET 4.1,” the researchers said. “Primarily of interest, we wanted to see if we could develop a generic EMET bypass technique for the stack pivot check, because this protection has not been publically bypassed to our knowledge.” It is now as they were able to get in.

Click here to download a white paper on Bromium’s research.



Leave a Reply

You must be logged in to post a comment.