EMET is designed to ensure that exploits are difficult and expensive to develop

Aug 14, 2012 07:54 GMT  ·  By

The Enhanced Mitigation Experience Toolkit (EMET) has been designed by Microsoft to prevent security holes from being exploited by cybercriminals. However, a security researcher claims to have found a couple of methods to bypass it.

Shahriyar Jalayeri from Iran has apparently bypassed EMET 3.5 even with the return oriented programming (ROP) mitigation enabled. He has released an exploit for the vulnerability tracked as CVE-2011-1260.

“EMET’s ROP mitigation works around hooking certain APIs (like VirtualProtect) with Shim Engine and monitors their initialization. I have used SHARED_USER_DATA which mapped at fixed address ‘0x7FFE0000’ to find KiFastSystemCall address (SystemCallStub at ‘0x7FFE0300’), so I could call any syscall by now!” the researcher wrote on his blog.

“By calling ZwProtectVirtualMemory’s SYSCALL ‘0x0D7’, I made shellcode’s memory address RWX. After this step I could execute any instruction I wanted. But to execute actual shellcode (with hooked APIs like ‘WinExec’) I patched EMET to be deactivated completely. BOOM!”

Jalayeri believed that this method could be used to bypass the mitigations in other exploits as well.

The security expert soon realized that the Redmond company was aware of this attack method, a fact confirmed by Microsoft representatives in an email to Softpedia.

“The vulnerability utilized in this demo, CVE-2011-1260, was addressed one year ago by security update MS11-050, and we encourage customers to apply the update to help protect against this issue,” Yunsun Wee, director at Microsoft Trustworthy Computing, said.

After learning that the bug had already been patched, the researcher identified another way to bypass EMET’s ROP mitigations.

“The EMET team forgot about the KernelBase.dll and left all its functions unprotected. So I used @antic0de‘s method for finding base address of kernelbase.dll at run-time, then I used VirtualProtect inside the kernelbase.dll, not ntdll.dll or kernel32.dll,” he explained.

Microsoft representatives have responded by highlighting the fact that EMET is not a shield that's guaranteed to mitigate all attacks, but a way to ensure that the development of exploits is more difficult and expensive.

“Most recently, we incorporated a BlueHat Prize finalist’s technology into EMET 3.5 Technology Preview to further enhance the tool’s capabilities as we work to finalize the latest product version. The security mitigation technologies implemented by EMET increase the cost for attackers to develop a successful exploit,” Yunsun Wee said.

The point that EMET’s purpose is to raise the cost of exploits is also reinforced by Microsoft’s description of the ROPGuard technology in a blog post published on July 26.

“ROP mitigations that rely on introducing new checks to critical functions are not considered to be robust over the long term. The checks proposed by this submission and in previous research are capable of mitigating ROP payloads that are used today, but it is expected that attackers would be able to adapt to these checks at relatively low cost,” the post reads.

“For example, a fundamental problem with this type of approach is that an attacker could attempt to call a lower level API that has not been instrumented by the checks. A variant of this bypass is to transfer control after the instruction block that performs the checks (depending on how the checks have been added).”

Here is the video in which Jalayeri demonstrates his findings: