Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) is a good piece of software and helpful for protecting non-kernel Microsoft applications and third-party software, but the protection it offers can also be bypassed completely if the attackers know what they are doing, claim researchers from security firm Bromium.
“EMET adds special protections (for 32bit processes only) against a relatively new hacker technique known as ROP (return oriented programming),” Bromium’s Jared DeMott explained in a blog post.
“ROP based exploitation has been rampant in malware to bypass the ALSR+DEP protections. Most of the in-the-wild malware uncovered in the past year used a variant of ROP techniques. EMET adds other useful protections (like force ASLR and DEP) as well, but many of those are already present in their newest Operating system, Windows 8.1. And thus, EMET particularly excels for older platforms like Windows XP.”
Like any other software, EMET has its limitations, and the researchers wanted to see whether it is capable of deflecting customised attacks.
Bromium researchers, who worked with Microsoft on this research, have created attack code exploiting an old (and patched) use-after-free Internet Explorer bug (CVE-2012-4969) to bypass all of 12 EMET’s protections.
There is a public Metasploit exploit module for this bug, but it’s blocked by EMET. The researchers based theirs on a more sophisticated one created by Peter Vreugdenhil of Exodus Intelligence (and initially blocked by the security software).
“We were curious to see if the exploit could be enhanced to bypass EMET 4.1,” the researchers said. “Primarily of interest, we wanted to see if we could develop a generic EMET bypass technique for the stack pivot check, because this protection has not been publically bypassed to our knowledge.”
And they did it. The results of their research has been presented on Monday at the BSides conference in San Francisco, and have been acknowledged by Microsoft, whose developers will be trying to fix the unearthed issues in the next EMET version.
Those interested in learning more about Bromium’s research – but not the attack code itself, as it has naturally not been published – can download the whitepaper.