Flawed code hooking engines open endpoints to compromise

Six common security issues stemming from the incorrect implementation of code hooking and injection techniques have been unearthed by EnSilo researchers in over 15 different products, including anti-virus (AV) and anti-exploitation solutions, data loss prevention software (DLP) and host-based intrusion-prevention systems (HIPS).


The fact that some of these issues also affect three different hooking engines, including the most popular one (Microsoft Detours), means that thousands of products are likely affected – and not just security ones.

Among the known affected products are (or were – some have already been patched): McAfee’s and Kaspersky’s AV solutions, security software by Symantec and Trend Micro, Bitdefender, AVG, Avast, Webroot, Emsisoft, Vera, Citrix’s XenDesktop, and Microsoft’s hooking engine Detours (scheduled to be patched in August).

EnSilo didn’t share any details about the discovered vulnerabilities – the researchers will present them at Black Hat USA 2016 – but said that most of them could allow an attacker to easily bypass the operating system’s and third-party exploit mitigations, and that the worst ones would allow an attacker to remain undetected on the victim’s machine or to inject code into any process on the system.

What is hooking, and what are the injection techniques the researchers are talking about?

“Hooking is a technique used by software, such as products that do virtualization, sandboxing and performance monitoring, to monitor and/or change the behavior of operating system functions in order to operate effectively,” the researchers explained.

“The use of hooks allows intrusive software to intercept and monitor sensitive API calls. In particular, security products use hooking to detect malicious activity. For example, most Anti-Exploitation solutions monitor memory allocation functions, such as VirtualAlloc and VirtualProtect, in an attempt to detect vulnerability exploitation.”

Hooking is also used by malware (e.g. Duqu, TDL, ZeroAccess). Different injection techniques are used to get the hooking engine – usually in the form of a DLL – into the target process’s address space, as explained in detail in a document the researchers sent to us.
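To make the mechanism concrete, here is a minimal inline hook of the kind a hooking engine installs, written for Linux x86-64 so it can be built and run anywhere. This is an added example, not code from EnSilo, Microsoft Detours or any of the products named above. The hooked function (target_protect) is a constructed stand-in for an API such as VirtualProtect, the detour (detour_protect) implements a hypothetical “refuse write+execute” policy, and the trampoline is built the way engines such as Detours do it: the bytes displaced by the entry jump are copied to a fresh page followed by a jump back into the original. The two security-relevant details are in the comments: the trampoline page is made executable only after it has been written, and the code page is opened for writing only for the duration of the patch and closed again immediately.

```c
/* Added example (not EnSilo's, Detours' or any vendor's code): a minimal inline
 * hook on Linux x86-64. target_protect() stands in for an API such as
 * VirtualProtect; detour_protect() is the monitoring code a security product
 * would install. Build: gcc -O2 -o hook hook.c   (x86-64 Linux only) */
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#if !defined(__x86_64__)
#error "this example encodes x86-64 jump instructions"
#endif
#ifndef MAP_ANONYMOUS
#define MAP_ANONYMOUS 0x20
#endif

/* The hooked function is written in assembly so that its first instructions are
 * known to be position-independent and at least 5 bytes long. A real engine
 * needs a length disassembler to find such a cut point in compiler output. */
__asm__(".text\n"
        ".globl target_protect\n"
        ".type target_protect, @function\n"
        "target_protect:\n"
        "    mov %edi, %eax\n"            /* 2 bytes, relocatable */
        "    and $0xff, %eax\n"           /* 5 bytes, relocatable */
        ".globl target_protect_resume\n"
        "target_protect_resume:\n"        /* trampoline jumps back here */
        "    xor %esi, %eax\n"
        "    ret\n"
        ".size target_protect, .-target_protect\n");
int target_protect(int addr, int new_prot);     /* returns (addr & 0xff) ^ new_prot */
extern const unsigned char target_protect_resume[];

static int (*original_protect)(int, int);       /* trampoline: stolen bytes + jump back */
static int g_intercepted, g_blocked;

/* Detour: hypothetical policy that refuses write+execute protections and
 * forwards everything else to the original through the trampoline. */
__attribute__((noinline)) int detour_protect(int addr, int new_prot)
{
    g_intercepted++;
    if ((new_prot & (PROT_WRITE | PROT_EXEC)) == (PROT_WRITE | PROT_EXEC)) {
        g_blocked++;
        return -1;
    }
    return original_protect(addr, new_prot);
}

int intercepted_calls(void) { return g_intercepted; }
int blocked_calls(void)     { return g_blocked; }

int install_hook(void)
{
    static int installed;
    if (installed) return 0;
    long page = sysconf(_SC_PAGESIZE);
    uintptr_t target = (uintptr_t)target_protect;
    uintptr_t resume = (uintptr_t)target_protect_resume;
    size_t stolen = resume - target;                 /* bytes the jmp displaces */
    if (stolen < 5 || stolen + 14 > (size_t)page) return -1;

    /* 1. Trampoline in a fresh page: the displaced bytes, then "jmp *[rip]" to
     *    an absolute 8-byte address (rel32 cannot reach an arbitrary mmap page).
     *    Written RW, then flipped to RX: a trampoline left RWX hands any
     *    attacker in the process a ready-made writable code page. */
    uint8_t *tr = mmap(NULL, page, PROT_READ | PROT_WRITE,
                       MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (tr == MAP_FAILED) return -1;
    memcpy(tr, (const void *)target, stolen);
    static const uint8_t jmp_rip[6] = { 0xFF, 0x25, 0, 0, 0, 0 };
    memcpy(tr + stolen, jmp_rip, 6);
    memcpy(tr + stolen + 6, &resume, 8);
    if (mprotect(tr, page, PROT_READ | PROT_EXEC) != 0) return -1;
    original_protect = (int (*)(int, int))(uintptr_t)tr;

    /* 2. Patch the target's entry with "jmp rel32" to the detour. The code page
     *    is opened RWX only for this write (this function may share the page
     *    with the target, so it cannot lose PROT_EXEC) and closed right after. */
    int64_t rel = (int64_t)(uintptr_t)detour_protect - (int64_t)(target + 5);
    if (rel > INT32_MAX || rel < INT32_MIN) return -1;
    int32_t rel32 = (int32_t)rel;
    uint8_t patch[5] = { 0xE9 };
    memcpy(patch + 1, &rel32, 4);
    uintptr_t pg = target & ~(uintptr_t)(page - 1);
    size_t len = target + 5 - pg;                    /* covers a page-crossing patch */
    if (mprotect((void *)pg, len, PROT_READ | PROT_WRITE | PROT_EXEC) != 0) return -1;
    memcpy((void *)target, patch, 5);
    if (mprotect((void *)pg, len, PROT_READ | PROT_EXEC) != 0) return -1;
    installed = 1;
    return 0;
}

int main(void)
{
    printf("before hook: %d\n", target_protect(0x12, PROT_READ));
    if (install_hook() != 0) { perror("install_hook"); return 1; }
    printf("allowed: %d, blocked: %d\n",
           target_protect(0x12, PROT_READ),
           target_protect(0x34, PROT_READ | PROT_WRITE | PROT_EXEC));
    printf("intercepted=%d blocked=%d\n", intercepted_calls(), blocked_calls());
    return 0;
}
```

The example deliberately skips what makes production engines hard: finding a safe instruction boundary in arbitrary compiler output, fixing up relative instructions among the stolen bytes, and suspending other threads that may be executing the target while it is patched. It is those details, plus the memory permissions shown in the comments, where hooking engines tend to go wrong.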

“Kernel-to-user injections are not trivial to implement and accordingly, some of the most severe issues that we found were not in the hooking engine itself but rather in the implementation of the kernel-to-user injection,” the researchers noted.

The discovered issues have to be fixed by the affected software’s developers – the only thing users can do is to press their vendors for a patch and install it as soon as it is provided.

The researchers have pointed out the issues to many vendors, and some of them have already fixed them, even though in some cases they had to recompile each product.

Update: Thursday, July 21, 3:40 AM ET.

“Webroot has fully patched this vulnerability. enSilo contacted us about this vulnerability during the last week of December, and our team had it corrected the following week,” Eric Klonowski, Senior Advanced Threat Research Analyst at Webroot, told Help Net Security.

“The vulnerability in question was fixed in our anti-virus engine in a stable update on March 18th, 2016,” Emsisoft’s Arthur Wilkinson also told us. “While the changelog doesn’t specifically say which vulnerability was fixed (we didn’t want to disclose specifics due to the impact of the issue), the update is listed on our changeblog.”
