Exploits bypassing Microsoft’s Enhanced Mitigation Experience Toolkit, or EMET, are quickly becoming a parlor game for security researchers. With increasing frequency, white hats are poking holes in EMET, and to its credit, Microsoft has been quick to not only address those issues but challenge and reward researchers who successfully submit bypasses to its bounty program.
The tide may be turning, however, if the latest Internet Explorer zero day is any indication. An exploit used as part of the Operation SnowMan espionage campaign against U.S. military targets contained a feature that checked whether an EMET library was running on the compromised host, and if so, the attack would not execute.
That’s not the same as an in-the-wild exploit for EMET, but that may not be too far down the road, especially when you take into consideration two important factors: Microsoft continues to market EMET as an effective and temporary zero-day mitigation until a patch is released; and the impending end-of-life of Windows XP on April 8 could spark a surge in EMET installations as a stopgap.
In the meantime, the EMET bypasses keep on coming. The latest targeted a couple of mitigations in the EMET 5.0 Technical Preview released last week during RSA Conference 2014. Researchers at Exodus Intelligence refused to share much in the way of details on the exploit, preferring to offer it to its customers before making it available for public consumption. A tweet from cofounder and vice president of operations Peter Vreugdenhil said: “EMET 5 bypassed with 20 ROP gadgets. ntdll only, esp points to heap containing fake stack, no other regs required. Adding to our feed soon.”
Vreugdenhil is a fan of EMET, and is in the camp that believes hackers will be adding EMET bypasses to exploits within a year or two, despite the EMET module in Operation SnowMan, which he believes was added in order to keep the campaign from being detected as long as possible.
“I think most of the reason is that the return on investment for the bad guys is really not that high at this point,” Vreugdenhil said. “That also means that by the time everybody actually uses [EMET] and the more ground it gains, the more likely it becomes that return on investment for the bad guys will be high enough for them to add it to their exploits.”
EMET provides users with a dozen mitigations against memory-based exploits, including ASLR, DEP, Export Address Table Filtering, Heapspray Allocation, and five return-oriented programming mitigations. ROP chains are the most effective bypass technique is use today, one that Vreugdenhil has used on a couple of occasions against EMET.
Writing exploits targeting EMET, he said, is a little more involved than targeting a vulnerability in third-party software such as Flash or Java. Vreugdenhil said he generally starts with a publicly available exploit such as the latest IE 10 zero day and observes the crash the bug causes in order to understand how it corrupts memory and hopefully discloses memory that can be used to build an ROP chain. Microsoft’s addition of Data Execution Prevention and ASLR in Windows Vista and Windows 7 prevents attackers from executing code in a particular memory location because those memory modules are now randomized.
“Back in Windows XP when there was no ASLR and no randomization of the modules, it was relatively easy. You would just pick a module and then reuse the code inside that module to still get code execution,” Vreugdenhil said. “Windows 7 came out and put the bar higher by shuffling the modules around, so theoretically, you didn’t know where your modules were in the process. It theoretically should be impossible to point at an address and say ‘Hey would you execute code at that address because I know there’s something going to be there.’”
If an attacker can force a process to leak memory from inside back to an exploit, the attacker will be able to reuse that information and bypass ASLR and DEP because he will know where the memory module is located, Vreugdenhil said. From there, an attacker needs to figure out additional memory protections in place, and address those to control the underlying system.
“In the case of EMET, there’s a long list of protection mechanisms it adds, there’s only two or three that could be a hindrance if you’re writing a client-side IE exploit. And so it’s usually just a matter of figuring out what they are and coming up with ways to sidestep them,” Vreugdenhil said. “If we can do it, we assume there’s many more people who can do it, and it’s also going to be used by the bad guys anywhere between now and a year or two years.”