A security researcher has discovered a pair of methods that enable him to bypass the protections offered by Microsoft’s EMET anti-exploit technology. The Enhanced Mitigation Experience Toolkit, which Microsoft updated late last month to include one of the three technologies that were finalists in the company’s BlueHat Prize competition, is designed to prevent certain kinds of exploits from reaching software vulnerabilities. The researcher has now published two techniques that bypass those protections.
EMET protects existing software applications by enabling them to take advantage of exploit mitigations such as DEP (data execution prevention) even though the applications weren’t compiled with the protections enabled. It can be deployed across an enterprise and administrators can opt in specific applications to EMET’s protections.
Last month, just before the Black Hat conference, Microsoft added several new mitigations to EMET that are meant to protect against so-called return-oriented programming (ROP) attacks. One of the new mitigations was the execution flow simulation mitigation, which Microsoft officials said can help protect against some kinds of existing ROP attacks.
“This mitigation tries to detect ROP gadgets following a call to a critical function. It works by emulating a specified number of instructions at the return address of the caller of a critical function. The number of instructions to emulate can be configured manually by editing the desired application’s registry key and creating the “SimExecFlowCount” DWORD value,” Elias Bachaalany of the Microsoft Security Response Center engineering team wrote in an analysis of the mitigation.
A researcher in Iran has posted two exploits he developed that can bypass the protections in the newest version of EMET. The researcher, Shahriyar Jalayeri, said that he used an exploit for CVE-2011-1260, a flaw in Internet Explorer, in order to demonstrate the bypass.
“EMET’s ROP mitigation works around hooking certain APIs (like VirtualProtect) with Shim Engine and monitors their initialization. I have used SHARED_USER_DATA, which is mapped at fixed address “0x7FFE0000”, to find the KiFastSystemCall address (SystemCallStub at “0x7FFE0300”), so I could call any syscall by now! By calling ZwProtectVirtualMemory’s SYSCALL “0x0D7”, I made the shellcode’s memory address RWX. After this step I could execute any instruction I wanted. But to execute the actual shellcode (with hooked APIs like “WinExec”) I patched EMET to be deactivated completely. BOOM!” Jalayeri wrote in a blog post on his technique.
After developing his method for deactivating EMET, Jalayeri later wrote an exploit that completely bypasses EMET 3.5.
“It seems MS was aware of this kind of bypass, so I bypassed EMET ROP mitigations using another of EMET’s implementation mistakes. The EMET team forgot about KernelBase.dll and left all its functions unprotected, so I used @antic0de’s method for finding the base address of kernelbase.dll at run-time, then I used VirtualProtect inside kernelbase.dll, not ntdll.dll or kernel32.dll,” he wrote.
As part of its BlueHat Prize contest, Microsoft awarded $260,000 in prizes to the three finalists, including $200,000 to the winner, Vasillis Pappas. All three of the finalists’ submissions were designed to mitigate ROP techniques, and Microsoft will be using Pappas’s submission, kBouncer, in some way in the future.