Researchers Develop Complete Microsoft EMET Bypass

Researchers at Bromium Labs are expected to deliver a paper today that explains how they were able to bypass all of the memory protection mitigations in Microsoft’s Enhanced Mitigation Experience Toolkit.

SAN FRANCISCO — Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft’s Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is scheduled to deliver a presentation this morning at the Security BSides conference explaining how the company’s researchers were able to bypass all of the memory protections offered within the free Windows toolkit.

The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer.

EMET is not meant to be a permanent fix; instead, it is supposed to terminate or block actions by malware or exploits targeting previously unreported vulnerabilities until a patch is available.

Microsoft is expected to release the latest version of EMET this week during the RSA Conference; Rahul Kashyap, chief security architect at Bromium, said the company has been working closely with Microsoft and expects the vulnerability to be addressed in the new EMET release.

EMET comes with a dozen different mitigations starting with Data Execution Prevention and Address Space Layout Randomization, two key memory protections in Windows, as well as a handful of mitigations against return-oriented programming (ROP), heap spray and SEHOP mitigations, and more.

Kashyap said Bromium’s technique bypasses all of EMET’s mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool.

“We analyzed all of the protections, and took an IE exploit and then we kept on tweaking the exploit payload until we were able to bypass all the mitigations available in EMET,” Kashyap said. “Everything is bypassed in its latest version.”

Kashyap said EMET has raised the bar significantly for exploit writers trying to beat Windows’ protections. Malware writers, such as those behind Operation SnowMan targeting the latest IE zero-day, have taken to adding modules that scan computers for EMET libraries and will not execute if EMET is installed.

“EMET, like any other tool, needs to know exploitation vectors to be able to block them. We tried to attack that very core, fundamental architectural drawback that most tools today have, which is you need to detect an exploit in order to protect,” Kashyap said. “In this case, we studied the mitigations available in EMET and then we tweaked a payload to create a new vector variant which could bypass the existing mitigations.”

In a paper released today, DeMott explained that the researchers intended initially to target just the five ROP protections in EMET with a real-world browser exploit. The project grew to include all relevant protections including stack pivot protection, shellcode complete with an EAF bypass and more, DeMott wrote.

“The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code, offer little lasting protection,” DeMott wrote. “This is true of EMET and other similar userland protections.”

Bromium said its research focused on 32-bit Windows 7 systems running EMET 4.0 and 4.1 (ROP protection is not implemented for 64-bit processes, the paper said). ROP is an exploitation technique that evolved from ret2libc, which enables an attacker to inject and execute code by re-using code that already exists. The ROP technique changes executable permissions in memory space, DeMott explained in the paper, in order to execute the attacker’s code located elsewhere. An attacker must chain together a series of processes in order for ROP to succeed.

EMET has been bypassed numerous times before. Researcher Aaron Portnoy, cofounder of Exodus Intelligence, presented a paper during last year’s SummerCon that explained a number of EMET bypasses. Two years ago, a researcher in Iran named Shahriyar Jalayeri reported two bypasses of EMET’s five ROP protections.

You can expect researchers to continue to try to poke holes in EMET. The upcoming Pwn2Own contest at the CanSecWest Conference is offering a $150,000 grand prize to anyone able to bypass EMET running on Windows 8.1 and Internet Explorer 11.
