There are potentially two ways for an attacker to bypass the protections offered by Microsoft’s EMET anti-exploit technology.
EMET (Enhanced Mitigation Experience Toolkit), which Microsoft updated late last month to include one of the three technologies that were finalists in the company’s BlueHat Prize competition, prevents certain kinds of exploits from hitting software vulnerabilities.
A researcher, however, developed two techniques that can bypass the protections.
EMET protects existing software applications by enabling them to take advantage of exploit mitigations such as DEP (data execution prevention) even though the applications were not compiled with those protections enabled. It can be deployed across an enterprise, and administrators can opt specific applications in to EMET’s protections.
Last month, just before the Black Hat conference, Microsoft added several new mitigations to EMET meant to protect against return-oriented programming (ROP) attacks. One of the new mitigations was the execution flow simulation mitigation, which Microsoft officials said can help protect against some kinds of existing ROP attacks.
“This mitigation tries to detect ROP gadgets following a call to a critical function. It works by emulating a specified number of instructions at the return address of the caller of a critical function. The number of instructions to emulate can be configured manually by editing the desired application’s registry key and creating the ‘SimExecFlowCount’ DWORD value,” said Elias Bachaalany of the Microsoft Security Response Center engineering team.
A researcher in Iran posted two exploits he developed that can bypass the protections in the newest version of EMET. The researcher, Shahriyar Jalayeri, said he used an exploit for CVE-2011-1260, a flaw in Internet Explorer, in order to demonstrate the bypass.
“EMET’s ROP mitigation works around hooking certain APIs (like VirtualProtect) with Shim Engine and monitors their initialization. I have used SHARED_USER_DATA, which is mapped at fixed address ‘0x7FFE0000’, to find the KiFastSystemCall address (SystemCallStub at ‘0x7FFE0300’), so I could call any syscall by now! By calling ZwProtectVirtualMemory’s SYSCALL ‘0x0D7,’ I made the shellcode’s memory address RWX. After this step I could execute any instruction I wanted. But to execute the actual shellcode (with hooked APIs like ‘WinExec’) I patched EMET to be deactivated completely,” Jalayeri said.
After developing his method for deactivating EMET, Jalayeri later wrote an exploit that completely bypasses EMET 3.5.
“It seems MS was aware of this kind of bypass, so I bypassed EMET’s ROP mitigations using another EMET implementation mistake. The EMET team forgot about KernelBase.dll and left all its functions unprotected. So I used @antic0de’s method for finding the base address of kernelbase.dll at run-time, then I used VirtualProtect inside kernelbase.dll, not ntdll.dll or kernel32.dll,” he said.