6th November 2015, 16:50 #1
Bypassing EMET With a Single Instruction!
The Enhanced Mitigation Experience Toolkit
Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited.
EMET achieves this goal by using security mitigation technologies.
These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities.
These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited.
However, they work to make exploitation as difficult as possible to perform.
EMET also provides a configurable SSL/TLS certificate pinning feature that is called Certificate Trust.
This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).
More info: EMET
While much of public vulnerability research focuses on pure 32-bit app exploitation,
the fact is, a significant portion of 32-bit software is now running on 64-bit operating systems.
In this report, we’ll demonstrate a technique to bypass all payload/shellcode execution and ROP-related mitigations provided by EMET,
using the WoW64 compatibility layer provided in 64-bit Windows editions.
To demonstrate how we can bypass EMET by abusing WoW64, we’ll modify an existing use-after-free Adobe Flash exploit.
We’ll also discuss limitations and avenues of exploitation, obfuscation, and anti-emulation imposed by WoW64 on 32-bit applications.
Notable Findings and Recommendations
Based on Duo’s data, we found that 80 percent of browsers were 32-bit processes executing on a 64-bit host system (running under WoW64).
While EMET can complicate exploitation techniques in true 32 and 64-bit apps, the mitigations are less effective under the WoW64 subsystem,
and require major modifications to how EMET works.
The use of a 64-bit ROP chain and secondary stage make it simple to bypass EMET’s mitigations.
We urge more researchers to treat WoW64 as a unique architecture when considering an application’s threat model.
And while not a panacea, 64-bit software does make some aspects of exploitation more difficult, and provides other security benefits.
Additionally, despite finding a bypass, using EMET is still an important part of a defense in depth security strategy.
Full story: Bypassing EMET With a Single Instruction, (PDF, 388kb)
Last edited by hackerman1; 6th November 2015 at 16:54.
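The report's point that most browsers it measured were 32-bit processes running under WoW64 is something a defender can check on their own fleet before deciding how much to trust EMET's coverage. The script below is an added example, not code from the Duo report or from EMET; it inventories which running processes are 32-bit under WoW64 on a 64-bit Windows host using the documented Win32 APIs OpenProcess and IsWow64Process (opened with PROCESS_QUERY_LIMITED_INFORMATION so it works on most processes without administrator rights). The function name Get-Wow64ProcessInventory is my own.

```powershell
# Added example (not from the thread or the Duo report): list processes running
# under the WoW64 subsystem so their threat model can be treated separately,
# as the report recommends. Requires 64-bit Windows and PowerShell 3.0 or later.
Add-Type -Namespace Win32 -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern System.IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool IsWow64Process(System.IntPtr hProcess, out bool wow64Process);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(System.IntPtr hObject);
'@

# Least-privilege access right: enough for IsWow64Process, granted for most
# processes even from a non-elevated prompt (protected processes still refuse).
$PROCESS_QUERY_LIMITED_INFORMATION = 0x1000

function Get-Wow64ProcessInventory {
    # On a 32-bit host IsWow64Process always reports $false, so the inventory
    # would be meaningless; say so instead of returning an empty-looking result.
    if (-not [Environment]::Is64BitOperatingSystem) {
        throw "This host is 32-bit; no process can run under WoW64 here."
    }

    foreach ($p in Get-Process) {
        $h = [Win32.Native]::OpenProcess($PROCESS_QUERY_LIMITED_INFORMATION, $false, $p.Id)
        if ($h -eq [IntPtr]::Zero) {
            # Access denied (e.g. protected or other-session process): report it
            # as unknown rather than silently guessing.
            [PSCustomObject]@{ Name = $p.ProcessName; Id = $p.Id; Wow64 = $null; Path = $null }
            continue
        }
        try {
            $isWow64 = $false
            $ok = [Win32.Native]::IsWow64Process($h, [ref]$isWow64)
            $wow64 = if ($ok) { $isWow64 } else { $null }
            # $p.Path can throw for some system processes; treat that as unknown.
            $path = try { $p.Path } catch { $null }
            [PSCustomObject]@{ Name = $p.ProcessName; Id = $p.Id; Wow64 = $wow64; Path = $path }
        }
        finally {
            [void][Win32.Native]::CloseHandle($h)
        }
    }
}

# Summary of the inventory: how many processes are 32-bit under WoW64, then the list.
$all  = @(Get-Wow64ProcessInventory)
$wow  = @($all | Where-Object { $_.Wow64 -eq $true })
$unk  = @($all | Where-Object { $null -eq $_.Wow64 })
"{0} of {1} processes run under WoW64 ({2} could not be queried)" -f $wow.Count, $all.Count, $unk.Count
$wow | Sort-Object Name | Format-Table Name, Id, Path -AutoSize
```

Run it from a 64-bit PowerShell session; browsers such as a 32-bit Internet Explorer or Flash-hosting process will show up with Wow64 = True, which is exactly the population the report says EMET's ROP and payload mitigations cover less effectively. Processes that could not be queried are reported as unknown rather than dropped, so the counts stay honest when the script is run without elevation.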
8th November 2015, 17:03 #2
Yes - I read about this earlier. Hope they fix it soon!