#1 hackerman1 (Moderator)
    Join Date: Dec 2008
    Location: Sweden
    Posts: 1,525

    Bypassing EMET With a Single Instruction!

    Background information

    The Enhanced Mitigation Experience Toolkit

    Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a utility that helps prevent vulnerabilities in software from being successfully exploited.
    EMET achieves this goal by using security mitigation technologies.
    These technologies function as special protections and obstacles that an exploit author must defeat to exploit software vulnerabilities.
    These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited.
    However, they work to make exploitation as difficult as possible to perform.
    EMET also provides a configurable SSL/TLS certificate pinning feature that is called Certificate Trust.
    This feature is intended to detect (and stop, with EMET 5.0) man-in-the-middle attacks that are leveraging the public key infrastructure (PKI).

    More info: EMET


    Bypassing EMET

    Summary

    While much of public vulnerability research focuses on pure 32-bit app exploitation,
    the fact is, a significant portion of 32-bit software is now running on 64-bit operating systems.
    In this report, we’ll demonstrate a technique to bypass all payload/shellcode execution and ROP-related mitigations provided by EMET,
    using the WoW64 compatibility layer provided in 64-bit Windows editions.
    To demonstrate how we can bypass EMET by abusing WoW64, we’ll modify an existing use-after-free Adobe Flash exploit.
    We'll also discuss limitations and avenues of exploitation, obfuscation, and anti-emulation imposed by WoW64 on 32-bit applications.

    Notable Findings and Recommendations

    Based on Duo’s data, we found that 80 percent of browsers were 32-bit processes executing on a 64-bit host system (running under WoW64).
    While EMET can complicate exploitation techniques in true 32- and 64-bit apps, the mitigations are less effective under the WoW64 subsystem,
    and require major modifications to how EMET works.
    The use of a 64-bit ROP chain and secondary stage make it simple to bypass EMET’s mitigations.
    We urge more researchers to treat WoW64 as a unique architecture when considering an application’s threat model.
    And while not a panacea, 64-bit software does make some aspects of exploitation more difficult, and provides other security benefits.
    Additionally, despite finding a bypass, using EMET is still an important part of a defense in depth security strategy.

    Full story: Bypassing EMET With a Single Instruction, (PDF, 388kb)
    Last edited by hackerman1; 6th November 2015 at 16:54.
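The report's headline finding is that most browsers run as 32-bit images under WoW64, which is exactly the case where it found EMET's mitigations weakest. The first thing a defender wants is an inventory of which processes on a host are actually in that configuration. The script below is an added example (not code from the Duo paper or from the post); it calls the Win32 `IsWow64Process` API through P/Invoke. The function name `Get-Wow64Process`, the `Win32.Wow64Check` type name and the browser name list are assumptions for the example, and it assumes PowerShell 5.1 or later on 64-bit Windows with rights to open the target processes.

```powershell
# Added example: inventory which running processes are 32-bit images executing
# under WoW64 on a 64-bit Windows host. Uses the documented kernel32
# IsWow64Process API; protected or system processes we cannot open are
# reported as "access denied" rather than silently skipped.
Add-Type -Namespace Win32 -Name Wow64Check -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
[return: MarshalAs(UnmanagedType.Bool)]
public static extern bool IsWow64Process(IntPtr hProcess, [MarshalAs(UnmanagedType.Bool)] out bool wow64Process);
'@

function Get-Wow64Process {
    [CmdletBinding()]
    param(
        # Optional process-name filter, e.g. 'chrome','firefox','iexplore'
        [string[]]$Name
    )

    $procs = if ($Name) { Get-Process -Name $Name -ErrorAction SilentlyContinue } else { Get-Process }

    foreach ($p in $procs) {
        $isWow64 = $false
        $status  = 'ok'
        try {
            # .Handle opens the process for query; it throws when access is denied
            $ok = [Win32.Wow64Check]::IsWow64Process($p.Handle, [ref]$isWow64)
            if (-not $ok) { $status = 'IsWow64Process failed' }
        } catch {
            $status = 'access denied'
        }

        [pscustomobject]@{
            Pid    = $p.Id
            Name   = $p.ProcessName
            Wow64  = $isWow64
            Status = $status
        }
    }
}

# Usage: list every WoW64 process, then summarise how many browser processes
# are 32-bit on this 64-bit host (browser name list is an assumption).
$all = Get-Wow64Process
$all | Where-Object Wow64 | Sort-Object Name | Format-Table -AutoSize

$browserNames = 'chrome', 'firefox', 'iexplore', 'msedge'
$browsers     = @($all | Where-Object { $_.Name -in $browserNames })
$wow64Count   = @($browsers | Where-Object Wow64).Count
"{0} of {1} browser processes are running under WoW64" -f $wow64Count, $browsers.Count
```

Run it from an elevated 64-bit PowerShell so that as few processes as possible come back as "access denied". A 32-bit PowerShell host will itself appear in the WoW64 list, which is a useful sanity check that the P/Invoke call is working. Where the output shows browsers and plugin hosts running as WoW64, the report's recommendation applies: prefer the native 64-bit build of the application rather than relying on EMET alone.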

#2 HappyAndyK (Site Administrator)
    Join Date: Jun 2008
    Posts: 7,289

    Yes - I read about this earlier. Hope they fix it soon!
