Tuesday, November 18, 2014

Bypassing Microsoft EMET 5.1 - yet again

The experts of the SEC Consult Vulnerability Lab managed to adapt the EMET 5.0 bypasses to also work against the latest Microsoft EMET 5.1 and already presented the first analysis results at ZeroNights 2014 in Russia.

A first and quick analysis showed that the new release of EMET 5.1 only adds code to prevent a specific bypass method to disable all ROP protections. Because the exploit was developed by SEC Consult to be very flexible and configurable it's possible to change the exploit configuration to use other developed bypass methods or to bypass all protections separately. To ensure a maximum of reliability the default configuration is set to bypass all protections separately and therefore no changes were required to bypass the current EMET 5.1 protections.

In addition, EMET 5.1 introduced a technique which should break our method to identify the base address of EMET.dll. Our method works by following the hooking code of critical functions from EMET until a pointer to the .text section of EMET.dll is found. Then a scan-down approach is used where the page size is subtracted from the pointer until the PE header is found.

To fix this technique Microsoft forces a hole between the PE header and the .text section of EMET.dll. As soon as the scan-down code tries to access this hole a segmentation fault occurs because of accessing unmapped memory.

Bypassing this technique is quite easy, instead of searching for the PE header the start of the .text section can be retrieved. After that the page size must be subtracted twice (the hole has a fixed size of one page as well as the memory associated with the PE header) to reach the imagebase. It was possible to analyse this new protection and modify the code within just 40 minutes by adding 10 additional lines of code.

Further details will be presented at DeepSec 2014 in Vienna, Austria, on 20th November and at 31C3 in Hamburg, Germany, end of December!