Monday, June 22, 2015

Bypassing Microsoft EMET 5.2 - a neverending story?

The experts of the SEC Consult Vulnerability Lab adapted the EMET 5.0 / 5.1 bypasses so that they also work against the latest Microsoft EMET version, 5.2. The results of this research were presented earlier this year at NorthSec 2015 in Montreal.

Since EMET 5.2 does not address any of the bypass techniques identified by the SEC Consult experts, porting the bypasses to the new version was trivial.

With EMET 5.1, Microsoft tried to break the "scan-down" approach (used to retrieve the image base of EMET.dll) by forcing a gap between the PE header and the code section. To circumvent this, the newer bypass techniques search for the start of the code section instead of the PE header, using a hardcoded byte sequence taken from the start of the EMET 5.1 code section. Because the start of the code section changed in EMET 5.2, this pattern had to be updated to make the exploit work again. This was the only modification required to adapt the bypasses from EMET 5.1 to EMET 5.2.

Hardcoding byte patterns from the code section is not a recommended approach, because the exploit has to be modified as soon as a new EMET version is released. SEC Consult therefore later developed a more reliable technique that identifies the start of the code section without relying on hardcoded patterns.