EMET (Enhanced Mitigation Experience Toolkit) is an application which can be used to further harden a Windows system by adding additional security protections to running processes. These protections include several ROP (Return-Oriented-Programming) checks, shellcode detection mechansims, heap-spray mitigations and many more.
The talk covers techniques to bypass EMET 5.1 (the current version) and shows the audience how hard/easy it is for an attacker to accomplish this.
The Enhanced Mitigation Experience Toolkit (EMET) is an application developed by Microsoft which adds an additional layer of security to applications to prevent attackers exploiting vulnerabilities in them.
It can be used to globally enable system mitigation techniques such as Address Space Layout Randomization (ASLR), Data Execution Prevention (DEP) or Structured Exception Handler Overwrite Protection (SEHOP). In addition special per-process protections can be added such as various Return-Oriented-Programming (ROP) protections (LoadLibrary, MemProt, Caller, SimExecFlow, StackPivot), Export Address Table Access Filtering (EAF and EAF+) to prevent execution of shellcode, pre-allocations to defeat heap spraying and kernel exploitation, additional randomization (bottom-up randomization and mandatory ASLR) and advanced mitigations (deep hooks, anti detours and banned functions) to prevent different types of attacks.
If an application supports DEP together with full ASLR the difficulty to write a reliable exploit increases dramatically. The typical approach to defeat DEP is to use ROP to disable it. ROP builds on the idea to return (or jump) to small so-called gadgets (which are equal to already existing code from the code-section which end with a return or jump instruction) to chain these gadgets together to build new logic (like logic to disable DEP). If ASLR is supported by all modules of the application this approach can't be applied because the address of such gadgets is randomized by ASLR and thus unknown by the attacker. In such a case the vulnerability must be turned into an information disclosure vulnerability to first disclose an address to defeat ASLR. Techniques to accomplish this (e.g. partial overwrites, overwriting the length field of strings, ...) have already been discussed in the past and thus will not be focus of this talk.
Instead further techniques will be discussed which can be used to bypass the additional per-process protections of EMET. To apply these techniques a vulnerability which allows code execution as well as leaking information (to bypass ASLR) is required. These requirements are satisfied per default because otherwise writing an exploit for a not-EMET protected application would be impossible.
The aim of this talk is to demonstrate new and more reliable exploitation techniques as well as discussing in which situations already existing techniques can be applied in a reliable way.
An important approach of exploit developers is to write bypasses in a way that they can easily be ported to other exploits. For example, if a technique requires jumping to already existing code a dumb approach would be to build it application specific. Instead the technique can be built on top of the EMET library which gets injected into all protected applications and thus is a good target to minimize work load because the code for the bypass must only be written one time. To apply such techniques various methods to identify the presence, retrieving the imagebase as well as the version of EMET will be shown.
EMET also supports none memory corruption related protection techniques (like Attack Surface Reduction ASR and certificate pinning), however these will not be discussed during the talk because the focus of the talk is on memory corruption exploitation (e.g. buffer overflows, use-after-free bugs, type confusion attacks and so on).
All techniques are implemented and demonstrated in a real-world Firefox exploit. Even if the vulnerability is older (we at SEC Consult don't want to publish reliable working exploit code for applications which are still in-use these days) it is a very interesting vulnerability to study and together with a highly configurable exploit it's easy to see the different techniques in action. The exploit works reliable against any Windows operating system (Windows XP, Windows Vista, Windows 7, Windows 8, Server 2003, Server 2008, Server 2012, ...), on 32-bit as well as on 64-bit architectures and is able to bypass EMET in all versions (EMET 4.1, 5.0 and 5.1) with all protections enabled.
Microsoft as well as other vendors typically suggest as a workaround for new memory corruption vulnerabilities to install EMET to protect the application. The aim of the presentation is to show the audience that attackers can still exploit such protected applications by using one of the many existing techniques.
We at SEC Consult do not believe in putting additional security layers like EMET, DEP, ASLR, application firewalls and so on on top of applications. Rather we demand from software developers and especially from the software industry itself to focus on secure software development instead of forcing their customers to create a chain of security layers to protect their software product.
Protections such as EMET, DEP and ASLR are useful to add an additional hurdle for attackers but are not unbreakable.