
Former BlueHat Prize winner pwns Microsoft, researcher bypasses all EMET protections

Security researcher Jared DeMott, who won third place in the 2012 BlueHat Prize, showed how to attack and bypass all of EMET's protections.

At BSides security conference in San Francisco, Bromium Labs' security researcher Jared DeMott showed attack code capable of bypassing "all of the protections" in Microsoft's free Enhanced Mitigation Experience Toolkit (EMET) 4.1.

EMET is widely regarded as a way to stop attackers from exploiting vulnerabilities, including zero-days spotted in the wild, and gaining access to computer systems, but it has been bypassed before, and Microsoft itself has said: "EMET is not a shield that's guaranteed to mitigate all attacks, but a way to ensure that the development of exploits is more difficult and expensive."

Bromium Labs wrote:

We found that EMET was very good at stopping pre-existing memory corruption attacks (a type of hacker exploit). But we wondered: is it possible for a slightly more technical attacker to bypass the protections offered in EMET? And yes, we found ways to bypass all of the protections in EMET.

According to Bypassing EMET 4.1 [pdf], "Each EMET rule is a check for a certain behavior. If alternate behaviors can achieve the attacker objectives, bypasses are possible." Not only does the whitepaper give the technical details, it also includes an especially amusing message displayed by the bypass payload.

Back in 2012, DeMott was awarded third place in the BlueHat prize. Microsoft originally planned to give DeMott an MSDN subscription valued at $10,000, but after the crowd loudly booed that prize, Microsoft added $10,000 to the MSDN subscription.

Jared DeMott receiving 3rd place BlueHat Prize

Although DeMott doesn't suggest anything like "Microsoft killed my Pappy," the whitepaper does mention that the return oriented programming (ROP) protections from the BlueHat $50,000 second prize winner, which "made it into EMET, do not stop ROP at all. The notion of checking at critical points is akin to treating the symptoms of a cold, rather than curing the cold. Perhaps one of the other prize submissions would have better addressed the problem of code reuse."

Both that little dig and the pwnage message seemed amusing to me.

Bromium Labs wrote:

The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code offer little lasting protection. This is true of EMET and other similar userland protections. That's because a defense that is running in the same space as potentially malicious code can typically be bypassed, since there's no "higher" ground advantage as there would be from a kernel or hypervisor protection. We hope this study helps the broader community understand the facts when making a decision about which protections to use.

The researchers made four recommendations. First, EMET should hook NtProtectVirtualMemory by default, so that memory permissions cannot be changed through the lower-level ntdll call instead of the hooked Win32 API; EMET 4.1 offers this as the optional "Deep Hooks" setting, which is turned off by default. Second, "create a new EAF protection scheme (even though that still wouldn't stop shellcode that doesn't use EA resolution)." Third, check more than one CALL deep when deciding whether a critical function was RETed into rather than called, since a check of only the immediate return address is satisfied as soon as a ROP chain returns into an existing call instruction. Fourth, extend the ROP mitigations, which in EMET 4.1 cover only 32-bit processes, to 64-bit code. DeMott added, "But even with those fixes, many of the weaknesses are generic in nature and unlikely to be sufficiently addressed by userland protection technologies like EMET."
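To make the third recommendation concrete, here is an added illustration written for this page; it is not EMET's or Bromium's code. It models a Caller-style ROP check that inspects the return address found on the stack when a critical API is entered and asks whether the instruction just before it is a CALL, then compares a depth-1 check (what the article describes EMET 4.1 doing) with a deeper walk up the frames. The x86 code image, its offsets, and the three stacks are constructed for the example; only the three most common CALL encodings are decoded.

```c
/* Model of a Caller-style ROP check at depth 1 versus depth N.
 * Added example for this article, not EMET or Bromium code. The code
 * image and the stacks below are constructed; offsets are "addresses". */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed 32-bit x86 code image. */
static const uint8_t code[] = {
    /* 0x00: legitimate call site: call rel32 -> return address 0x05 */
    0xE8, 0x00, 0x00, 0x00, 0x00,
    /* 0x05: mov eax, ecx */
    0x89, 0xC8,
    /* 0x07: library trampoline: call [imp_VirtualProtect] -> return address 0x0D */
    0xFF, 0x15, 0x00, 0x00, 0x00, 0x00,
    /* 0x0D: ret */
    0xC3,
    /* 0x0E: ROP gadget: pop eax; ret  (only ever entered via RET) */
    0x58, 0xC3,
    /* 0x10: ROP gadget: pop ebp; ret */
    0x5D, 0xC3,
};

/* Length of a CALL instruction ending immediately before ret_addr, or 0 if
 * none of the recognised encodings ends there. A real decoder must handle
 * more forms (and can be fooled by immediates that happen to look like a
 * CALL), which is one reason the check is a heuristic, not a proof. */
static size_t call_len_before(uint32_t ret_addr)
{
    if (ret_addr > sizeof code)
        return 0;
    if (ret_addr >= 5 && code[ret_addr - 5] == 0xE8)            /* call rel32 */
        return 5;
    if (ret_addr >= 6 && code[ret_addr - 6] == 0xFF &&
        code[ret_addr - 5] == 0x15)                              /* call [disp32] */
        return 6;
    if (ret_addr >= 2 && code[ret_addr - 2] == 0xFF &&
        (code[ret_addr - 1] & 0xF8) == 0xD0)                     /* call reg */
        return 2;
    return 0;
}

/* frames[0] is the return address on the stack when the critical API is
 * entered, frames[1] the return address of the frame above it, and so on.
 * depth 1 inspects only frames[0]; a deeper walk inspects more frames.
 * Returns 1 if every inspected frame was reached through a CALL. */
static int caller_check(const uint32_t *frames, size_t nframes, size_t depth)
{
    if (depth > nframes)
        depth = nframes;
    for (size_t i = 0; i < depth; i++)
        if (call_len_before(frames[i]) == 0)
            return 0;
    return 1;
}

/* Constructed stacks: { return address at API entry, next frame up }. */
static const uint32_t legit_stack[]      = { 0x0D, 0x05 }; /* call site -> trampoline -> API */
static const uint32_t direct_rop_stack[] = { 0x0E, 0x10 }; /* chain RETs straight into the API */
static const uint32_t trampoline_stack[] = { 0x0D, 0x0E }; /* chain RETs into the call [imp] */

int main(void)
{
    struct { const char *name; const uint32_t *frames; } cases[] = {
        { "legitimate call chain",         legit_stack },
        { "ROP: RET directly into API",    direct_rop_stack },
        { "ROP: RET into call trampoline", trampoline_stack },
    };
    for (size_t i = 0; i < 3; i++)
        printf("%-32s depth 1: %s   depth 2: %s\n", cases[i].name,
               caller_check(cases[i].frames, 2, 1) ? "pass" : "BLOCK",
               caller_check(cases[i].frames, 2, 2) ? "pass" : "BLOCK");
    return 0;
}
```

The trampoline case is the bypass the recommendation targets: the chain returns into an existing `call [imp_VirtualProtect]`, so the API sees a return address preceded by a genuine CALL and a depth-1 check passes, while the frame above it still holds the next gadget and fails a depth-2 walk. As the whitepaper notes, this raises the bar rather than closing the door; an attacker who controls the stack can arrange plausible return addresses for as many frames as the check inspects.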

EMET 4.1, which was released in Nov. 2013, supposedly has a setting that is capable of preventing Bromium Labs' bypasses, according to Jonathan Ness, principal security development manager for Microsoft Trustworthy Computing. "Microsoft collaborated with Bromium on their latest research to ensure continued protection for our customers. The Enhanced Mitigation Experience Toolkit (EMET) 4.1 contains a setting to address this issue and help customers with their ongoing defense-in-depth strategies."

Microsoft "quietly" just paid its second $100,000 bounty to security researcher Yu Yang on Valentine's Day, but it doesn't sound like DeMott will be awarded such a bounty. Instead, Microsoft is supposed to credit Bromium Labs' research when EMET 5.0 is released. When that might happen, however, is anyone's guess.

DeMott did add a personal note to Bypassing EMET 4.1 [pdf]. "Though EMET is far from perfect, I personally see Microsoft making more of an effort toward security compared to other large vendors; for that I applaud them."


Follow me on Twitter @PrivacyFanatic
