Complete Microsoft EMET Bypass Developed

← Back to Stories (view on slashdot.org)

Complete Microsoft EMET Bypass Developed

Posted by Unknown on Monday February 24, 2014 @03:04PM from the just-a-teeny-tiny-bug dept.

msm1267 writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is delivered a presentation at the Security BSides conference explaining how the company's researchers were able to bypass all of the memory protections offered within the free Windows toolkit. The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer. The exploit bypasses all of EMET's mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations."

50 of 116 comments (clear)

Min score:

Reason:

Sort:

Is anyone surprised? by Anonymous Coward · 2014-02-24 15:07 · Score: 5, Interesting

EMET is just a bunch of industry-standard mitigations (e.g. the kind of thing you get on Linux with grsecurity) - and several of them poorly implemented at that. They're mitigations - they make exploits harder, not impossible.
If you rely on EMET for security, you're doing it wrong. Stuff like EMET is just a speed bump. It's good to have, it should be enabled by default, and we should stop treating it like some magic "security on" switch.
1. Re:Is anyone surprised? by TapeCutter · 2014-02-24 15:53 · Score: 2
  
  Yep, just one more step in a never ending arms race.
  
  --
  And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
2. Re:Is anyone surprised? by Anonymous Coward · 2014-02-24 15:56 · Score: 1
  
  The same could be said for Linux (grsecurity being a patcheset against vanilla Linux). OpenBSD enables these measures by default, which shook out tons of bugs in ports/ software. They're just good measures, period, but obviously not a panacea.
3. Re:Is anyone surprised? by cheater512 · 2014-02-24 16:15 · Score: 5, Insightful
  
  I disagree. It is like changing the SSH port.
  It gives the *illusion* of security, which makes people slack.
  E.g. My SSH password is 123456 but don't worry its ok! I changed the SSH port to 1234 so I'm safe.
  I avoid smoke and mirrors security as much as possible.
4. Re:Is anyone surprised? by Anonymous Coward · 2014-02-24 16:22 · Score: 1
  
  So it is just like using HOSTS files yet another illusion of security promoted by idiots.
5. Re:Is anyone surprised? by Tanktalus · 2014-02-24 16:23 · Score: 5, Insightful
  
  So, you don't use a club on your steering wheel, you don't bother hiding valuables in your trunk, leaving them in plain view, and, really, since a professional can get in the car anyway, just leave the doors unlocked. It's all smoke and mirrors anyway.
  If a malicious attacker/user is portscanning your system and finds that port 22 is open, they're going to assume an ssh attack. If they find port 1234, they may move on to another target that has port 22 open instead. Of course, if they're really after you, and not just throwing a wide net, then such shenanigans aren't going to stop them, though it might slow them down for a little while while they try to figure out what's listening on which non-standard port.
  If a script kiddie is doing the same, most likely port 1234 would be enough to fool them, and they'd never get in.
  Seems like smoke and mirrors are a useful tool in a secure system's administration, but should never be the sole tool.
6. Re:Is anyone surprised? by ichthus · 2014-02-24 16:31 · Score: 2
  
  Exactly. It's like burying the spare key in your garden, as opposed to putting it under the door mat. It's security through obscurity, but it IS effective.
  
  --
  sig: sauer
7. Re:Is anyone surprised? by Anonymous Coward · 2014-02-24 17:02 · Score: 1
  
  Changing the SSH port is effective in reducing the number of entries in your log files. It's not effective in increasing your security. I do find the log file thing a great enough benefit to go ahead and do this.
8. Re:Is anyone surprised? by Anonymous Coward · 2014-02-24 17:06 · Score: 4, Informative
  
  I disagree. It is like changing the SSH port.
  It gives the *illusion* of security, which makes people slack. E.g. My SSH password is 123456 but don't worry its ok! I changed the SSH port to 1234 so I'm safe.
  I avoid smoke and mirrors security as much as possible.
  more fool you. smoke and mirrors despite its negative security connotations is actually an invaluable security mechanism that is denigrated by those that don't know better. Something as simple as a port change while providing no real security improvement does immediately negate a whole heap of script kiddies and automated tools that instantly pop up when a new exploit is discovered, yes it offers nothing against a targeted attack, but most attacks are NOT specifically targeted, they hunt for easy victims on known common configurations. Every tool that reduces even the most basic of attacks SHOULD be something you value in your arsenal.
9. Re:Is anyone surprised? by cheater512 · 2014-02-24 17:40 · Score: 3, Informative
  
  Erm you do know that SSH broadcasts it's presence as soon as you connect right?
  Try "telnet server.com 22" and you'll see how nice and obvious it is that you've found a SSH server.
  You'll get a nice banner like "SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1"
  The moment the port scan finds it, they know it is SSH.
10. Re:Is anyone surprised? by cheater512 · 2014-02-24 17:43 · Score: 1
  
  If you expose easily exploited stuff, you deserve to get owned.
  They try stuff like username 'admin' password '123456'. If that is a issue for your server you are an idiot.
  If you say use SSH keys then you don't have to give the script kiddies and automated attacks a second thought - they will *never* get in.
11. Re:Is anyone surprised? by Anonymous Coward · 2014-02-24 17:59 · Score: 1
  
  The point is someone has to do a full port scan. check most of the worms and exploit kits out there, they don't both with a port scan as they know exactly what port 99.99% of web servers run on and what 99% of SSH and RDP servers run on. The most likely victims are ones that use default configs and default configs also mean default ports, why spend precious cycles port scanning when there are 10,000 other soft targets you could have scanned in that time.
12. Re:Is anyone surprised? by noh8rz10 · 2014-02-24 18:13 · Score: 1
  
  HOSTS are the key to everything! $10,000 challenge!
13. Re:Is anyone surprised? by WuphonsReach · 2014-02-24 19:02 · Score: 1
  
  Changing the SSH port is effective in reducing the number of entries in your log files. It's not effective in increasing your security. I do find the log file thing a great enough benefit to go ahead and do this.
  
  It removes your system from being the low-hanging fruit on the bottom branch, to something harder to reach from the ground. That it also lessens the amount of entries in the log files is a nice bonus. Instead of being attacked a few hundred times per day on the standard port, now you're only being attacked maybe once per week.
  
  (And usually far less then that... we never see brute-force attempts on our non-standard SSH ports. Combined with public-key pairs, SSH is probably not the weakest link on the system.)
  
  --
  Wolde you bothe eate your cake, and have your cake?
14. Re:Is anyone surprised? by marsu_k · 2014-02-24 22:35 · Score: 5, Funny
  
  Shhhh, quiet, you'll summon APK. I've heard if you say "HOSTS file" in front of a mirror three times he'll appear in person.
15. Re:Is anyone surprised? by gweihir · 2014-02-24 23:18 · Score: 1
  
  EMET is a dirty hack to fix a host of real problems. It is not surprising it does not really work. The only approach that works is not to have those easily exploited vulnerabilities in the first place. That requires developers with a strong security mind-set and a very conservative attitude towards new features. Microsoft lacks both.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
16. Re:Is anyone surprised? by jbmartin6 · 2014-02-25 01:50 · Score: 1
  
  Not to mention log files with less noise are more likely to be monitored and have an effective response in place for incidents. A noisy log file full of Internet-wide scripted attacks will likely be ignored even if there is a more dangerous attack buried in there.
  
  --
  This posting is provided 'AS IS' without warranty of any kind, implied or otherwise.
17. Re:Is anyone surprised? by chew8bitsperbyte · 2014-02-25 02:22 · Score: 1
  
  That's only true if you haven't disabled password authentication. If you've limited to public/private key authentication only, you get nothing.
  
  Or more specifically you get: "Connection refused. Unable to connect to host" At that point, who cares what port number you're running on, unless someone's able to brute force your 4096-bit key, you're fine.
18. Re:Is anyone surprised? by Zero__Kelvin · 2014-02-25 03:45 · Score: 2
  
  Your assessment is quite innaccurate. Changing your port number is indeed a very good idea. The mistake one might make is in thinking that is all that is necessary. I would go so far as to say that if you don't change your port number because "it provides the illusion of security" when you know damn well it is only one of many measures one should take, then you are being very foolish. Just because removing low hanging fruit doesn't stop all the vermin, that is no reason to refuse to minimize the attack surface by changing port numbers.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
19. Re:Is anyone surprised? by Anonymous Coward · 2014-02-25 03:51 · Score: 1
  
  From Microsoft's own description of EMET: "These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform."
  Source: http://support.microsoft.com/kb/2458544
20. Re:Is anyone surprised? by Zero__Kelvin · 2014-02-25 03:52 · Score: 1
  
  "If you expose easily exploited stuff, you deserve to get owned."
  Please tell me you don't take money from anyone in exchange for computer security advice.
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
21. Re:Is anyone surprised? by KingMotley · 2014-02-25 05:47 · Score: 1
  
  I agree. Passwords are insecure, so I've compiled a custom version of linux that just asks your username and lets you in. Saves me from fielding all those pesky "I forgot my password" calls. Works great.
22. Re:Is anyone surprised? by cheater512 · 2014-02-25 06:25 · Score: 1
  
  Yes I do as a matter of fact.
  Please tell me what I'm doing wrong:
  - SSH keys where possible
  - Mandatory randomly generated passwords for the accounts that can't use SSH keys
  - Only HTTP, DNS and SSH are exposed via the hardware load balancer
  - Software is updated every 6 - 12 months, or when a specific threat is discovered.
  Oh no! I've got SSH on port 22. I'm going to get hacked now!!!!
23. Re:Is anyone surprised? by coolsnowmen · 2014-02-25 07:42 · Score: 1
  
  This is not true for me:
  sudo su - test
  [test@localhost ~]$ ssh coolsnowmen@localhost
  Permission denied (publickey).
  [test@localhost ~]$ telnet localhost 22
  Trying ::1...
  Connected to localhost.
  Escape character is '^]'.
  SSH-2.0-OpenSSH_6.2
24. Re:Is anyone surprised? by marsu_k · 2014-02-25 07:56 · Score: 1
  
  Even if I were to run Windows, which I don't, and would be inclined to run random programs from the net with admin privileges, which I certainly am not, and even if admittedly there are some situations where modifying the... file that shall not be named is beneficial, you have to admit the guy is desperately in need of medication. And many of those points are redundant.
25. Re:Is anyone surprised? by Zero__Kelvin · 2014-02-25 08:30 · Score: 1
  
  Please tell me what I'm doing wrong: ... Oh no! I've got SSH on port 22. I'm going to get hacked now!!!!
  You answered your own question. Now, nobody is saying that it is a critical mistake, or that you will get cracked (it's cracked, BTW), but you will get more cracking attempts. Since it is a very, very simple thing to use non-standard ports it is foolish not to reduce your attack surface. There is also something I didn't see you mention and one could argue that by not doing it on 2014 you are doing it wrong. I don't see any mention of Port Knocking in your post. Also, you didn't mention if you use a real OS or Windows PetriDisk(tm).
  
  --
  Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
26. Re:Is anyone surprised? by AlphaBro · 2014-02-25 15:16 · Score: 1
  
  Alright, so how is thas analogous to EMET? Where exactly is this "missing hinge"? You're talking out of your ass.
Can someone explain... by nuckfuts · 2014-02-24 15:10 · Score: 2, Insightful

Is this a general method for bypassing EMET protections, or is it only applicable to one specific IE exploit?
1. Re:Can someone explain... by hweimer · 2014-02-24 21:40 · Score: 3, Informative
  
  As far as I can see, they do not rely on a specific IE vulnerability for inserting the payload, but they rely on a specific (and fixed) Windows vulnerability to bypass ASLR, which is a crucial component of EMET. They claim in a footnote that the "IE flaw could be modified to leak the base address of a DLL in another way", but they do not provide a working exploit that does so.
  
  --
  OS Reviews: Free and Open Source Software
EMET was never meant as a cure all by bloodhawk · 2014-02-24 15:14 · Score: 4, Insightful

EMET is not a cure all, nor is it pushed as one. EMET is about standard best practises to mitigate many exploits (not all) and is still an excellent toolkit for what it offers, that doesn't mean you should rely on only it. And as usual the Slashdot summary comes across as far more negative than the actual article itself.
This is very naughty. by Anonymous Coward · 2014-02-24 15:18 · Score: 1

These bit-twiddling desperadoes should be arrested at once!
Beta is a PAIN! by Anonymous Coward · 2014-02-24 15:19 · Score: 1, Informative

Pre beta I can read the complete (in most cases) text without leaving the main page. With Beta I have to queue the (perhaps interesting) readings in tabs and then review them (in order to avoid the back-and-forth). Bad UI, bad UX, bad design. Takes so much longer that I may just quit reading this site.
Re:Architecturally Insecure by Anonymous Coward · 2014-02-24 15:29 · Score: 1

Not so well disguised advertisement is not so well disguised.
Re:Architecturally Insecure by jacobsm · 2014-02-24 15:42 · Score: 1

I disagree. It's the direct descendant of S/360 and has about 50 years of steady product improvements built in. Malware, running with general user access rights cannot affect system processes in any way, and cannot alter(or read) any memory location that it doesn't have access to. The zSeries hardware, with the operating system is a powerful combination, that Windows and commodity hardware can't touch.
I'm a zOS Operating Systems Programmer with 35+ years experience, and while there have been published security and system integrity patches issued on occasion, Windows has it beat by a mile.
Re:Architecturally Insecure by TapeCutter · 2014-02-24 15:59 · Score: 3, Informative

You can't even get a Windows computer on the net without a virus scanner, it will be exploited before you can apply the latest patches.
Utter nonesense, when was the last time you installed windows? - 1998?

--
And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
Slashdot summary more negative than article? by DTentilhao · 2014-02-24 17:08 · Score: 1

@bloodhawk: "EMET is not a cure all, nor is it pushed as one. EMET is about standard best practises to mitigate many exploits (not all) and is still an excellent toolkit for what it offers, that doesn't mean you should rely on only it. And as usual the Slashdot summary comes across as far more negative than the actual article itself"

“The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code, offer little lasting protection, .. This is true of EMET and other similar userland protections”
1. Re:Slashdot summary more negative than article? by Anonymous Coward · 2014-02-24 17:24 · Score: 1
  
  And? of course it doesn't offer lasting protection. It is a speed bump, that doesn't make it useless or a disaster that people have ways around it. Just like it is not a disaster that no OS is secure and they will always need security patches, it doesn't sudden mean you don't bother with security because you know it will be defeated.
re: Architecturally Insecure, Score:0, Troll .. by DTentilhao · 2014-02-24 17:11 · Score: 1

How dare you criticise MICROS~1 ..
Re:Architecturally Insecure by ratboy666 · 2014-02-24 18:14 · Score: 1

Why do you mention Linux? This sub-thread compared Windows against z/OS. The "market share" for z/OS as a general compute device is, of course, even less than Linux. However, z/OS is arguably much more secure than Windows.
Why is it that Windows criticism is taken as Linux support? Linux has its place (and I use it as my primary OS) but I certainly wouldn't claim it is secure. Windows should be secure, given that it is pre-installed on almost every consumer computing product.

--
Just another "Cubible(sic) Joe" 2 17 3061
Re:Architecturally Insecure by Eskarel · 2014-02-24 20:28 · Score: 2

And for a desktop, no one gives a crap.
Everything that matters to a user is sitting in folders that they can, by necessity, access. Your documents, your web browser session, and everything else that is even remotely important to you is available with no escalated privileges whatsoever. Yes they can't necessarily root your device,but to be honest, but unless you're actually running in a true multi user environment(which almost no desktop is), it's cold comfort that your PC works if you data is gone.
Re:Architecturally Insecure by Eskarel · 2014-02-24 20:31 · Score: 1

Because GP mentioned them, the overall subthread by be about z/os, but this particular branch was arguing that the "no one uses it" was BS because iOS and Linux servers are secure without AV.
Also with regards to changing SSH port by Sycraft-fu · 2014-02-24 21:22 · Score: 3, Insightful

That proves the opposite of what people think. It was for a very long time extremely effective. The auto scanning l33t hax0r tools out there only looked for port 22 for SSH. They didn't scan the system. If they didn't find it, they moved on. I saw massive differences in the number of failed logins for servers on 22 and servers not.
Now that has largely changed, but it worked real well for like a decade-ish. That is not worthless. No it wasn't the only layer of security, it wasn't an excuse to ignore everything, but it did a hell of a job reducing attack profile and costs -nothing-.
The problem is geeks seem to think if security isn't perfect, it is worthless, which is stupid because in the physical world there's no such thing, EVER, as perfect security and since all computers are in the end physical entities, the same actually applies to computer security. It is all layers, it is all protection against different levels of threats.
Turns out simple obscurity can be really useful at times. It doesn't make you safe by itself, but it can make a breakin that much harder, and thus less likely.
1. Re:Also with regards to changing SSH port by DarkOx · 2014-02-24 22:33 · Score: 1
  
  No geeks generally just look for Better way. Moving SSH to a nonstandard port makes it harder to use. There are better tools like IPtables rules which can limit the maximum number of connections from a given host to say five for minute, or whatever value is reasonable in your case. This way you don't remember to specify nonstandard port every time, but it's still completely effective in preventing brood force attacks. The stupid scanners will find you try five times then get no response assume the host is gone and move on.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
Re: I want a cookie by _merlin · 2014-02-24 22:22 · Score: 1

Cookie Monster was a prank program that required the user to install and run it with their own permissions. It didn't attempt to reproduce, spread or conceal itself.
Re:Architecturally Insecure by RobertLTux · 2014-02-24 23:52 · Score: 1

or more to the point if you want a simple method to get a Windows computer patched and all the "fun" programs installed then you
1 on another computer download unpack and run WSUSOffline and build an update package
2 also visit ninite.com and grab a install loader for your "fun" programs (like firefox libreoffice and such)
3 do the initial setup on your computer and get to the desktop
4 run the WSUSOffline updater
5 run the ninite.com install loader
6 Profit!!

--
Any person using FTFY or editing my postings agrees to a US$50.00 charge
Idiomatic ramifications by mordejai · 2014-02-25 00:36 · Score: 1

So... EMET is SHEKER?
Re:Wait a second... by ledow · 2014-02-25 01:27 · Score: 1

Maybe you should read the paper they link in.
Basically, most of the security is incomplete or easily ignored / bypassed.
On a stock system, with EMET defaults enabled, there are certain critical things that aren't done (hooking an old API that marks memory as executable, etc.). Even if they could be done, the way I read through the paper suggests that there are SO MANY alternatives they could have used that it's going to be finger-in-the-dyke hole-blocking rather than a blanket fix.
A lot of the things they try to do (e.g. roll back to the caller of a function, disassemble the code and see if it came from a direct jump or a proper CALL, etc.) aren't done properly or are worthless (in this example, they just get the MS VC runtimes to do the call "properly" with data they control).
They seem to be able to run arbitrary code via their exploits and they don't pick out any one particular exploit. Most of their work is about punching holes AROUND EMET security, not crafting a one-off exploit, and pretty much they appear to succeed. Most of the things they use are merely small tweaks to existing XP exploits and things like that.
At many points they just say "Or you could do this in a million other ways". So it's not that they've found a one-off hole through these things that works 1/256th of the time by chance, they literally walk around all the checks and security by doing some quite simple things.
And, yes, they end up running calc.exe or whatever they want at the end of it, without EMET or any of the listed protections kicking up a fuss.
Re: Architecturally Insecure by mspohr · 2014-02-25 04:08 · Score: 1

1996 ;)

--
I don't read your sig. Why are you reading mine?
Re:Architecturally Insecure by mcgrew · 2014-02-25 05:44 · Score: 1

Oh, how the mighty slashdot has fallen, when a logged in slashdotter makes the insightful comment that Windows was never designed with security in mind. Although they did better with Vista and 7 than previous OSes it's still the most insecure OS I know of.
Yet he gets modded -1 troll for a factual comment. Do we have more shills than real users? Or are anti-MS comments being modded down by editors on orders of Dice because Microsoft is advertising here?
Either way, it saddens me.

--
Free Martian Whores!
experience by ynp7 · 2014-02-25 07:09 · Score: 1

Someone at Microsoft has a really creepy obsession with the word "Experience." Just stop already!