Using the Microsoft EMET security tool to hack itself

FireEye security researchers Abdulellah Alsaheel and Raghav Pande have found a way to turn Microsoft EMET (Enhanced Mitigation Experience Toolkit) against itself.

The security researchers Abdulellah Alsaheel and Raghav Pande of FireEye have found a way to use Microsoft's Enhanced Mitigation Experience Toolkit to disable itself. EMET was introduced by Microsoft to raise the cost of exploit development; it was never meant to be a solution able to protect systems from every malicious exploit.

The experts devised a technique to disable Microsoft's Enhanced Mitigation Experience Toolkit using the tool itself.

The Enhanced Mitigation Experience Toolkit was designed to protect systems against attackers by recognizing the common techniques used in exploits.

“EMET anticipates the most common actions and techniques adversaries might use in compromising a computer, and helps protect by diverting, terminating, blocking, and invalidating those actions and techniques. EMET helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software,” reads Microsoft's description of its tool.

The Enhanced Mitigation Experience Toolkit works by injecting its library into protected applications, hooking the running process and analyzing calls to critical APIs so that suspicious activity can be detected early.

“EMET injects emet.dll or emet64.dll (depending upon the architecture) into every protected process, which installs Windows API hooks (exported functions by DLLs such as kernel32.dll, ntdll.dll, and kernelbase.dll). These hooks provide EMET the ability to analyze any code calls in critical APIs and determine if they are legitimate. If code is deemed to be legitimate, EMET hooking code jumps back into the requested API. Otherwise it triggers an exception,” wrote the security duo.

The researchers focused their efforts on disabling the Enhanced Mitigation Experience Toolkit outright: an attacker's code can invoke a function within the tool itself that turns its protections off.

This unloading “feature” is implemented in emet.dll so that EMET can cleanly detach from a process.

“However, there exists a portion of code within EMET that is responsible for unloading EMET. The code systematically disables EMET’s protections and returns the program to its previously unprotected state. One simply needs to locate and call this function to completely disable EMET. In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks.”

The only obstacle for the researchers was retrieving the base address of emet.dll in order to call that function. The experts used the GetModuleHandleW function, which the Microsoft Enhanced Mitigation Experience Toolkit does not hook, to obtain the address.

This is not the first time that security experts have found a way to bypass the Enhanced Mitigation Experience Toolkit, but unlike earlier bypasses, the technique proposed by the duo doesn't rely on vulnerabilities or missing features.

“This new technique uses EMET to unload EMET protections. It is reliable and significantly easier than any previously published EMET disabling or bypassing technique. The entire technique fits within a short, straightforward ROP chain. It only needs to leak the base address of a DLL importing GetModuleHandleW (such as mshtml.dll), instead of full read capabilities over the process space. Since the DllMain function of emet.dll is exported, the bypass does not require hard-coded version-specific offsets, and the technique works for all tested versions of EMET (4.1, 5.1, 5.2, 5.2.0.1),” explained the security duo.
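A defender-side check that follows from the hooking mechanism described above, added here as an example and not part of the original post or of FireEye's research: it inspects the first bytes of a protected API's prologue and reports whether the inline hook still redirects into emet.dll, which is what the unload function removes. The module address ranges and prologue bytes are constructed for the example; on a real host they would come from a memory snapshot of the process.

```python
import struct

# Constructed module map for a 32-bit process (addresses are made up for this
# example; on a real host they come from the process module list).
MODULES = {
    "kernel32.dll": (0x75B00000, 0x75BE0000),
    "emet.dll":     (0x6E400000, 0x6E4A0000),
}

def decode_jump_target(va, code):
    """Return the absolute target if the bytes at `va` start with an inline
    redirect (jmp rel32, or push imm32 / ret), otherwise None."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (va + 5 + rel) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32; ret
        return struct.unpack_from("<I", code, 1)[0]
    return None

def module_for(addr, modules):
    """Name of the module whose range contains `addr`, or None."""
    for name, (lo, hi) in modules.items():
        if lo <= addr < hi:
            return name
    return None

def hook_state(api_va, code, modules, hook_module="emet.dll"):
    """Classify an API prologue: 'hooked' (redirects into emet.dll),
    'unhooked' (original prologue), or redirected somewhere unexpected."""
    target = decode_jump_target(api_va, code)
    if target is None:
        return "unhooked"
    owner = module_for(target, modules)
    return "hooked" if owner == hook_module else f"redirected-elsewhere:{owner}"

def audit(snapshot, modules):
    """snapshot: {api_name: (va, first_bytes)} -> {api_name: state}."""
    return {name: hook_state(va, code, modules) for name, (va, code) in snapshot.items()}

def encode_jmp_rel32(from_va, to_va):
    """Build a 5-byte `jmp rel32` (used only to construct the samples below)."""
    return b"\xE9" + struct.pack("<I", (to_va - (from_va + 5)) & 0xFFFFFFFF)

# Constructed samples: the standard hot-patchable prologue (mov edi,edi; push ebp;
# mov ebp,esp) versus the same API with a jump into emet.dll installed.
VIRTUALPROTECT_VA = 0x75B14A20
CLEAN_PROLOGUE  = b"\x8B\xFF\x55\x8B\xEC"
HOOKED_PROLOGUE = encode_jmp_rel32(VIRTUALPROTECT_VA, 0x6E412345)
FOREIGN_PROLOGUE = encode_jmp_rel32(VIRTUALPROTECT_VA, 0x00410000)
```

Run `audit` on a snapshot taken before and after a suspicious event; an API that changes from "hooked" to "unhooked" while emet.dll is still loaded is the footprint of the unload behaviour described above.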

Pierluigi Paganini

(Security Affairs – Microsoft Enhanced Mitigation Experience Toolkit, Hacking)
