Microsoft defense that fetched $50,000 prize bypassed in just 2 weeks

The bypass comes at a price, though: it raises the cost of writing reliable Windows exploits.

A computer's Internet Explorer screen just prior to it being exploited by an attack that bypasses new protection baked into EMET. Real-world attacks would conceal this behind-the-scene view.

Two weeks after Microsoft released a free utility designed to help its software better withstand a powerful hacking technique, a security researcher has demonstrated an exploit that bypasses the newfangled protection.

Microsoft released a new version of its Enhanced Mitigation Experience Toolkit on July 24 to great fanfare. The update to EMET, which adds an extra layer of defense to prevent vulnerabilities from being successfully exploited, introduced protections designed to block an advanced attack technique known as return oriented programming. A regular staple in exploits at the annual Pwn2Own hacker contest, ROP works by chaining together short snippets of legitimate code already present in memory (each ending in a return instruction) so that, taken together, they carry out the attacker's payload without the exploit having to inject any code of its own. The new protection, known as ROPGuard and developed by University of Zagreb researcher Ivan Fratric, fetched a $50,000 prize under a security contest Microsoft sponsored.

On Thursday, a security researcher whose Twitter profile claims he's based in Iran said he had bypassed the ROPGuard protections. A video demonstration accompanying his blog post showed a Windows 7 machine falling prey to a ROP-based exploit even though the OS was running version 3.5 of EMET. The anti-ROP mitigations work by hooking certain critical system functions (the ones an exploit needs in order to make its payload executable) with extra code that verifies they are being reached from a legitimate call rather than from a ROP chain. Based on a brief technical description, the attack circumvents this check by issuing the underlying system call directly, so the hooked user-mode wrapper is never executed and its checks never run.

The technique is one that attackers have used for a few years to bypass the protections known as data execution prevention and address space layout randomization, which Microsoft introduced with Windows XP Service Pack 2 and Windows Vista, respectively. By invoking the system call known as NtProtectVirtualMemory directly (the call that changes the protection of a memory region, for example to make an attacker's payload executable), the researcher was able to circumvent the anti-ROP mitigations as well.
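To make the two preceding paragraphs concrete, here is an added C example (not code from EMET, Microsoft, or the researcher's write-up) that models the kind of caller check a ROPGuard-style hook performs on a guarded API such as VirtualProtect: the return address must sit immediately after a CALL instruction, and the stack pointer must lie inside the thread's real stack. The code image, stack addresses, and function names are constructed for illustration and correspond to no real binary.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Do the `len` bytes at p decode as a single 32-bit x86 CALL instruction?
 * Covers E8 rel32 and the FF /2 (ModRM) forms, including SIB and
 * displacement bytes. Prefixes and far calls are ignored, a simplification
 * of this example, not a claim about any real implementation.
 */
static bool decodes_as_call(const uint8_t *p, size_t len)
{
    if (len == 5 && p[0] == 0xE8)
        return true;                          /* E8 rel32: call near */
    if (len < 2 || p[0] != 0xFF)
        return false;
    uint8_t modrm = p[1];
    if (((modrm >> 3) & 7) != 2)
        return false;                         /* FF /2 is CALL r/m32 */
    uint8_t mod = modrm >> 6, rm = modrm & 7;
    size_t need = 2;                          /* opcode + ModRM */
    if (mod != 3) {                           /* memory operand */
        if (rm == 4) {                        /* SIB byte follows */
            if (len < 3) return false;
            need += 1;
            if (mod == 0 && (p[2] & 7) == 5)  /* SIB with no base: disp32 */
                need += 4;
        } else if (mod == 0 && rm == 5) {
            need += 4;                        /* call [disp32] */
        }
        if (mod == 1) need += 1;              /* disp8 */
        else if (mod == 2) need += 4;         /* disp32 */
    }
    return need == len;
}

/*
 * Caller check: is the return address at `ret_off` within `code` immediately
 * preceded by a CALL of any plausible length? A legitimate return address
 * always is; a ROP gadget entered via RET normally is not.
 */
bool return_address_preceded_by_call(const uint8_t *code, size_t ret_off)
{
    for (size_t len = 2; len <= 7; len++)
        if (ret_off >= len && decodes_as_call(code + ret_off - len, len))
            return true;
    return false;
}

/* Stack-pivot check: the stack pointer must lie inside the thread's stack
 * (the StackLimit..StackBase range a Windows thread records in its TEB). */
bool stack_pointer_in_range(uintptr_t sp, uintptr_t stack_limit, uintptr_t stack_base)
{
    return sp >= stack_limit && sp < stack_base;
}

/* Model of a hooked API entry point: the hook runs both checks before the
 * real function body would execute. A direct system call never enters this
 * function at all, which is why the bypass described above works. */
bool guarded_api_entry(const uint8_t *code, size_t ret_off,
                       uintptr_t sp, uintptr_t stack_limit, uintptr_t stack_base)
{
    return return_address_preceded_by_call(code, ret_off)
        && stack_pointer_in_range(sp, stack_limit, stack_base);
}

/* Constructed 32-bit code image (made up for this example):
 *   0: 55                push ebp
 *   1: 8B EC             mov  ebp, esp
 *   3: E8 00 00 00 00    call +0          ; legitimate return address = 8
 *   8: FF 15 00 10 40 00 call [0x401000]  ; legitimate return address = 14
 *  14: 5D                pop  ebp
 *  15: C3                ret              ; "ret" gadget at 15
 *  16: 5C                pop  esp         ; "pop esp; ret" pivot gadget at 16
 *  17: C3                ret
 */
const uint8_t sample_code[] = {
    0x55, 0x8B, 0xEC, 0xE8, 0x00, 0x00, 0x00, 0x00,
    0xFF, 0x15, 0x00, 0x10, 0x40, 0x00, 0x5D, 0xC3, 0x5C, 0xC3
};

int main(void)
{
    const uintptr_t lo = 0x00120000, hi = 0x00130000;  /* made-up thread stack */
    printf("legit caller, real stack : %s\n",
           guarded_api_entry(sample_code, 8, 0x0012FF00, lo, hi) ? "allowed" : "blocked");
    printf("ROP gadget, pivoted stack: %s\n",
           guarded_api_entry(sample_code, 16, 0x0C0C0C0C, lo, hi) ? "allowed" : "blocked");
    return 0;
}
```

Both checks are heuristics: a gadget that happens to sit right after a call site passes the first, and a pivot into a region the attacker placed inside the real stack passes the second. More to the point of the article, neither check is consulted when the exploit moves the system-call number into a register and executes the sysenter or syscall instruction itself, because the hooked wrapper is simply never reached.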

The technique, however, comes at a significant cost to those writing software exploits. Namely, system call numbers change from one version of Windows to the next, so an exploit that issues the call directly must be tailored to each version it targets (although the syscall variation is much more pronounced in 32-bit releases than in 64-bit releases). Given the six-figure prices paid for reliable exploits of unpatched Windows vulnerabilities, the reduced number of machines that any one exploit can commandeer may be enough to discourage criminal hackers from bothering.

"The $250,000 prize [there were two other prizes awarded] is likely a low cost for Microsoft when they take into account the full cost of a reliable exploit in the wild," HD Moore, an expert in software exploitation and CSO of Rapid7, told Ars. "If EMET stops a single widespread attack from occurring, it would pay for itself back in multiples."

Yunsun Wee, director, Microsoft Trustworthy Computing, made much the same point in a statement released to Ars. "The security mitigation technologies implemented by EMET increase the cost for attackers to develop a successful exploit," she wrote.

Fratric's ROPGuard contribution took second place in Microsoft's BlueHat Prize contest, which awarded $260,000 worth of prizes for security mitigations. All three of the winning entries focused on ways to reduce the effectiveness of ROP attacks.

The episode is a graphic example of the active and protracted arms race between software exploiters and those hired to repel them. The discovery of a new attack technique may give hackers the upper hand for a brief period of time, until developers figure out a way to blunt it. To do this, the developers come up with defenses like security sandboxes and the aforementioned ASLR and DEP. Then attackers develop new weapons such as heap spraying to get around them. ROP, in fact, is a technique for bypassing DEP, which prevents memory marked as data (a stack buffer or heap allocation, say) from being executed as code.

Stay tuned. This story isn't over yet.
