Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Fun With Dr Brown

467 views

Published on

Cleveland BSides 2014 presentation on EMET.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Fun With Dr Brown

  1. 1. FunWith Dr. Brown Spencer McIntyre Cleveland B-Sides July 19th, 2014
  2. 2. Introduction • Who am I? • Spencer McIntyre • Security Researcher @SecureState • Metasploit Project Member • Why we’re here: • Introducing Dr. Emmett Brown • We’re going to talk about Microsoft’s EMET
  3. 3. EMET Overview • The Enhanced Mitigation ExperienceToolkit • Microsoft’s response for making unknown vulnerabilities more difficult to exploit • EMET does not “fix” vulnerabilities, it makes them difficult to exploit reliably • Crashes are easy but ain’t nobody got time for that • Latest versions right now 4.1 (Production) 5.0TP 2 (Technical Preview)
  4. 4. How Does EMET Make Exploitation Difficult? • Protections are divided into 3 categories (Memory, ROP, & Other) • Key protections: • DEP • MandatoryASLR • NullPage • StackPivot • Export Address Filtering (EAF) • 7 Others in EMET 4.1
  5. 5. Application Configuration • Consult the EMET User’s Guide for details
  6. 6. DEP & ASLR • Every application should use DEP & ASLR • Can be configured by both the OS (with or without EMET) or by applications • Almost allWindows native modules are ASLRed since Windows 7+ • Have to be careful about third party applications
  7. 7. Brief History of BypassTechniques • ASLR and DEP bypass techniques are not EMET specific • Predate EMET • “Jump” over hooks • Can make the exploit become Windows version specific • November 17th, 2010 SkyLined posts a whitepaper on “Bypassing Export address table Address Filter (EAF)” targeting EMET 2.0
  8. 8. EMET Start Up • EMET.dll is loaded into the protected process • Even when no protections are enabled • The EMET.dll loads the configuration from the registry • EMET Configuration is copied to RW segment • Can be changed at run time by the application • First noticed in EMET version 4.0
  9. 9. Picking AVulnerability • Desirable Qualities • Large amount of payload space (>750 bytes) • No bad characters • Non-ASLRed executable module (at least, DLLs are a bonus) • CVE-2013-2492 • Stack Base Buffer Overflow in Firebird Database • Meets all requirements • Remotely exploitable for SYSTEM shell with default configuration
  10. 10. What ProtectionsWork? • Protections target specific vulnerabilities • Not all protections are always applicable (Example: Null Page) • Protections forCVE-2013-2492 (DEP & ASLR are already bypassed via ROP) • Caller • EAF • Deep Hooks • Banned Functions
  11. 11. What AreWe GoingTo Do?
  12. 12. PatchThe ActionVia ROP • EMET is ASLRed • GetModuleHandleA() is not a protected function • ROP chain resolves the EMET base address dynamically • Change offset from EMET base address to change the configuration • Two locations for completely disabling • &EMET+0x0079074 (EMET 4.0 & 4.1) • &EMET+0x007e07c (EMET 4.0 & 4.1)
  13. 13. ConfigurationValue References
  14. 14. EMET Disabling ROP Chain • 19 Gadget EMET Disabling ROP Chain • Main steps are: 1. Reslove EMET base address via GetModuleHandleA or similar 2. Calculate offset via constants 3. Modify the values of the offsets
  15. 15. The Result • After patched, trigger all the protections! • No shellcode modification necessary • Metasploit payloads can be used • Energy required to exploit? • Less than 1.21 gigawatts
  16. 16. DemoTime
  17. 17. EMET 5.0Tech Preview 1 VULNERABLE
  18. 18. EMET 5.0Tech Preview 1 • Still vulnerable • Encoded Pointer is Optional • What do we do? Disable it!
  19. 19. EMET 5.0Tech Preview 2 Fixed
  20. 20. EMET 5.0TP2 Fix • Configuration no longer stored in .data • Stored in space allocated at run time • Pointer to configuration is stored in .data • Protected with EncodePointer/DecodePointer • Permissions are set to Read Only • Resolving EncoderPointer via ROP would pose a risk • Existence in IAT of nonASLRed module • Overwrite configuration location as in 5.0TP1 bypass
  21. 21. ClosingThoughts • Main executables (.exe’s) without ASLR are bad • Really bad, not even EMET can fix that • EMET’s Deep Hooks is a great setting • Metasploit’s PrependMigrate is also a great setting • When the going gets tough execute a Powershell command • This technique is not a silver bullet • The vulnerability and affected software needs to meet some criteria
  22. 22. Timeline • October 27, 2009: Initial release of EMET 1.0.2 (then Enhanced Mitigation Evaluation Toolkit) • June 17, 2013: EMET 4.0 released • October 28, 2013: SecureState notifies Microsoft's Security ResponseTeam of the flaw in EMET 4.0. Microsoft responds requesting technical details • October 29, 2013: SecureState provides Microsoft's Security ResponseTeam with technical details for the bypass • November 5, 2013: Microsoft acknowledges technical details from SecureState • November 12, 2013: EMET 4.1 released (still vulnerable to the bypass) • November 15, 2013: Microsoft's EMET team contacts SecureState to discuss the bypass • February 25, 2014: EMET 5.0Technical Preview released, SecureState credited for collaboration • April 30, 2014: EMET 4.1 Update 1 and EMET 5.0Technical Preview 2 released • SecureState's bypass is patched in EMET 5Tech Preview 2. • July 1st, 2014: Offensive Security posts a blog “Disarming Enhanced Mitigation Experience Toolkit (EMET)”Outlining this vulnerability
  23. 23. Questions?
  24. 24. References • Skypher: http://www.exploit-db.com/wp- content/themes/exploit/docs/15579.pdf • 0xdabbad00: http://0xdabbad00.com/wp- content/uploads/2013/11/emet_4_1_uncovered.pdf • Exodus Intel: https://www.exodusintel.com/files/Aaron_Portnoy- Bypassing_All_Of_The_Things.pdf • Offensive Security Blog: http://www.offensive- security.com/vulndev/disarming-enhanced-mitigation-experience-toolkit- emet/ • http://bromiumlabs.files.wordpress.com/2014/02/bypassing-emet-4-1.pdf
  25. 25. Thanks ForYourTime • Thanks to Jake Garlie for Research Assistance • Spencer McIntyre • @zeroSteiner

×