Microsoft security technology used to disable itself

Researchers have discovered a vulnerability in Microsoft's EMET security tool that can be used against itself to shut it down.

EMET manipulated to pwn itself
EMET manipulated to pwn itself

Microsoft's Enhanced Mitigation Experience Toolkit (EMET) is a free security tool that provides Windows and applications with an extra layer of security. It should make it difficult for hackers to attack both known and unknown vulnerabilities in the operating system, installed programs or plug-ins. 

But FireEye discovered a flaw in the technology that allows it to be used against itself and shut it down, leaving systems more vulnerable. EMET can be used to inject emet.dll or emet64.dll (depending upon the architecture) into every protected process, which installs Windows API hooks (exported functions by DLLs such as kernel32.dll, ntdll.dll, and kernelbase.dll). 

These hooks provide EMET the ability to analyse any code calls in critical APIs and determine if they are legitimate. If code is deemed to be legitimate, EMET hooking code jumps back into the requested API. Otherwise it triggers an exception, according to FireEye.

But the problem lies in a portion of code within EMET that is responsible for unloading EMET. The code systematically disables EMET's protections and returns the program to its previously unprotected state.

“One simply needs to locate and call this function to completely disable EMET. In EMET.dll v5.2.0.1, this function is located at offset 0x65813. Jumping to this function results in subsequent calls, which remove EMET's installed hooks,” said researchers Abdulellah Alsaheel and Raghav Pande in a blog post.

They said the feature exists because emet.dll contains code for cleanly exiting from a process. Conveniently, it is reachable from DllMain.

"This new technique uses EMET to unload EMET protections," they said. "It is reliable and significantly easier than any previously published EMET disabling or bypassing technique."

“If an attacker can bypass EMET with significantly less work, then it defeats EMET's purpose of increasing the cost of exploit development.”

Microsoft has since issued a patch to address this issue in EMET 5.5.

Fraser Kyne, principal systems engineer at Bromium, told SCMagazineUK.com that what is surprising about the news is that we're still debating the tools we use to deal with the symptoms of a disease, rather than trying to tackle the disease itself. “All software running within an OS that tries to protect the OS itself is fundamentally flawed,“ he said.

“So what do you do? You have to move to a more secure model, using hardware for security. Microsoft themselves recognise this limitation – hence their introduction of tools in Windows 10 like device guard and credential guard, which add hardware-backed security elements based on virtualisation isolation,” Kyne said.

Gavin Millard, EMEA technical director of Tenable Network Security, told SC that security tools should be bug free and impossible to bypass but flaws and approaches to bypass can be found. “Finding and addressing these issues before they are discovered by a less ethical group is important, though, and should be supported,” he said.

"It's critically important that the fixes produced to address the flaws are deployed in customers' environment in a timely manner, otherwise it could be leveraged by an attacker to install malware or a backdoor."