Forgot your password?
typodupeerror
Windows Bug Security

Complete Microsoft EMET Bypass Developed 116

Posted by Unknown Lamer
from the just-a-teeny-tiny-bug dept.
msm1267 writes "Researchers at Bromium Labs are expected to announce today they have developed an exploit that bypasses all of the mitigations in Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Principal security researcher Jared DeMott is delivered a presentation at the Security BSides conference explaining how the company's researchers were able to bypass all of the memory protections offered within the free Windows toolkit. The work is significant given that Microsoft has been quick to urge customers to install and run EMET as a temporary mitigation against zero-day exploits targeting memory vulnerabilities in Windows or Internet Explorer. The exploit bypasses all of EMET's mitigations, unlike previous bypasses that were able to beat only certain aspects of the tool. Researchers took a real-world IE exploit and tweaked it until they had a complete bypass of EMET's ROP, heap spray, SEHOP, ASLR, and DEP mitigations."
This discussion has been archived. No new comments can be posted.

Complete Microsoft EMET Bypass Developed

Comments Filter:
  • Is anyone surprised? (Score:5, Interesting)

    by Anonymous Coward on Monday February 24, 2014 @11:07PM (#46330843)

    EMET is just a bunch of industry-standard mitigations (e.g. the kind of thing you get on Linux with grsecurity) - and several of them poorly implemented at that. They're mitigations - they make exploits harder, not impossible.

    If you rely on EMET for security, you're doing it wrong. Stuff like EMET is just a speed bump. It's good to have, it should be enabled by default, and we should stop treating it like some magic "security on" switch.

    • Yep, just one more step in a never ending arms race.
    • by Anonymous Coward

      The same could be said for Linux (grsecurity being a patcheset against vanilla Linux). OpenBSD enables these measures by default, which shook out tons of bugs in ports/ software. They're just good measures, period, but obviously not a panacea.

    • by cheater512 (783349) <nick@nickstallman.net> on Tuesday February 25, 2014 @12:15AM (#46331255) Homepage

      I disagree. It is like changing the SSH port.

      It gives the *illusion* of security, which makes people slack.
      E.g. My SSH password is 123456 but don't worry its ok! I changed the SSH port to 1234 so I'm safe.

      I avoid smoke and mirrors security as much as possible.

      • by Anonymous Coward
        So it is just like using HOSTS files yet another illusion of security promoted by idiots.
        • by noh8rz10 (2716597)

          HOSTS are the key to everything! $10,000 challenge!

        • by marsu_k (701360) on Tuesday February 25, 2014 @06:35AM (#46332449)
          Shhhh, quiet, you'll summon APK. I've heard if you say "HOSTS file" in front of a mirror three times he'll appear in person.
      • by Tanktalus (794810) on Tuesday February 25, 2014 @12:23AM (#46331301) Journal

        So, you don't use a club on your steering wheel, you don't bother hiding valuables in your trunk, leaving them in plain view, and, really, since a professional can get in the car anyway, just leave the doors unlocked. It's all smoke and mirrors anyway.

        If a malicious attacker/user is portscanning your system and finds that port 22 is open, they're going to assume an ssh attack. If they find port 1234, they may move on to another target that has port 22 open instead. Of course, if they're really after you, and not just throwing a wide net, then such shenanigans aren't going to stop them, though it might slow them down for a little while while they try to figure out what's listening on which non-standard port.

        If a script kiddie is doing the same, most likely port 1234 would be enough to fool them, and they'd never get in.

        Seems like smoke and mirrors are a useful tool in a secure system's administration, but should never be the sole tool.

        • by ichthus (72442)
          Exactly. It's like burying the spare key in your garden, as opposed to putting it under the door mat. It's security through obscurity, but it IS effective.
          • by Anonymous Coward

            Changing the SSH port is effective in reducing the number of entries in your log files. It's not effective in increasing your security. I do find the log file thing a great enough benefit to go ahead and do this.

            • Changing the SSH port is effective in reducing the number of entries in your log files. It's not effective in increasing your security. I do find the log file thing a great enough benefit to go ahead and do this.

              It removes your system from being the low-hanging fruit on the bottom branch, to something harder to reach from the ground. That it also lessens the amount of entries in the log files is a nice bonus. Instead of being attacked a few hundred times per day on the standard port, now you're only be
              • Not to mention log files with less noise are more likely to be monitored and have an effective response in place for incidents. A noisy log file full of Internet-wide scripted attacks will likely be ignored even if there is a more dangerous attack buried in there.
        • by cheater512 (783349) <nick@nickstallman.net> on Tuesday February 25, 2014 @01:40AM (#46331669) Homepage

          Erm you do know that SSH broadcasts it's presence as soon as you connect right?

          Try "telnet server.com 22" and you'll see how nice and obvious it is that you've found a SSH server.
          You'll get a nice banner like "SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1"

          The moment the port scan finds it, they know it is SSH.

          • by Anonymous Coward
            The point is someone has to do a full port scan. check most of the worms and exploit kits out there, they don't both with a port scan as they know exactly what port 99.99% of web servers run on and what 99% of SSH and RDP servers run on. The most likely victims are ones that use default configs and default configs also mean default ports, why spend precious cycles port scanning when there are 10,000 other soft targets you could have scanned in that time.
          • That's only true if you haven't disabled password authentication. If you've limited to public/private key authentication only, you get nothing.

            Or more specifically you get: "Connection refused. Unable to connect to host" At that point, who cares what port number you're running on, unless someone's able to brute force your 4096-bit key, you're fine.
            • This is not true for me:

              sudo su - test
              [test@localhost ~]$ ssh coolsnowmen@localhost
              Permission denied (publickey).
              [test@localhost ~]$ telnet localhost 22
              Trying ::1...
              Connected to localhost.
              Escape character is '^]'.
              SSH-2.0-OpenSSH_6.2

        • by Sycraft-fu (314770) on Tuesday February 25, 2014 @05:22AM (#46332297)

          That proves the opposite of what people think. It was for a very long time extremely effective. The auto scanning l33t hax0r tools out there only looked for port 22 for SSH. They didn't scan the system. If they didn't find it, they moved on. I saw massive differences in the number of failed logins for servers on 22 and servers not.

          Now that has largely changed, but it worked real well for like a decade-ish. That is not worthless. No it wasn't the only layer of security, it wasn't an excuse to ignore everything, but it did a hell of a job reducing attack profile and costs -nothing-.

          The problem is geeks seem to think if security isn't perfect, it is worthless, which is stupid because in the physical world there's no such thing, EVER, as perfect security and since all computers are in the end physical entities, the same actually applies to computer security. It is all layers, it is all protection against different levels of threats.

          Turns out simple obscurity can be really useful at times. It doesn't make you safe by itself, but it can make a breakin that much harder, and thus less likely.

          • by DarkOx (621550)

            No geeks generally just look for Better way. Moving SSH to a nonstandard port makes it harder to use. There are better tools like IPtables rules which can limit the maximum number of connections from a given host to say five for minute, or whatever value is reasonable in your case. This way you don't remember to specify nonstandard port every time, but it's still completely effective in preventing brood force attacks. The stupid scanners will find you try five times then get no response assume the host

      • by Anonymous Coward on Tuesday February 25, 2014 @01:06AM (#46331495)

        I disagree. It is like changing the SSH port.

        It gives the *illusion* of security, which makes people slack. E.g. My SSH password is 123456 but don't worry its ok! I changed the SSH port to 1234 so I'm safe.

        I avoid smoke and mirrors security as much as possible.

        more fool you. smoke and mirrors despite its negative security connotations is actually an invaluable security mechanism that is denigrated by those that don't know better. Something as simple as a port change while providing no real security improvement does immediately negate a whole heap of script kiddies and automated tools that instantly pop up when a new exploit is discovered, yes it offers nothing against a targeted attack, but most attacks are NOT specifically targeted, they hunt for easy victims on known common configurations. Every tool that reduces even the most basic of attacks SHOULD be something you value in your arsenal.

        • If you expose easily exploited stuff, you deserve to get owned.

          They try stuff like username 'admin' password '123456'. If that is a issue for your server you are an idiot.
          If you say use SSH keys then you don't have to give the script kiddies and automated attacks a second thought - they will *never* get in.

          • "If you expose easily exploited stuff, you deserve to get owned."

            Please tell me you don't take money from anyone in exchange for computer security advice.

            • Yes I do as a matter of fact.

              Please tell me what I'm doing wrong:
              - SSH keys where possible
              - Mandatory randomly generated passwords for the accounts that can't use SSH keys
              - Only HTTP, DNS and SSH are exposed via the hardware load balancer
              - Software is updated every 6 - 12 months, or when a specific threat is discovered.

              Oh no! I've got SSH on port 22. I'm going to get hacked now!!!!

              • Please tell me what I'm doing wrong: ... Oh no! I've got SSH on port 22. I'm going to get hacked now!!!!

                You answered your own question. Now, nobody is saying that it is a critical mistake, or that you will get cracked (it's cracked, BTW), but you will get more cracking attempts. Since it is a very, very simple thing to use non-standard ports it is foolish not to reduce your attack surface. There is also something I didn't see you mention and one could argue that by not doing it on 2014 you are doing it w

      • Your assessment is quite innaccurate. Changing your port number is indeed a very good idea. The mistake one might make is in thinking that is all that is necessary. I would go so far as to say that if you don't change your port number because "it provides the illusion of security" when you know damn well it is only one of many measures one should take, then you are being very foolish. Just because removing low hanging fruit doesn't stop all the vermin, that is no reason to refuse to minimize the attack
      • I agree. Passwords are insecure, so I've compiled a custom version of linux that just asks your username and lets you in. Saves me from fielding all those pesky "I forgot my password" calls. Works great.

    • by gweihir (88907)

      EMET is a dirty hack to fix a host of real problems. It is not surprising it does not really work. The only approach that works is not to have those easily exploited vulnerabilities in the first place. That requires developers with a strong security mind-set and a very conservative attitude towards new features. Microsoft lacks both.

    • by Anonymous Coward

      From Microsoft's own description of EMET: "These security mitigation technologies do not guarantee that vulnerabilities cannot be exploited. However, they work to make exploitation as difficult as possible to perform."

      Source: http://support.microsoft.com/kb/2458544

  • by nuckfuts (690967) on Monday February 24, 2014 @11:10PM (#46330863)
    Is this a general method for bypassing EMET protections, or is it only applicable to one specific IE exploit?
  • by bloodhawk (813939) on Monday February 24, 2014 @11:14PM (#46330913)
    EMET is not a cure all, nor is it pushed as one. EMET is about standard best practises to mitigate many exploits (not all) and is still an excellent toolkit for what it offers, that doesn't mean you should rely on only it. And as usual the Slashdot summary comes across as far more negative than the actual article itself.
    • @bloodhawk: "EMET is not a cure all, nor is it pushed as one. EMET is about standard best practises to mitigate many exploits (not all) and is still an excellent toolkit for what it offers, that doesn't mean you should rely on only it. And as usual the Slashdot summary comes across as far more negative than the actual article itself"

      The impact of this study shows that technologies that operate on the same plane of execution as potentially malicious code, offer little lasting protection, .. This is
      • by Anonymous Coward
        And? of course it doesn't offer lasting protection. It is a speed bump, that doesn't make it useless or a disaster that people have ways around it. Just like it is not a disaster that no OS is secure and they will always need security patches, it doesn't sudden mean you don't bother with security because you know it will be defeated.
  • by Anonymous Coward

    These bit-twiddling desperadoes should be arrested at once!

  • Beta is a PAIN! (Score:1, Informative)

    by Anonymous Coward

    Pre beta I can read the complete (in most cases) text without leaving the main page. With Beta I have to queue the (perhaps interesting) readings in tabs and then review them (in order to avoid the back-and-forth). Bad UI, bad UX, bad design. Takes so much longer that I may just quit reading this site.

  • So... EMET is SHEKER?

  • Someone at Microsoft has a really creepy obsession with the word "Experience." Just stop already!

Any sufficiently advanced technology is indistinguishable from a rigged demo. - Andy Finkel, computer guy

Working...