- Feb 4, 2016
Researchers from Italy's University of Padua will demo a new technique to evade Control Flow Guard, the widely deployed security mechanism, at Black Hat Asia.
A widely deployed security mechanism in Windows that is designed to prevent attackers from exploiting memory corruption errors can be completely bypassed because of a fundamental design weakness, according to researchers from the University of Padua, in Italy.
In a talk at the upcoming Black Hat Asia conference in Singapore later this month, the researchers plan to show how attackers can exploit the design weakness to execute code of their choice running in the application's context.
The design flaw exists in Control Flow Guard (CFG), a mechanism that Microsoft has implemented in all Windows operating systems from Windows 8.1 to the latest version of Windows 10. CFG, like Microsoft's Address Space Layout Randomization (ASLR), is one of several countermeasures deployed in recent years to protect against exploits targeting memory corruption vulnerabilities in software. The feature is currently present on more than 500 million Windows systems.
As the researchers from the University of Padua explain in a technical paper describing their exploit, CFG is designed to prevent attackers from hijacking a program's control flow and directing it toward their own malicious code. The mechanism works by ensuring the order in which a program executes functions — or its control flow — follows specific valid paths.
CFG restricts indirect calls or jumps — for example, via function pointers — to an "allowed" target set determined at compile time, says Andrea Biondo, a computer science student at the University of Padua. "So, an attacker can't just hijack execution to arbitrary locations."
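As an added illustration (not code from the article or from the researchers), this C program models the check CFG inserts before an indirect call: the allowed-target table and the guard function are constructed stand-ins for the compiler-generated target bitmap and the runtime check that consults it.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

typedef int (*handler_t)(int);

static int handler_add(int x) { return x + 1; }
static int handler_double(int x) { return x * 2; }
/* A function the compiler never registered as an indirect-call target; it
   stands in for any address a memory-corruption bug might write into a pointer. */
static int not_a_valid_target(int x) { return -x; }

/* Constructed stand-in for the compiler-generated CFG target set. Real CFG
   records valid targets in a bitmap over the image's address space; a plain
   list of permitted addresses is enough to model the check. */
static const handler_t cfg_valid_targets[] = { handler_add, handler_double };

static bool cfg_target_allowed(handler_t target) {
    size_t n = sizeof cfg_valid_targets / sizeof cfg_valid_targets[0];
    for (size_t i = 0; i < n; i++)
        if (cfg_valid_targets[i] == target)
            return true;
    return false;
}

/* Models the guard the compiler emits before every indirect call: the target
   is checked first, and a pointer outside the allowed set is never called.
   Sets *blocked to 1 and returns 0 when the call is refused. */
static int guarded_indirect_call(handler_t fp, int arg, int *blocked) {
    if (!cfg_target_allowed(fp)) {
        *blocked = 1;           /* real CFG terminates the process here */
        return 0;
    }
    *blocked = 0;
    return fp(arg);
}

int main(void) {
    int blocked;
    /* Legitimate dispatch through a registered function pointer. */
    int r1 = guarded_indirect_call(handler_double, 21, &blocked);
    printf("valid target   -> result %d, blocked %d\n", r1, blocked);
    /* The same call site after the pointer was overwritten with an
       address that is not in the allowed set: the guard refuses it. */
    int r2 = guarded_indirect_call(not_a_valid_target, 21, &blocked);
    printf("invalid target -> result %d, blocked %d\n", r2, blocked);
    return 0;
}
```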
The researchers' technique, which they call BATE, bypasses CFG completely, so an attacker can then apply more common and easier code-reuse techniques for the payload. Previous bypasses were more application-specific, while BATE requires only that certain common libraries be loaded in the victim process. "On 32-bit, basically everything is exploitable because the C runtime library is exposed to BATE," Biondo says.
"To the best of our knowledge, Microsoft is going to fix this in the RS4 Windows update," he adds.