Using EMET to Disable EMET

Status
Not open for further replies.

Rishi

Level 19
Verified
Honorary Member
Top Poster
Well-known
Dec 3, 2015
938
This isn't surprising - the vulnerability mitigation software has a vulnerability itself. :D Hopefully MS will patch it soon. Again, no software is perfect, but a user sure can make it harder for anyone trying to exploit the existing loopholes.
 

Online_Sword

Level 12
Verified
Honorary Member
Top Poster
Well-known
Mar 23, 2015
555
Since the DllMain function of emet.dll is exported, the bypass does not require hard-coded version-specific offsets, and the technique works for all tested versions of EMET (4.1, 5.1, 5.2, 5.2.0.1).

So it also works for EMET 5.5 ... or not?
 
  • Like
Reactions: Venustus and Rishi

Rishi

Level 19
Verified
Honorary Member
Top Poster
Well-known
Dec 3, 2015
938
If an attacker can bypass EMET with significantly less work, then it defeats EMET’s purpose of increasing the cost of exploit development. We present such a technique in the section New Technique to Disable EMET. Microsoft has issued a patch to address this issue in EMET 5.5.
It says EMET 5.5 is patched; the exploit procedure has been published for version 5.2, but knowing it is MS, anything is possible.
 

Solarquest

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 22, 2014
2,525
EMET knocks out EMET. And the winner is ... nobody. Except Linux advocates

24 Feb 2016 at 07:38, Darren Pauli

FireEye security wonks Abdulellah Alsaheel and Raghav Pande have twisted the barrels of Microsoft's lauded EMET Windows defence gun 180 degrees and fired.

The result of their research is p0wnage of the enhanced mitigation toolkit so that instead of defending Windows it attacks it.

The attacks the pair found affect older versions of Windows which rely on EMET for modern defences like address space layout randomisation and data execution prevention.

Windows 10 already has much of EMET's payload baked in save for some newly-added features in the latest version 5.5, which is also patched against Alsaheel's and Pande's hack.

The duo say their research targets an area of EMET code that unloads the software.

"The code systematically disables EMET’s protections and returns the program to its previously unprotected state," the pair says.

"One simply needs to locate and call this function to completely disable EMET.

"Jumping to this function results in subsequent calls, which remove EMET’s installed hooks."

Various historical EMET bypasses have focused on exploiting missing features and implementation flaws.

By contrast, Alsaheel's and Pande's hack turns EMET's protections off, all while fitting into a short basic return-oriented programming chain.

"This new technique uses EMET to unload EMET protections," they say. "It is reliable and significantly easier than any previously published EMET disabling or bypassing technique."


...better to update to the latest 5.5.... :)
 

frogboy

In memoriam 1961-2018
Verified
Top Poster
Well-known
Jun 9, 2013
6,720
A hacking team has used Microsoft’s EMET security tool to turn the crosshairs on … well, EMET. This means Redmond’s own software has been used to shoot itself in the foot.


While testing for loopholes, security company FireEye found a way to disable the Microsoft’s Enhanced Mitigation Experience Toolkit, and the team achieved it by only using EMET.

Microsoft EMET is designed to locate and trap malicious behavior by placing anti-malware protocols into applications.
Abdulellah Alsaheel and Raghav Pande of FireEye turned the toolkit 180 degrees on itself to target EMET code that turns off the EMET feature.

If a hacker was to follow the code application, it would be possible to shut down the toolkit from within the service, meaning apps would not be protected.

“The code systematically disables EMET’s protections and returns the program to its previously unprotected state,” the pair says.

“One simply needs to locate and call this function to completely disable EMET. Jumping to this function results in subsequent calls, which remove EMET’s installed hooks.”

The exploit only affects 5.0, 5.1, and 5.2 of the Enhanced Mitigation Experience Toolkit, so those using Windows 10 are fine. Microsoft’s latest platform has EMET baked in directly to apps and the latest version 5.5, released on February 2nd, fixes the breach.

Full Article. Microsoft Security Tool EMET Hacked By EMET - WinBuzzer
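
The FireEye quote earlier in the thread ("Since the DllMain function of emet.dll is exported, the bypass does not require hard-coded version-specific offsets") and the articles' "one simply needs to locate and call this function" both turn on one property of the binary: the unload routine is reachable through a name in the PE export table, so it can be resolved the same way GetProcAddress does it instead of by patching in per-version offsets. The script below is an added example for this thread, not FireEye's or Microsoft's code and not a bypass: it parses a PE export table and reports whether a given symbol (here "DllMain") is exported, which is how a defender or reviewer would confirm the property on any DLL they ship or audit. The tiny PE32+ image it builds (`build_fake_dll`, with the export names "DllMain" and "Initialize" and the DLL name "fake.dll") is a constructed fixture so the script runs offline; it is not emet.dll and says nothing about EMET's real export list beyond what the thread quotes.

```python
"""Enumerate a PE file's export-by-name table and check for a named export.

Added example (not FireEye's or Microsoft's code). The fixture built by
build_fake_dll() is constructed here purely so the parser can be exercised
offline; it is not emet.dll.
"""
import struct
import sys

IMAGE_DIRECTORY_ENTRY_EXPORT = 0


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA 0x{rva:x} is not inside any section")


def _cstr(data, off):
    return data[off:data.index(b"\x00", off)].decode("ascii")


def pe_exports(data: bytes) -> list[str]:
    """Return the names in the export name table (empty if no export directory)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad PE signature")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER
    _machine, nsec, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, fh)
    opt = fh + 20                                        # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                   # PE32: data directories at +96
        dd_off = opt + 96
    elif magic == 0x20B:                                 # PE32+: data directories at +112
        dd_off = opt + 112
    else:
        raise ValueError(f"unknown optional header magic 0x{magic:x}")
    exp_rva, _exp_size = struct.unpack_from("<II", data, dd_off + 8 * IMAGE_DIRECTORY_ENTRY_EXPORT)
    if exp_rva == 0:
        return []
    sections = []
    sec_table = opt + opt_size
    for i in range(nsec):                                # IMAGE_SECTION_HEADER is 40 bytes
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, sec_table + 40 * i + 8)
        sections.append((va, vsize, raw_ptr, raw_size))
    # IMAGE_EXPORT_DIRECTORY (40 bytes); we only need NumberOfNames and AddressOfNames.
    exp = _rva_to_offset(sections, exp_rva)
    (_, _, _, _, _name, _base, _nfunc, nnames,
     _addr_funcs, addr_names, _addr_ords) = struct.unpack_from("<IIHHIIIIIII", data, exp)
    names_off = _rva_to_offset(sections, addr_names)
    return [_cstr(data, _rva_to_offset(sections, struct.unpack_from("<I", data, names_off + 4 * i)[0]))
            for i in range(nnames)]


def exports_symbol(data: bytes, symbol: str) -> bool:
    """Case-sensitive by-name lookup, matching GetProcAddress semantics."""
    return symbol in pe_exports(data)


def build_fake_dll(export_names):
    """Constructed fixture: a minimal PE32+ image with one .rdata section holding an export table."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                       # e_lfanew
    img[0x40:0x44] = b"PE\x00\x00"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x8664, 1, 0, 0, 0, 240, 0x2022)  # x64, 1 section, DLL
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x20B)                       # PE32+ magic
    sec_va, sec_raw, sec_size = 0x1000, 0x200, 0x200
    struct.pack_into("<II", img, opt + 112, sec_va, sec_size)     # export directory RVA/size
    sec = opt + 240
    img[sec:sec + 8] = b".rdata\x00\x00"
    struct.pack_into("<IIII", img, sec + 8, sec_size, sec_va, sec_size, sec_raw)
    n = len(export_names)
    funcs_rva = sec_va + 40
    names_rva = funcs_rva + 4 * n
    ords_rva = names_rva + 4 * n
    str_rva = ords_rva + 2 * n

    def put_str(s):
        nonlocal str_rva
        rva, b = str_rva, s.encode("ascii") + b"\x00"
        off = sec_raw + (rva - sec_va)
        img[off:off + len(b)] = b
        str_rva += len(b)
        return rva

    dll_name_rva = put_str("fake.dll")
    struct.pack_into("<IIHHIIIIIII", img, sec_raw, 0, 0, 0, 0, dll_name_rva, 1, n, n,
                     funcs_rva, names_rva, ords_rva)
    for i, name in enumerate(export_names):
        struct.pack_into("<I", img, sec_raw + (funcs_rva - sec_va) + 4 * i, 0x2000 + 0x10 * i)  # dummy code RVA
        struct.pack_into("<I", img, sec_raw + (names_rva - sec_va) + 4 * i, put_str(name))
        struct.pack_into("<H", img, sec_raw + (ords_rva - sec_va) + 2 * i, i)
    return bytes(img)


if __name__ == "__main__":
    # Pass a real DLL path to inspect it; with no argument the constructed fixture is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_fake_dll(["DllMain", "Initialize"])
    print("exports:", pe_exports(blob))
    print("DllMain exported:", exports_symbol(blob, "DllMain"))
```

Run it against any DLL (`python pe_exports.py some.dll`) to list its named exports; an exported DllMain is unusual for a Windows DLL, since the loader calls DllMain itself and does not need it in the export table, which is why its presence was enough to make the routine findable without offsets.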
 

jamescv7

Level 85
Verified
Honorary Member
Mar 15, 2011
13,070
Honestly, that's the clever one, because it only knows that their product itself is not safe against those possible synthetic tests.

Remember that in order to protect something, make sure you are immune at all. ;)
 
