Online_Sword

New Member
Verified
Trusted
Since the DllMain function of emet.dll is exported, the bypass does not require hard-coded version-specific offsets, and the technique works for all tested versions of EMET (4.1, 5.1, 5.2, 5.2.0.1).
So it also works for EMET 5.5 ... or not?
 

Rishi

Level 19
Verified
Trusted
If an attacker can bypass EMET with significantly less work, then it defeats EMET’s purpose of increasing the cost of exploit development. We present such a technique in the section New Technique to Disable EMET. Microsoft has issued a patch to address this issue in EMET 5.5.
It says EMET 5.5 is patched; the exploit procedure has been published for version 5.2, but knowing it is MS, anything is possible.
 

Solarquest

Level 33
Verified
Staff member
Malware Hunter
EMET knocks out EMET. And the winner is ... nobody. Except Linux advocates

24 Feb 2016 at 07:38, Darren Pauli

FireEye security wonks Abdulellah Alsaheel and Raghav Pande have twisted the barrels of Microsoft's lauded EMET Windows defence gun 180 degrees and fired.

The result of their research is p0wnage of the enhanced mitigation toolkit so that instead of defending Windows it attacks it.

The attacks the pair found affect older versions of Windows which rely on EMET for modern defences like address space layout randomisation and data execution prevention.

Windows 10 already has much of EMET's payload baked in save for some newly-added features in the latest version 5.5, which is also patched against Alsaheel's and Pande's hack.

The duo say their research targets an area of EMET code that unloads the software.

"The code systematically disables EMET’s protections and returns the program to its previously unprotected state," the pair says.

"One simply needs to locate and call this function to completely disable EMET.

"Jumping to this function results in subsequent calls, which remove EMET’s installed hooks."

Various historical EMET bypasses have focused on exploiting missing features and implementation flaws.

By contrast, Alsaheel's and Pande's hack turns off EMET's protections, all while fitting into a short basic return-oriented programming chain.

"This new technique uses EMET to unload EMET protections," they say. "It is reliable and significantly easier than any previously published EMET disabling or bypassing technique."


...better to update to latest 5.5....:)
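The two quotes above (FireEye's line that emet.dll's DllMain is exported, and the Register's description of simply locating and calling the unload routine) hinge on one fact: the disabling routine can be found by name in the DLL's export table, so an exploit needs no version-specific offset, exactly as it would call GetProcAddress. What follows is an added example, not FireEye's code and not from any of the posts: a minimal PE export-table reader in Python that answers the thread's question for whatever build you have on disk, "does this emet.dll still export DllMain?". The sample DLL image the script builds for offline testing is a constructed stub (an MZ/PE header plus a single section holding only an export directory; it is not loadable), and its export names "DllMain" and "HookInstaller" and file name "sample.dll" are made up for the example, not EMET's real exports.

```python
import struct
import sys


def build_sample_dll(names, sec_rva=0x1000, sec_raw=0x200):
    """Constructed sample input: a stub PE32 image exporting `names` by name.

    Only the fields a GetProcAddress-style lookup reads are filled in; the
    image is not loadable. Export names are invented for the example.
    """
    n = len(names)
    func_tbl = 40                      # IMAGE_EXPORT_DIRECTORY is 40 bytes
    name_tbl = func_tbl + 4 * n        # AddressOfFunctions: n DWORDs
    ord_tbl = name_tbl + 4 * n         # AddressOfNames: n DWORDs
    str_start = ord_tbl + 2 * n        # AddressOfNameOrdinals: n WORDs
    strings, name_rvas = b"", []
    for nm in names:
        name_rvas.append(sec_rva + str_start + len(strings))
        strings += nm.encode("ascii") + b"\0"
    dll_name_rva = sec_rva + str_start + len(strings)
    strings += b"sample.dll\0"         # made-up module name
    export_dir = struct.pack(
        "<IIHHIIIIIII", 0, 0, 0, 0, dll_name_rva, 1, n, n,
        sec_rva + func_tbl, sec_rva + name_tbl, sec_rva + ord_tbl)
    funcs = b"".join(struct.pack("<I", 0x2000 + 0x10 * i) for i in range(n))
    names_b = b"".join(struct.pack("<I", r) for r in name_rvas)
    ords = b"".join(struct.pack("<H", i) for i in range(n))
    section = export_dir + funcs + names_b + ords + strings

    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                   # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)                                       # PE32: 96 + 16*8
    struct.pack_into("<H", opt, 0, 0x10B)                      # Magic = PE32
    struct.pack_into("<II", opt, 96, sec_rva, len(section))    # DataDirectory[0]
    sec_hdr = struct.pack("<8sIIIIIIHHI", b".edata", len(section), sec_rva,
                          len(section), sec_raw, 0, 0, 0, 0, 0x40000040)
    image = bytearray(dos + b"PE\0\0" + file_hdr + opt + sec_hdr)
    image += b"\0" * (sec_raw - len(image))
    return bytes(image + section)


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, raw_size, raw_ptr, vsize in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError("RVA 0x%x is not backed by any section" % rva)


def exported_names(image):
    """Return the names in the export directory of a PE file (bytes)."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    nsec = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    magic = struct.unpack_from("<H", image, opt)[0]
    dd_off = opt + (96 if magic == 0x10B else 112)           # PE32 vs PE32+
    export_rva = struct.unpack_from("<I", image, dd_off)[0]
    if export_rva == 0:
        return []                                              # no exports at all
    sec_off = opt + opt_size
    sections = []
    for i in range(nsec):
        vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<IIII", image, sec_off + 40 * i + 8)
        sections.append((va, raw_size, raw_ptr, vsize))
    exp = _rva_to_offset(sections, export_rva)
    n_names = struct.unpack_from("<I", image, exp + 24)[0]     # NumberOfNames
    names_rva = struct.unpack_from("<I", image, exp + 32)[0]   # AddressOfNames
    names_off = _rva_to_offset(sections, names_rva)
    out = []
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", image, names_off + 4 * i)[0]
        off = _rva_to_offset(sections, name_rva)
        out.append(image[off:image.index(b"\0", off)].decode("latin-1"))
    return out


def exports_dllmain(image):
    """True if the DLL exposes DllMain by name, i.e. it is reachable by
    name lookup rather than by a version-specific offset."""
    return "DllMain" in exported_names(image)


if __name__ == "__main__":
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    print("DllMain exported:", exports_dllmain(data))
```

Point it at a copy of emet.dll from the build you run (`python check_exports.py emet.dll`); on a machine with Visual Studio, `dumpbin /exports emet.dll` gives the same list. Two caveats: a build that no longer exports DllMain has only removed the by-name route, the unload routine itself may still exist and be reachable with a version-specific offset; and an exported DllMain is only the precondition the FireEye quote describes, not proof that calling it unhooks that particular build.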
 

frogboy

Level 75
Verified
Trusted
A hacking team has used Microsoft’s EMET security tool to turn the crosshairs on … well, EMET. This means Redmond’s own software has been used to shoot itself in the foot.


While testing for loopholes, security company FireEye found a way to disable Microsoft's Enhanced Mitigation Experience Toolkit, and the team achieved it by only using EMET.

Microsoft EMET is designed to locate and trap malicious behavior by placing anti-malware protocols into applications.
Abdulellah Alsaheel and Raghav Pande of FireEye turned the toolkit 180 degrees on itself to target EMET code that turns off the EMET feature.

If a hacker was to follow the code application, it would be possible to shut down the toolkit from within the service, meaning apps would not be protected.

"The code systematically disables EMET's protections and returns the program to its previously unprotected state," the pair says.

"One simply needs to locate and call this function to completely disable EMET. Jumping to this function results in subsequent calls, which remove EMET's installed hooks."

The exploit only affects 5.0, 5.1, and 5.2 of the Enhanced Mitigation Experience Toolkit, so those using Windows 10 are fine. Microsoft’s latest platform has EMET baked in directly to apps and the latest version 5.5, released on February 2nd, fixes the breach.

Full Article. Microsoft Security Tool EMET Hacked By EMET - WinBuzzer
 

jamescv7

Level 61
Verified
Trusted
Honestly, that's a clever one, because it only knows that their product itself is not safe against those possible synthetic tests.

Remember that in order to protect something, you must make sure you are immune yourself. ;)