The Limitations of EMET on WoW64
Today, the Duo Labs team is publishing a research paper on the limitations of Microsoft’s Enhanced Mitigation Experience Toolkit (EMET) when applied to processes running under WoW64. Time and time again, the costs and risks associated with new technology adoption drive the software industry to provide backward compatibility layers that aim to ease the transition but instead become sacred, ingrained features.
Often times, these features obfuscate the behavior of and stifle the effectiveness of various security components as is exemplified by this paper. In my opinion it is only when backward compatibility gets taken off the table can evolutionary leaps in our security models be made. The perfect example of this is the contrast of the out-of-the-box security posture of ARM and x86 editions of Windows.
There is some historical precedent with the WoW64 subsystem reducing the effectiveness of exploit mitigations, and AV products, so we decided to take a look at the effectiveness of EMET under the same conditions.
Maintaining older code is fairly important for large vendors with large amounts of users, but securing a code base that architecturally stretches across a decade or two is a challenge. For someone like Microsoft which maintains an operating system and numerous applications that run on said operating system, trying to take advantage of security technologies such as Enhanced Mitigation Experience Toolkit (EMET), will lead to some scenarios where some things fall between the cracks.
Understanding the effectiveness of EMET exploit mitigations under this environment is important to deploying them in the most effective manner and qualifying its overall effectiveness to prevent software exploitation in today’s age.
Given that web browser exploitation continues to be one of the most common avenues for attackers to gain access to systems, we decided to take a look at some real-world data about the prevalence of 32-bit, 64-bit and WoW64 browser usage. Based on a week-long sample of browser authentication data for unique Windows systems, we observed that:
- Eighty percent of browsers were 32-bit processes executing on a 64-bit host (WoW64).
- Sixteen percent were 32-bit processes executing on a 32-bit host.
- The remaining 4% were true 64-bit processes.
As you can see, based on this data, WoW64 is the most popular execution environment for Windows browsers. While much of public vulnerability research focuses on pure 32-bit app exploitation, the fact is, a significant portion of 32-bit software is now running on 64-bit operating systems.
The original idea for this work came to us in the summer of 2013 while attending the REcon conference. After watching Elias Bachaalany’s “Inside EMET 4.0” presentation, we thought we had identified a seemingly obvious limitation to EMET’s effectiveness and decided to investigate. We developed a simple proof of concept which demonstrated the limitation and moved on to other things.
The following year at REcon we gave a lightning talk about the proposed technique, which was met with scepticism by some. We figured independent rediscovery of the technique was likely (as is often the case in this field) or that someone might reproduce our results publicly based on the presentation; this didn’t happen. As such, we decided to develop the concept further and applied the technique using a real-world vulnerability in an effort to qualify EMET’s overall effectiveness under WoW64. This paper is the result of that research.
"EMET mitigations have been bypassed before. This isn't new."
True. But this technique shows you how to bypass the majority of mitigations in one shot.
This paper is not meant to undermine the importance of having EMET deployed within an organization, but to highlight shortcomings within the current implementation. We are providing this information in the interest of helping defenders deploy EMET with the most effective strategies in mind. EMET continues to raise the bar for attackers and when applied to true (non-WoW64) 32 and 64-bit processes significantly complicates exploitation, often requiring purpose-built bypasses.
You can grab a copy of our paper in PDF format (yeah we know, sorry) here.