If you are interested in the effectiveness of Microsoft’s free Enhanced Mitigation Experience Toolkit (EMET) read Gal Badashi at the Security Bits blog post Tweaking Metasploit Modules to Bypass EMET – Part 1. He takes a released Metasploit exploit and payload and tries to bypass EMET security.
Those new to EMET should watch Microsoft’s Suha Can’s presentation at S4 2012. This is potentially a powerful tool for ICS owner/operators who have an unresponsive or out of business vendor who will not fix known vulnerabilities in legacy SCADA or DCS applications. It was never positioned to make an application impregnable. Rather the idea is EMET will break most exploits and payloads that are downloaded in exploit frameworks and require the attacker to do some modification to the code. This will stop a large number of threats, but obviously not the more talented and motivated.
In his post, Gal tries the Poison Ivy exploit on a Windows XP SP3 system. He succeeds in bypassing EMET, but in three ways it is an EMET success.
- In this example, the payload had to be modified to work
- In his process of learning how to bypass EMET, EMET displayed multiple warnings that someone was attacking the system. Detection.
- Exploit/payload combinations are likely to require different modifications so there is no general solution to bypassing EMET — at least not yet
Paradoxically the more popular EMET becomes, the less effective it is likely to be. If EMET is widely used then exploit writers will have a design goal of bypassing EMET. This is not true today with the myriad of exploits and payloads available in the popular tools.
This was only Part 1 of a blog series. Let’s see how EMET performs in his future examples.