Microsoft’s Control Flow Guard can be bypassed

Italian security researchers have developed a technique to bypass Control Flow Guard, the exploit mitigation supported in Windows 8.1 up to Windows 10 (and the server counterparts). The technique will be presented to the public at Black Hat Asia.

The site darkreading.com reported here on the findings of the security researchers at the University of Padua (Italy).

What is Control Flow Guard (CFG)?

Control Flow Guard (CFG) is a highly optimized platform security feature developed by Microsoft. Its aim is to mitigate the exploitation of memory corruption vulnerabilities. It does this by strictly controlling where an application is allowed to transfer execution through indirect calls. This makes it much more difficult for exploits to run malicious code via vulnerabilities such as buffer overflows. According to this Microsoft document, CFG complements existing exploit mitigations such as /GS, DEP and ASLR (Address Space Layout Randomization).

CFG is supported from Microsoft Visual Studio 2015 upward, but it has to be enabled when a program is compiled. It only takes effect on "CFG-aware" versions of Windows, which are the x86 and x64 versions of Windows 10 and Windows 8.1 Update (KB3000850) for the desktop and the corresponding Windows Server releases. Details about the technology can be read here.

A design flaw allows a bypass

Researchers at the University of Padua in Italy now claim to have found a fundamental design flaw that allows Control Flow Guard (CFG) to be bypassed completely.

As already explained above, CFG restricts the control flow of a program by ensuring that the sequence in which the program calls functions follows certain valid paths. For this purpose, CFG limits indirect calls or jumps (for example through function pointers) to a set of "permitted" targets. This set is determined at compile time, says Andrea Biondo, a computer science student at the University of Padua. "So an attacker can't just hijack [program execution] to any location."


As the University of Padua researchers explain in a technical document describing their exploit, Microsoft made some compromises in CFG to meet performance and backward-compatibility requirements. These compromises open up a design flaw that gives attackers a way to call pieces of code (gadgets) that should not be reachable. Those pieces of code can be chained together to circumvent the CFG restrictions completely.

"The restriction [on control flow] is only precise if the allowed targets are aligned to 16 bytes," says Biondo. "If they're not, there's a 16-byte inaccuracy around the target." Attackers can use this to bypass CFG. An evaluation of the Windows system libraries revealed many exploitable code locations (gadgets) that are loaded by almost all Windows applications on 32-bit systems and by web browsers on 64-bit systems, the security researchers say. "By combining the presence of non-aligned targets in shared libraries with the predictability of the layout of the functions generated by the compiler, we can bypass CFG," writes Biondo in the technical document.
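To make the 16-byte imprecision concrete, here is a small C simulation of a CFG-style target bitmap. This is an added teaching example, not code from the researchers, from Microsoft or from the blog: the two-bit-per-16-byte encoding is a simplified model of the real bitmap, and the function addresses (an aligned function at 0x400, an unaligned neighbour at 0x418 whose chunk also contains the first function's epilogue at 0x412) are assumed values chosen to illustrate the effect.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simplified model of the CFG bitmap: two bits per 16-byte chunk of address space.
   bit 0 = the chunk contains a permitted indirect-call target
   bit 1 = that target is NOT 16-byte aligned, so every address in the chunk passes
   (assumption: a didactic model, not the exact layout Windows uses) */
#define CHUNK_SHIFT 4
#define SPACE_SIZE  0x1000u                 /* model a 4 KiB code region */
#define NCHUNKS     (SPACE_SIZE >> CHUNK_SHIFT)

static uint8_t cfg_bitmap[NCHUNKS];          /* only the low two bits are used */

void cfg_reset(void) { memset(cfg_bitmap, 0, sizeof cfg_bitmap); }

/* Register a function entry as a permitted target (done at image load time). */
void cfg_register_target(uintptr_t target) {
    size_t idx = (size_t)(target >> CHUNK_SHIFT);
    cfg_bitmap[idx] |= 1;                    /* a valid target lives in this chunk */
    if (target & 0xF) cfg_bitmap[idx] |= 2;  /* unaligned: the whole chunk becomes valid */
}

/* The check executed before every indirect call (the guard-check routine). */
bool cfg_check(uintptr_t target) {
    size_t idx = (size_t)(target >> CHUNK_SHIFT);
    uint8_t bits = cfg_bitmap[idx];
    if (!(bits & 1)) return false;           /* no permitted target in this chunk */
    if (bits & 2) return true;               /* imprecise chunk: anything inside passes */
    return (target & 0xF) == 0;              /* precise chunk: only the aligned entry */
}

/* Count how many addresses in [lo, hi) would pass the check. */
unsigned count_valid_targets(uintptr_t lo, uintptr_t hi) {
    unsigned n = 0;
    for (uintptr_t a = lo; a < hi; a++) if (cfg_check(a)) n++;
    return n;
}

/* Assumed layout: FUNC_A starts at 0x400 (aligned); its epilogue, e.g. an
   "add rsp, 0x28 ; ret" sequence, is at 0x412; the compiler placed FUNC_B
   right after it at 0x418 without padding to 16 bytes. */
#define FUNC_A_ENTRY    0x400u
#define FUNC_A_EPILOGUE 0x412u
#define FUNC_B_ENTRY    0x418u

/* BATE's observation: registering the unaligned FUNC_B makes the 0x410..0x41F
   chunk imprecise, so FUNC_A's epilogue becomes a legal indirect-call target. */
bool bate_epilogue_reachable(void) {
    cfg_reset();
    cfg_register_target(FUNC_A_ENTRY);
    cfg_register_target(FUNC_B_ENTRY);
    return cfg_check(FUNC_A_EPILOGUE);
}

/* Same layout, but FUNC_B padded to the next 16-byte boundary: the epilogue
   chunk then carries no target at all and the gadget is rejected. */
bool bate_epilogue_reachable_when_aligned(void) {
    cfg_reset();
    cfg_register_target(FUNC_A_ENTRY);
    cfg_register_target(0x420u);
    return cfg_check(FUNC_A_EPILOGUE);
}

int main(void) {
    printf("epilogue callable with unaligned neighbour: %s\n",
           bate_epilogue_reachable() ? "yes" : "no");
    printf("epilogue callable with aligned neighbour:   %s\n",
           bate_epilogue_reachable_when_aligned() ? "yes" : "no");
    bate_epilogue_reachable();
    printf("valid targets in 0x400..0x420: %u (1 precise + 16 from the imprecise chunk)\n",
           count_valid_targets(0x400u, 0x420u));
    return 0;
}
```

The point of the model is the asymmetry it exposes: an aligned function costs the attacker exactly one permitted address, while a single unaligned function entry turns all 16 bytes of its chunk into permitted targets, and whatever the compiler laid out just before that entry (typically the previous function's epilogue) comes along for free.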

The researchers call their technique the Back to the Epilogue (BATE) attack and describe it as a generic bypass for Microsoft's Control Flow Guard. They will present the proof-of-concept code at the Black Hat Asia conference in Singapore at the end of the month. The demonstration uses BATE against the Edge browser on 64-bit Windows 10, says Biondo. The Edge vulnerabilities it relies on have been known for a long time; the sole goal is to show that BATE works in real-world attacks.

According to Biondo, BATE differs from other control-flow-integrity bypass techniques, such as Endgame's Counterfeit Object-Oriented Programming (COOP) from last August. Addendum: starting with Windows 10 version 1803 the issue is supposed to be fixed, and in April 2018 updates are expected for the Windows builds that support CFG. It'll all get better, until the next hole. (via)

This entry was posted in Security, Windows.