Skip to content
April 29, 2014 / Rafal Wojtczuk

“Bypassing endpoint protections” @ BSides London

This week I presented at BSides London. The talk is titled “Layers on layers: bypassing endpoint protection”. The purpose of this talk is to reiterate on the (well-known) common weakness of most endpoint protection products – their reliance on kernel integrity. Once the attacker achieves arbitrary code execution in the kernel, there is no barrier left that would prevent from tampering with kernel-based security software.

Particularly, I will show that by enhancing the public exploit for EPATHOBJ vulnerability with a custom kernel payload, it is possible to break many protections in a generic way. It does not help if multiple products are layered up together – if they all depend on kernel integrity, then a single kernel vulnerability (which are plenty on Windows) can result in the compromise.

In this talk, we stack up various Layers of security technologies and then use the custom kernel exploit to ultimately bypass them all. The layers tested for this presentation are: Anti Virus, Host IPS, App Sandboxes, EMET, Kernel Rootkit Detectors and Intel SMEP.

I think the most interesting pieces of the presentation will be another technique to conveniently bypass SMEP and the overview of methods of injecting code into usermode processes from the kernel (all on Windows platform). The slides explain the technique with more details.

 

P.S: As obvious, no extra effort was needed to bypass AV or EMET as these can’t do much for kernel mode attacks

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: