COMMSEC: Disarming EMET 5.52


This talk will present a new disarming flaw that can be used to prevent all anti-ROP checks in EMET 5.5x from ever being performed. The disarming condition arises because references to the read-only CONFIG_STRUCT are always retrieved from the process heap, which is mapped with PAGE_READWRITE protection. This is obscured by the use of DecodePointer throughout EMET.

Presentation Outline

  • Short introduction of EMET
  • Short introduction of info leak / RW-primitive requirement
  • Recap of Offensive Security research on disarming EMET 4.1 and 5.0 and how these disarms were fixed
  • New disarming flaw identification
  • New disarming flaw exploitation
  • Purpose of EAF, what changed in EMET 5.5x and how to bypass it

Speaker: Niels Warnars
Location: Track 4 / CommSec
Date: April 13, 2017
Time: 10:45 am - 11:15 am