For over a year our enSilo researchers have been looking into hooking engines and injection methods used by different vendors. It all started back in 2015 when we noticed an injection issue in AVG, but this was only the tip of the iceberg. A few months after that we noticed similar issues in McAfee and Kaspersky Anti-Virus. At that point we decided to extend our research and look into the security implications of hooking engines and injection techniques. The results were depressing.
The problem was not limited to security products. Our research started by simply installing different Anti-Virus (AV) products and testing how their hooking engines and injection techniques worked. Once we discovered that such problems are prominent in the AV domain, we extended the research to include more security products such as Data Leak Prevention (DLP), Anti-Exploitation and Host Intrusion Prevention Systems (HIPS). However, since the use of hooking is not limited to security products, we also analyzed other types of products such as virtualization applications, performance monitoring tools and more.
Overall, at enSilo we found 6(!) different common security issues that stem from incorrect implementation of code hooking and injection techniques. These issues were found in more than 15 different products. However, the most impactful discovery was that 3 different hooking engines also suffer from these kinds of problems, including the most popular commercial hooking engine in the world - Microsoft Detours (scheduled to patch in August). In practice this means that probably thousands of products are affected, including Office, and therefore that millions of devices are affected by their vulnerability.
At Black Hat 2016 the enSilo team will reveal the full research results in their talk: "Captain Hook: Pirating AVs to Bypass Exploit Mitigations", taking place on Wednesday August 3rd, 4:20pm-5:10pm at the Jasmine Ballroom (details appear at the end of this post).
In the meantime, here’s a short Q&A for some background info on our findings.
Q: Which software is affected?
- Microsoft’s hooking engine, Detours. Quoting Microsoft.com: “Under commercial release for over 10 years, Detours is licensed by over 100 ISVs [independent software vendors] and used within nearly every product team at Microsoft.”
- Trend Micro
- Citrix XenDesktop
We have notified all these vendors over the past 8 months. Some of them fixed the issues immediately, such as WebRoot, AVG and BitDefender, while others were slower to patch, with a few releasing a fix only in the past month.
Q: How widespread is it? How many users/systems/companies are infected or potentially affected?
Microsoft's Detours is the most popular hooking engine in the world, used by more than 100 ISVs, so this could potentially affect millions of users.
Any customer of the above products that is still vulnerable is affected by these flaws. Moreover, in most cases fixing the issue requires recompiling each product individually, which makes patching extremely hard.
Q: What is “hooking”?
Hooking is a technique used by software, such as products that do virtualization, sandboxing and performance monitoring, to monitor and/or change the behavior of operating system functions in order to operate effectively. It’s particularly critical for security products. For example, antivirus software typically uses hooking to monitor for malicious activity on a system, and most anti-exploitation solutions monitor memory allocation functions in order to detect vulnerability exploitation. Because the hook code runs inside every process it monitors, a security bug in the hooking function exposes the whole system to compromise.
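To make the concept concrete, here is an added example (written for this post, not enSilo's code and not the code of any hooking engine or vendor mentioned here). It models a user-mode hook as an interposition on an import table: the application resolves its allocation routine through the table, the "engine" swaps the table entry for a hook, and the hook records each call, applies an anti-exploitation style policy (refusing memory that is both writable and executable) and chains to the original. The `MEM_*` flags, `sys_alloc`, `app_allocate` and the `imports` table are constructed for this example and are not real OS APIs; real engines patch the target function's prologue with a jump and build a trampoline instead, which is the part where the issues discussed in this post arise.

```c
/* Constructed example of import-table hooking with a chained original.
 * Nothing here is a real OS API; names are invented for illustration. */
#include <stdio.h>
#include <stdlib.h>

/* Constructed page-protection flags (not the POSIX PROT_* constants). */
#define MEM_R 1u
#define MEM_W 2u
#define MEM_X 4u

typedef void *(*alloc_fn)(size_t size, unsigned prot);

/* Stand-in for the operating system's allocator; prot is ignored here
 * because the point is the interposition, not the allocator itself. */
static void *sys_alloc(size_t size, unsigned prot) {
    (void)prot;
    return malloc(size);
}

/* Import table: application code resolves functions through it,
 * in the spirit of a PE import address table. */
struct import_table { alloc_fn alloc; };
static struct import_table imports = { sys_alloc };

/* Hook bookkeeping: the original pointer the hook must chain to. */
static alloc_fn original_alloc = NULL;
static unsigned long calls_seen = 0, calls_blocked = 0;

/* The hook: count every call, refuse writable+executable memory
 * (a typical anti-exploitation policy), and forward everything else. */
static void *alloc_hook(size_t size, unsigned prot) {
    calls_seen++;
    if ((prot & MEM_W) && (prot & MEM_X)) {
        calls_blocked++;
        fprintf(stderr, "[hook] blocked W+X allocation of %zu bytes\n", size);
        return NULL;
    }
    return original_alloc(size, prot);   /* chain to the real function */
}

/* Install the hook exactly once; returns 0 on success, -1 if already set. */
int install_alloc_hook(void) {
    if (original_alloc != NULL) return -1;
    original_alloc = imports.alloc;      /* remember where to chain */
    imports.alloc = alloc_hook;          /* redirect the import */
    return 0;
}

/* Restore the original entry; returns 0 on success, -1 if not hooked. */
int remove_alloc_hook(void) {
    if (original_alloc == NULL) return -1;
    imports.alloc = original_alloc;
    original_alloc = NULL;
    return 0;
}

/* Application code: it never knows whether the import is hooked. */
void *app_allocate(size_t size, unsigned prot) {
    return imports.alloc(size, prot);
}

unsigned long hook_calls_seen(void)    { return calls_seen; }
unsigned long hook_calls_blocked(void) { return calls_blocked; }

int main(void) {
    install_alloc_hook();
    void *rw  = app_allocate(64, MEM_R | MEM_W);           /* allowed */
    void *rwx = app_allocate(64, MEM_R | MEM_W | MEM_X);   /* blocked */
    printf("rw=%s rwx=%s seen=%lu blocked=%lu\n",
           rw ? "ok" : "NULL", rwx ? "ok" : "NULL",
           hook_calls_seen(), hook_calls_blocked());
    free(rw);
    remove_alloc_hook();
    return 0;
}
```

The two properties worth noticing are the ones a real engine must also get right: the hook chains to a saved copy of the original rather than re-implementing it, and install/remove are guarded so a double install cannot overwrite the saved original with the hook itself (which would make the hook call itself forever). The hook runs with the privileges and memory protections of the host process, so any memory the engine writes for trampolines inherits that process's exposure.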
Q: What is the potential damage? How might an attacker exploit this?
Most of these vulnerabilities allow an attacker to easily bypass the operating system's and third-party exploit mitigations. This means an attacker may be able to leverage them to exploit vulnerabilities that would otherwise be very difficult, or even impossible, to weaponize. The worst of them would allow the attacker to stay undetected on the victim’s machine or to inject code into any process in the system.
Q: How does one mitigate against it?
Companies using affected software should get patches from the vendors, if available, and demand patches if they aren’t yet available. Customers using software from the affected vendors should contact their vendors and demand that the software be patched.
That said, we are fully aware of the complexity of patching. Given that, what's needed is an approach that assumes the environment is already compromised: instead of trying only to keep threat actors from entering the environment, it deals with the fact that they're already within and works towards preventing the consequences (be it theft, ransoming, or tampering of data).
Q: How long have the vulnerabilities been around?
It’s unclear and depends on the product. We believe that the vulnerability already existed in Detours version 3, which was released about a decade ago, so we suspect it’s been there for at least 8 years.
Update (July 20): Clarified that some vendors have fixed this issue immediately, as well as recognizing the patching complexity.
Update (July 24): Updated with Trend Micro.
Join the talk by enSilo's researchers at BlackHat
CAPTAIN HOOK: PIRATING AVS TO BYPASS EXPLOIT MITIGATIONS
Tomer Bitton | VP Research and co-founder, enSilo
Udi Yavo | CTO and co-founder, enSilo
Location: Jasmine Ballroom
Date: Wednesday, August 3 | 4:20pm-5:10pm
Format: 50 Minute Briefing
Put a low-level security researcher in front of hooking mechanisms and you get industry-wide vulnerability notifications, affecting security tools such as Anti-Virus, Anti-Exploitation and DLP, as well as non-security applications such as gaming and productivity tools. In this talk we reveal six(!) different security issues that we uncovered in various hooking engines. The vulnerabilities we found enable a threat actor to bypass the security measures of the underlying operating system. As we uncovered the vulnerabilities one by one we found them to impact commercial engines, such as Microsoft's Detours, open source engines such as EasyHook and proprietary engines such as those belonging to TrendMicro, Symantec, Kaspersky and about twenty others.
In this talk we'll survey the different vulnerabilities and deep dive into a couple of them. In particular, we'll take a close look at a vulnerability appearing in the most popular commercial hooking engine of a large vendor. This vulnerability affects the most widespread productivity applications and forced the vendor not only to fix their engine, but also to have their customers fix their applications before releasing the patch to the public. Finally, we'll demonstrate how security tools can be used as an intrusion channel for threat actors, ironically defeating security measures.
Visit enSilo's BlackHat Booth at Innovation City to Learn More about Our Real-time Data Protection Platform.
And discover.... who's Uncle Joe?!