Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/8/2018
04:38 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

CIGslip Lets Attackers Bypass Microsoft Code Integrity Guard

The new technique would enable attackers to inject malicious content into Microsoft Edge and other protected processes.

A new attack method lets attackers bypass Microsoft's Code Integrity Guard (CIG) and inject malicious code into protected processes, including Microsoft Edge. Researchers at Morphisec this week disclosed the details of the technique and proof-of-concept code.

CIG is a mitigation that was first introduced in Windows 10 in 2015, and later became part of Device Guard. It restricts loaded images to those signed by Microsoft, WQL, and in some cases, the Microsoft Store. The biggest benefit of CIG, researchers report, is it stops unauthorized code loading from adware and malware that has already infected the system. If an app is protected with CIG, it's protected from other compromised parts of the same machine.

This technique, dubbed CIGslip, was discovered by researchers learning how to protect the Edge browser, explains Michael Gorelik, CTO and vice president of R&D at Morphisec. The team wanted to see how they would test their protect and load DLL without the process of signing. Edge is protected by CIG, as are several processes in the latest version of Windows 10.

CIGslip bypasses CIG's security mechanisms while mimicking natural Windows DLL loading from the disk. The technique abuses a non-CIG enabled process, the most popular form of process on Windows, to inject code into a CIG-protected target process. This serves as an entry point for an attacker to load any kind of code, malicious or benign, into Microsoft Edge.

"We found this very easy technique … I'm really surprised no one uses it," Gorelik says. "This technique allowed us to load any DLL we wanted, any model we wanted, into any protected CIG process without triggering any alert notification."

CIGslip could have "serious destructive potential" if it gains popularity among cybercriminals, Gorelik writes in a blog post. Windows users are vulnerable in several ways, he reports, and businesses running Windows machines should understand the potential damage.

"We do see CIG as a very important concept that blocked a major amount of adversaries and malware that tried to inject into the Edge browser," says Gorelik. Attackers could bypass CIG to steal passwords or browser history, or affect processes running outside Edge.

"With this technique I can download the same adware and malware and load it into the Edge browser, or any other process," he explains.

The CIGslip method is sneaky. "You don't know you're attacked unless you're monitoring and okaying every single process in the system," Gorelik continues. "You definitely need to do strict detection for this."

Morphisec approached Microsoft with its findings because "we considered it a very critical and serious vulnerability," says Gorelik. Microsoft claims CIGslip is "outside the scope of CIG," he explains, and the company explains its reasoning for this in its bounty terms. While this doesn't mean Microsoft will never address the problem, it also won't prioritize it.

Microsoft reports CIG was not designed to protect against the scenario Morphisec researchers are describing, and a different tool was created to defend machines from this type of attack.

"Our security feature known as Windows Defender Application Control (WDAC) protects our customers against the technique described," a spokesperson says. "The Code Integrity Guard (CIG) feature was not designed to address this scenario."

The biggest implication, according to Morphisec, is attackers could use CIGslip to inject browser malware or adware. However, there is also potential for vendors to manipulate this method. CIG makes it harder for third-party security vendors to protect Edge because they need a DLL signed by Microsoft for each protective process. Some might inject protective code outside Microsoft's signing process.

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-11559
PUBLISHED: 2019-09-17
A reflected Cross-site scripting (XSS) vulnerability in HRworks V 1.16.1 allows remote attackers to inject arbitrary web script or HTML via the URL parameter to the Login component.
CVE-2019-15729
PUBLISHED: 2019-09-17
An issue was discovered in GitLab Community and Enterprise Edition 8.18 through 12.2.1. An internal endpoint unintentionally disclosed information about the last pipeline that ran for a merge request.
CVE-2016-10983
PUBLISHED: 2019-09-17
The ghost plugin before 0.5.6 for WordPress has no access control for wp-admin/tools.php?ghostexport=true downloads of exported data.
CVE-2016-10984
PUBLISHED: 2019-09-17
The echosign plugin before 1.2 for WordPress has XSS via the inc.php page parameter.
CVE-2016-10985
PUBLISHED: 2019-09-17
The echosign plugin before 1.2 for WordPress has XSS via the templates/add_templates.php id parameter.