Vulnerabilities / Threats

3/8/2018
04:38 PM
Connect Directly
Twitter
LinkedIn
Google+
RSS
E-Mail
50%
50%

CIGslip Lets Attackers Bypass Microsoft Code Integrity Guard

The new technique would enable attackers to inject malicious content into Microsoft Edge and other protected processes.

A new attack method lets attackers bypass Microsoft's Code Integrity Guard (CIG) and inject malicious code into protected processes, including Microsoft Edge. Researchers at Morphisec this week disclosed the details of the technique and proof-of-concept code.

CIG is a mitigation that was first introduced in Windows 10 in 2015, and later became part of Device Guard. It restricts loaded images to those signed by Microsoft, WQL, and in some cases, the Microsoft Store. The biggest benefit of CIG, researchers report, is it stops unauthorized code loading from adware and malware that has already infected the system. If an app is protected with CIG, it's protected from other compromised parts of the same machine.

This technique, dubbed CIGslip, was discovered by researchers learning how to protect the Edge browser, explains Michael Gorelik, CTO and vice president of R&D at Morphisec. The team wanted to see how they would test their protect and load DLL without the process of signing. Edge is protected by CIG, as are several processes in the latest version of Windows 10.

CIGslip bypasses CIG's security mechanisms while mimicking natural Windows DLL loading from the disk. The technique abuses a non-CIG enabled process, the most popular form of process on Windows, to inject code into a CIG-protected target process. This serves as an entry point for an attacker to load any kind of code, malicious or benign, into Microsoft Edge.

"We found this very easy technique … I'm really surprised no one uses it," Gorelik says. "This technique allowed us to load any DLL we wanted, any model we wanted, into any protected CIG process without triggering any alert notification."

CIGslip could have "serious destructive potential" if it gains popularity among cybercriminals, Gorelik writes in a blog post. Windows users are vulnerable in several ways, he reports, and businesses running Windows machines should understand the potential damage.

"We do see CIG as a very important concept that blocked a major amount of adversaries and malware that tried to inject into the Edge browser," says Gorelik. Attackers could bypass CIG to steal passwords or browser history, or affect processes running outside Edge.

"With this technique I can download the same adware and malware and load it into the Edge browser, or any other process," he explains.

The CIGslip method is sneaky. "You don't know you're attacked unless you're monitoring and okaying every single process in the system," Gorelik continues. "You definitely need to do strict detection for this."

Morphisec approached Microsoft with its findings because "we considered it a very critical and serious vulnerability," says Gorelik. Microsoft claims CIGslip is "outside the scope of CIG," he explains, and the company explains its reasoning for this in its bounty terms. While this doesn't mean Microsoft will never address the problem, it also won't prioritize it.

Microsoft reports CIG was not designed to protect against the scenario Morphisec researchers are describing, and a different tool was created to defend machines from this type of attack.

"Our security feature known as Windows Defender Application Control (WDAC) protects our customers against the technique described," a spokesperson says. "The Code Integrity Guard (CIG) feature was not designed to address this scenario."

The biggest implication, according to Morphisec, is attackers could use CIGslip to inject browser malware or adware. However, there is also potential for vendors to manipulate this method. CIG makes it harder for third-party security vendors to protect Edge because they need a DLL signed by Microsoft for each protective process. Some might inject protective code outside Microsoft's signing process.

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
White House Cybersecurity Strategy at a Crossroads
Kelly Jackson Higgins, Executive Editor at Dark Reading,  7/17/2018
The Fundamental Flaw in Security Awareness Programs
Ira Winkler, CISSP, President, Secure Mentem,  7/19/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-3770
PUBLISHED: 2018-07-20
A path traversal exists in markdown-pdf version <9.0.0 that allows a user to insert a malicious html code that can result in reading the local files.
CVE-2018-3771
PUBLISHED: 2018-07-20
An XSS in statics-server <= 0.0.9 can be used via injected iframe in the filename when statics-server displays directory index in the browser.
CVE-2018-5065
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Use-after-free vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.
CVE-2018-5066
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have an Out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2018-5067
PUBLISHED: 2018-07-20
Adobe Acrobat and Reader 2018.011.20040 and earlier, 2017.011.30080 and earlier, and 2015.006.30418 and earlier versions have a Heap Overflow vulnerability. Successful exploitation could lead to arbitrary code execution in the context of the current user.