Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

3/8/2018
04:38 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
50%
50%

CIGslip Lets Attackers Bypass Microsoft Code Integrity Guard

The new technique would enable attackers to inject malicious content into Microsoft Edge and other protected processes.

A new attack method lets attackers bypass Microsoft's Code Integrity Guard (CIG) and inject malicious code into protected processes, including Microsoft Edge. Researchers at Morphisec this week disclosed the details of the technique and proof-of-concept code.

CIG is a mitigation that was first introduced in Windows 10 in 2015, and later became part of Device Guard. It restricts loaded images to those signed by Microsoft, WQL, and in some cases, the Microsoft Store. The biggest benefit of CIG, researchers report, is it stops unauthorized code loading from adware and malware that has already infected the system. If an app is protected with CIG, it's protected from other compromised parts of the same machine.

This technique, dubbed CIGslip, was discovered by researchers learning how to protect the Edge browser, explains Michael Gorelik, CTO and vice president of R&D at Morphisec. The team wanted to see how they would test their protect and load DLL without the process of signing. Edge is protected by CIG, as are several processes in the latest version of Windows 10.

CIGslip bypasses CIG's security mechanisms while mimicking natural Windows DLL loading from the disk. The technique abuses a non-CIG enabled process, the most popular form of process on Windows, to inject code into a CIG-protected target process. This serves as an entry point for an attacker to load any kind of code, malicious or benign, into Microsoft Edge.

"We found this very easy technique … I'm really surprised no one uses it," Gorelik says. "This technique allowed us to load any DLL we wanted, any model we wanted, into any protected CIG process without triggering any alert notification."

CIGslip could have "serious destructive potential" if it gains popularity among cybercriminals, Gorelik writes in a blog post. Windows users are vulnerable in several ways, he reports, and businesses running Windows machines should understand the potential damage.

"We do see CIG as a very important concept that blocked a major amount of adversaries and malware that tried to inject into the Edge browser," says Gorelik. Attackers could bypass CIG to steal passwords or browser history, or affect processes running outside Edge.

"With this technique I can download the same adware and malware and load it into the Edge browser, or any other process," he explains.

The CIGslip method is sneaky. "You don't know you're attacked unless you're monitoring and okaying every single process in the system," Gorelik continues. "You definitely need to do strict detection for this."

Morphisec approached Microsoft with its findings because "we considered it a very critical and serious vulnerability," says Gorelik. Microsoft claims CIGslip is "outside the scope of CIG," he explains, and the company explains its reasoning for this in its bounty terms. While this doesn't mean Microsoft will never address the problem, it also won't prioritize it.

Microsoft reports CIG was not designed to protect against the scenario Morphisec researchers are describing, and a different tool was created to defend machines from this type of attack.

"Our security feature known as Windows Defender Application Control (WDAC) protects our customers against the technique described," a spokesperson says. "The Code Integrity Guard (CIG) feature was not designed to address this scenario."

The biggest implication, according to Morphisec, is attackers could use CIGslip to inject browser malware or adware. However, there is also potential for vendors to manipulate this method. CIG makes it harder for third-party security vendors to protect Edge because they need a DLL signed by Microsoft for each protective process. Some might inject protective code outside Microsoft's signing process.

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Modern Day Insider Threat: Network Bugs That Are Stealing Your Data
David Pearson, Principal Threat Researcher,  10/21/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27187
PUBLISHED: 2020-10-26
An issue was discovered in KDE Partition Manager 4.1.0 before 4.2.0. The kpmcore_externalcommand helper contains a logic flaw in which the service invoking D-Bus is not properly checked. An attacker on the local machine can replace /etc/fstab, and execute mount and other partitioning related command...
CVE-2020-7752
PUBLISHED: 2020-10-26
This affects the package systeminformation before 4.27.11. This package is vulnerable to Command Injection. The attacker can concatenate curl's parameters to overwrite Javascript files and then execute any OS commands.
CVE-2020-7127
PUBLISHED: 2020-10-26
A remote unauthenticated arbitrary code execution vulnerability was discovered in Aruba Airwave Software version(s): Prior to 1.3.2.
CVE-2020-7196
PUBLISHED: 2020-10-26
The HPE BlueData EPIC Software Platform version 4.0 and HPE Ezmeral Container Platform 5.0 use an insecure method of handling sensitive Kerberos passwords that is susceptible to unauthorized interception and/or retrieval. Specifically, they display the kdc_admin_password in the source file of the ur...
CVE-2020-7197
PUBLISHED: 2020-10-26
SSMC3.7.0.0 is vulnerable to remote authentication bypass. HPE StoreServ Management Console (SSMC) 3.7.0.0 is an off node multiarray manager web application and remains isolated from data on the managed arrays. HPE has provided an update to HPE StoreServ Management Console (SSMC) software 3.7.0.0* U...