Abstract

Over the past many years, there’ve been a plethora of security solutions available for Windows-based end points; many users and administrators have difficulty in assessing their strengths and weaknesses. Interestingly, many of these solutions are basically helpless against kernelmode malicious code. Each kernel patch/0day creates a hole for organizations that goes unnoticed by most.

In this talk, we will take the recent public exploit for EPATHOBJ Windows kernel vulnerability and show that with some tweaks, we can use it to bypass application sandboxes, AV, HIPS, rootkit detectors, EMET and SMEP – even if these solutions are stacked one upon other. We simply keep on tweaking the exploit until we bypass every security software that you would expect on a corporate user machine. This highlights the fact that “defense in depth” based on simultaneous deployment of multiple solutions sharing the same weakness is not satisfactory; we postulate the need for defensive methods that are immune to kernelmode exploits, and discuss the possible implementations.

The issue is far from theoretical – the modern malware (e.g. TDL4) is already using this particular EPATHOBJ exploit to gain privileges. Also, the Windows kernel vulnerabilities are frequent, and this is not going to change anytime soon – we have to live with them and be able to defend against them.