itman, posted July 21, 2016 (edited)

hxxp://breakingmalware.com/vulnerabilities/captain-hook-pirating-avs-bypass-exploit-mitigations/

> The most impactful discovery was that 3 different hooking engines also suffer from these kinds of problems, including the most popular commercial hooking engine in the world – Microsoft Detours (scheduled patch, August 2016). Practically, it means that thousands of products are affected.
>
> User-mode hooks are used by most of the end-point security vendors today, specifically Anti-Virus (AV) products, and Anti-Exploitation products such as EMET. Beyond their usage in security, hooks are used in other invasive applications such as Application Performance Management (APM) technologies to track performance bottlenecks.
>
> Hooking itself is a very intrusive coding operation where function calls (mainly operating system functions) are intercepted in order to alter or augment their behavior.
>
> Given the sensitivity of hooking implementations, we sought to test their robustness. For our research, we investigated more than a dozen popular security products. Our findings were depressing – we revealed six different security problems and vulnerabilities stemming from this practice.

Edited July 21, 2016 by itman
Marcos (Administrator), posted July 22, 2016

So far we don't know any details about those vulnerabilities, as we haven't been contacted by the guys. They claim to have contacted affected vendors, however. Details should be disclosed at the upcoming Black Hat conference.
itman (author), posted July 22, 2016

> So far we don't know any details about those vulnerabilities, as we haven't been contacted by the guys. They claim to have contacted affected vendors, however. Details should be disclosed at the upcoming Black Hat conference.

I am assuming at this point that Eset is not an issue, since I believe it developed its HIPS internally "from the ground up." The AV vendors mentioned all use one of the three commercial hooking engines referenced in the article, e.g. HackTool SDK, MadCodeHook, EasyHook, etc.