Morphisec security researchers warn of a newly discovered attack vector that allows attackers to bypass Microsoft’s Code Integrity Guard (CIG) in order to load malicious libraries into protected processes.
Dubbed CIGslip, the new attack vector relies on manipulating the manner in which CIG functions, thus bypassing its controls without the need to inject unsigned image code pages into memory. With a low footprint on the targeted system and likely to go unnoticed, the attack has great damaging potential.
The security researchers have already reported their findings to Microsoft, along with a proof-of-concept, but the software giant responded that the technique is outside the scope of CIG. Because of that, Morphisec believes that “Windows users are vulnerable in multiple ways.”
“The attack POC takes advantage of a non-CIG enabled process, which is the most popular form of process on Windows, in order to sneak into a CIG-enabled target process, and uses it as an entry point to load any kind of DLL, including a malicious one,” the researchers say.
By abusing CIGslip, an attacker could insert browser malware or adware, Morphisec claims, arguing that it is difficult for third-party security solutions to defend CIG protected process without Microsoft-signed DLLs.
Introduced in Windows 10 as an improved protection for Microsoft Edge, CIG would prevent the “injection of DLLs into the browser unless they are Windows components or signed device drivers.”
According to Morphisec, the mechanism is efficient at blocking malware and adware already on the computer, but also makes it “harder for third party security vendors to apply runtime protection for any CIG protected processes.”
In order to compromise a targeted process, one would have to perform reflective memory based injection, which works against CIG protected processes too, the security researchers say. This technique, however, can generally be detected and Microsoft does not consider it within the scope of bounty programs.
According to Morphisec, however, CIG can be bypassed without any in-memory injection of unsigned image code pages. The newly discovered method, the security firm says, mimics natural Windows DLL loading from disk.
The technique is based on the assumption that the attacker can execute a non-CIG protected process on disk, given that “there is no feasible way to protect all processes with CIG.” Since a CIG-protected process is able to execute a non-CIG protected process, the attacker would focus on backward injection, attempting to bypass “the CIG verification during the section create in the target process.”
“In order to detour the code integrity verification, we would need to hijack the control when the section is created within the targeted process,” Morphisec notes.
The section handlers are managed by Kernel and could be duplicated between processes, the researchers explain. Thus, “section that correlated to a non-signed DLL could be created within the context of the malicious process and then duplicated into the target process.”
Thus, Morphisec discovered that the injection of a malicious, non-signed DLL into a target process would require hooking the createsection method within the target process to return the duplicated section handle. Given that createsection returns an already existing verified section handle, the verification of the section is successful and the targeted process maps the DLL code page into its memory.
“The risks inherent in this new technique, which can be used or is possibly in use already, are high as the attack has very low footprint on the system and will go undetected by almost all security mechanisms,” Morphisec says.