CIGslip Lets Attackers Bypass Microsoft Code Integrity Guard

The new technique would enable attackers to inject malicious content into Microsoft Edge and other protected processes.

Kelly Sheridan, Former Senior Editor, Dark Reading

March 8, 2018

3 Min Read
Dark Reading logo in a gray background | Dark Reading

A new attack method lets attackers bypass Microsoft's Code Integrity Guard (CIG) and inject malicious code into protected processes, including Microsoft Edge. Researchers at Morphisec this week disclosed the details of the technique and proof-of-concept code.

CIG is a mitigation that was first introduced in Windows 10 in 2015, and later became part of Device Guard. It restricts loaded images to those signed by Microsoft, WQL, and in some cases, the Microsoft Store. The biggest benefit of CIG, researchers report, is it stops unauthorized code loading from adware and malware that has already infected the system. If an app is protected with CIG, it's protected from other compromised parts of the same machine.

This technique, dubbed CIGslip, was discovered by researchers learning how to protect the Edge browser, explains Michael Gorelik, CTO and vice president of R&D at Morphisec. The team wanted to see how they would test their protect and load DLL without the process of signing. Edge is protected by CIG, as are several processes in the latest version of Windows 10.

CIGslip bypasses CIG's security mechanisms while mimicking natural Windows DLL loading from the disk. The technique abuses a non-CIG enabled process, the most popular form of process on Windows, to inject code into a CIG-protected target process. This serves as an entry point for an attacker to load any kind of code, malicious or benign, into Microsoft Edge.

"We found this very easy technique … I'm really surprised no one uses it," Gorelik says. "This technique allowed us to load any DLL we wanted, any model we wanted, into any protected CIG process without triggering any alert notification."

CIGslip could have "serious destructive potential" if it gains popularity among cybercriminals, Gorelik writes in a blog post. Windows users are vulnerable in several ways, he reports, and businesses running Windows machines should understand the potential damage.

"We do see CIG as a very important concept that blocked a major amount of adversaries and malware that tried to inject into the Edge browser," says Gorelik. Attackers could bypass CIG to steal passwords or browser history, or affect processes running outside Edge.

"With this technique I can download the same adware and malware and load it into the Edge browser, or any other process," he explains.

The CIGslip method is sneaky. "You don't know you're attacked unless you're monitoring and okaying every single process in the system," Gorelik continues. "You definitely need to do strict detection for this."

Morphisec approached Microsoft with its findings because "we considered it a very critical and serious vulnerability," says Gorelik. Microsoft claims CIGslip is "outside the scope of CIG," he explains, and the company explains its reasoning for this in its bounty terms. While this doesn't mean Microsoft will never address the problem, it also won't prioritize it.

Microsoft reports CIG was not designed to protect against the scenario Morphisec researchers are describing, and a different tool was created to defend machines from this type of attack.

"Our security feature known as Windows Defender Application Control (WDAC) protects our customers against the technique described," a spokesperson says. "The Code Integrity Guard (CIG) feature was not designed to address this scenario."

The biggest implication, according to Morphisec, is attackers could use CIGslip to inject browser malware or adware. However, there is also potential for vendors to manipulate this method. CIG makes it harder for third-party security vendors to protect Edge because they need a DLL signed by Microsoft for each protective process. Some might inject protective code outside Microsoft's signing process.

Related Content:

 

 

 

Black Hat Asia returns to Singapore with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier solutions and service providers in the Business Hall. Click for information on the conference and to register.

About the Author

Kelly Sheridan

Former Senior Editor, Dark Reading

Kelly Sheridan was formerly a Staff Editor at Dark Reading, where she focused on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial services. Sheridan earned her BA in English at Villanova University. You can follow her on Twitter @kellymsheridan.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights