CyberArk Discovers New Rootkit-Enabling Hooking Technique For Intel Processors

CyberArk, the enterprise security company that recently discovered a hooking technique for Intel processors that would allow attackers to install rootkits on Windows systems they had already compromised, is back with a new hooking technique called “BoundHook.”

BoundHook Technique

Hooking techniques give you control over the way an operating system or a piece of software behaves. Hooks are used by software security tools, system utilities, programming tools, and malicious software such as rootkits.

BoundHook is not an exploitation technique, which means an attacker can’t use it directly to take over a system. Instead, it allows the attacker to maintain persistence on a system as a rootkit and bypass any operating system-level security measures that may try to get rid of it. Before any of that, however, the attacker would need a different way to infect the user’s system (email attachments, malicious ads, etc.).

Technical Details

The BoundHook technique can be used to cause an exception (an anomalous condition requiring special processing) in a very specific location in a user-mode context and catch the exception to gain control over the thread execution.

The exception can be created via a BOUND instruction, which is part of Intel’s Memory Protection Extensions (MPX). The instruction is designed to increase software security by checking pointer references, which could otherwise be exploited at runtime through memory corruption bugs.

The CyberArk researchers said that most anti-virus solutions will not be able to detect an attacker’s use of the BoundHook technique, because they would have to look for it specifically (this could change now that the research is published, though).

The technique is also invisible to most Windows PatchGuard kernel protection mechanisms, for the same reason. The PatchGuard protections would have to look specifically for hooks that bypass the Copy-on-Write (COW) mechanism.

Microsoft Won’t (Can’t?) Fix The Vulnerability

Microsoft told CyberArk that it will not address this issue in the current versions of Windows, but it will consider fixing it in a future Windows version:

“We have completed our investigation of this issue and have found that it is not a vulnerability but a technique to avoid detection once the machine is already compromised. Because it's a post-exploitation technique, it doesn't meet the bar for servicing in a security update, but we will consider fixing it in a future version of Windows.”

Like with GhostHook, it’s possible that Microsoft can’t fully fix the issue on its own, and it may have to wait for Intel to fix it or mitigate it in hardware first.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • InvalidError
    Got to appreciate the irony of security features intended to help prevent security exploits ending up facilitating malware permanence.
  • sinewave242
    Am I guessing right when I say that this exploit is not working with AMD processors? One more reason to buy them. ;)