pixel_dreams - Fotolia
Application whitelisting protection that depends on Windows AppLocker can be bypassed using a Windows command-line utility dating back to Windows XP, a security researcher has reported. When paired with a script hosted on a remote host, the vulnerability would allow an attacker to run software not on the Windows AppLocker whitelist.
The utility, Regsvr32, is meant to be used to "register and unregister OLE [Object Linking and Embedding] controls, such as [dynamic link libraries] and ActiveX controls in the Windows Registry," according to Microsoft. But researcher Casey Smith reported the command can point to a URL, rather than to a local script; a script hosted at that URL will execute, bypassing Windows AppLocker whitelisting restrictions.
"The amazing thing here is that Regsvr32 is already proxy-aware, uses [Transport Layer Security], follows redirects, etc.," Smith wrote, noting that the utility is also "a signed, default MS binary," which simplifies any attack using the vulnerability.
"This technique is potentially dangerous in the hands of a skilled attacker," according to Robert Sadowski, marketing director at RSA, based in Bedford, Mass.
"The attacker would need to have access to a victim's machine, but would not need to have admin rights," Sadowski said. "They would be able to run scripts that would normally be blocked by AppLocker's script-blocking functionality."
Smith's proof-of-concept scripts demonstrate the potential this attack has for doing damage, and Sadowski said it could be used in the wild for phishing or for drive-by exploits. "It's also dangerous because it's difficult to detect; it happens directly through a built-in Windows command, and the only trace is a single cached file in Internet Explorer -- nothing in the Windows registry," Sadowski said.
Günter Ollmann, CSO at Vectra Inc., an automated threat management vendor based in San Jose, Calif., said the Windows AppLocker bypass is "an interesting example of legacy code and backward functional compatibility" that hackers can exploit to defeat newer security measures.
"It should be no surprise to any seasoned systems administrator that bypasses such as this one lie in wait of any host-based blocking technology. The dark and forgotten passages of MS-DOS command-line functionality and registry manipulation are a consistent bugbear for those trying to secure the Windows desktop," Ollmann said. "Where documentation exists, it is scant and almost cryptic -- so, those with a keen eye and the time to experiment stumble across these kinds of bypasses regularly."
"If you have the Windows AppLocker installed in order to prevent intrusions or malware infections, this could be a very dangerous vulnerability. The risks of this are high if it is not fixed right away," said Daniel Ford, security engineer and forensic analyst at Indianapolis-based managed security services provider Rook Security Inc.
"Being able to whitelist applications and stop other unauthorized applications from running is a big protection that many companies employ. A good example of what could happen is that if you install the Windows AppLocker to defend against malware exfiltrating data, then this vulnerability can be used to circumvent that protection."
Ford recommended not relying on Windows AppLocker. "Make sure to have multiple layers of security like up-to-date antivirus, and IDS/IPS [intrusion detection system/intrusion prevention system], firewall and other security tools. When a patch comes out for this vulnerability, it is prudent that it gets fixed right away," he said.
"The easiest way to secure your environment right now is to block Regsvr32 at the firewall level, denying it Internet access," wrote Chris Tulumba, an IT infrastructure security consultant. "Note that you need to block both the 32 and 64-bit versions. It's a good idea to block .sct files on your inbound email security filters, as well, as this exploit could be used in a phishing attack."
Learn some of the most useful Windows command-line commands.
Find out more about how Windows AppLocker can be used to protect Remote Desktop Services applications.