A core Windows command-line utility, Regsvr32, used to register DLLs in the Windows Registry, can be abused to run remote code from the Internet, bypassing application-whitelisting protections such as Microsoft’s AppLocker.
A researcher who requested anonymity found and privately disclosed the issue to Microsoft on Tuesday. It’s unknown whether Microsoft will patch this issue with a security bulletin, or in a future release.
Regsvr32, also known as Microsoft Register Server, is a Microsoft-signed binary that ships with Windows by default. The researcher’s proof-of-concept downloads and runs JavaScript or VBScript from a URL supplied on the command line. Abusing this presumes an attacker is already present on the box, the researcher said. Technical details can be found here.
“A lot of whitelisting protections block JavaScript or VBScript; there’s no restriction here,” the researcher told Threatpost. “The fact that the code is hosted on a remote system makes it trivial. And Regsvr32 is proxy- and SSL-aware, meaning there’s no extra configuration needed. You can execute from any remote destination.”
The researcher said the issue was discovered while researching AppLocker bypasses.
“There’s really no patch for this; it’s not an exploit. It’s just using the tool in an unorthodox manner. It’s a bypass, an evasion tactic,” the researcher said.
Complicating matters, Regsvr32 normally requires administrative privileges in order to register COM (Component Object Model) objects and DLLs on the operating system.
“Only admins normally run this. In this case, I can run it as a normal user,” the researcher said. “I could call unregistered methods and execute them as a normal user.”
Documentation on Regsvr32 does not indicate that it would accept scripts from the Internet. Recent so-called fileless malware attacks have used Windows PowerShell to download malware from the Internet, and it appears this issue could be abused in a similar way.
The researcher said that attacks using this method would be tough to detect.
“There are not many artifacts left on the box to indicate it ran,” the researcher said, adding that a command-line auditing tool such as Sysmon would log that someone ran Regsvr32 with a URL in the parameter. “Because the file is downloaded from a URL, there would be a minimal footprint. I’m not sure there would be much left on the system to indicate it ran.”
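As an added defensive illustration, not code from the article or the researcher, the following Python filter runs over constructed Sysmon-style process-creation records and flags the one observable the researcher points to: Regsvr32 launched with a URL in its parameters. The pipe-delimited layout, field names and sample values are assumptions made for the sample, not Sysmon's real export format.

```python
import re

# Constructed Sysmon-style process-creation (Event ID 1) records; not real telemetry.
# Record 2 is the case described in the article: regsvr32 invoked with a URL.
SAMPLE_EVENTS = [
    "EventID=1|Image=C:\\Windows\\System32\\regsvr32.exe|CommandLine=regsvr32.exe C:\\Program Files\\Vendor\\vendor.dll|User=CORP\\alice",
    "EventID=1|Image=C:\\Windows\\System32\\regsvr32.exe|CommandLine=regsvr32.exe https://example.invalid/remote-script|User=CORP\\bob",
    "EventID=1|Image=C:\\Program Files\\Browser\\browser.exe|CommandLine=browser.exe https://example.invalid/page|User=CORP\\carol",
    "EventID=3|Image=C:\\Windows\\System32\\regsvr32.exe|DestinationIp=203.0.113.10|User=CORP\\bob",
]

# Any http:// or https:// scheme in the command line, regardless of case.
URL_RE = re.compile(r"https?://", re.IGNORECASE)


def parse_event(line):
    """Split a pipe-delimited 'Key=Value' record into a dict (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def is_suspicious_regsvr32(event):
    """True for a process-creation event of regsvr32.exe whose command line carries a URL.

    A local DLL path (the normal registration use) does not match; a URL in any
    other program's command line does not match either, since only Regsvr32 is
    the binary of interest here.
    """
    if event.get("EventID") != "1":
        return False
    image = event.get("Image", "").lower()
    if not image.endswith("\\regsvr32.exe"):
        return False
    return URL_RE.search(event.get("CommandLine", "")) is not None


def find_suspicious(lines):
    """Return the parsed records that should raise an alert."""
    hits = []
    for line in lines:
        event = parse_event(line)
        if is_suspicious_regsvr32(event):
            hits.append(event)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_EVENTS):
        print(f"ALERT user={hit['User']} cmd={hit['CommandLine']}")
```

The match is deliberately on the process image name plus a URL scheme, because the researcher's point is that the script lives remotely; a renamed copy of the binary would need a file-hash or signer check in addition.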