
You can run any app on Windows machines by exploiting this security flaw

A weakness in the AppLocker system could allow an attacker to run any app on a Windows PC. [Updated]
Written by Charlie Osborne, Contributing Writer

[Update 9.29 BST: Microsoft statement]

The Windows command line utility Regsvr32.exe can be exploited to bypass Microsoft Windows AppLocker protection systems, potentially leading to remote code execution.

The security flaw can be used to circumvent the app whitelist protections offered by AppLocker on business editions of Windows, versions 7 and beyond, by using the command line utility to point to a file or location controlled by an attacker.

As a result, files and scripts can be used to run an app on a Windows system.

Security researcher Casey Smith, also known as "subTee," says the security flaw can be exploited without admin rights or privileged access.

In a blog post, the researcher said that COM+ scripts (XML documents that register COM objects with the system) can be crafted to bypass AppLocker: a script block plus deregistering the script is all it takes, which removes the need for admin rights.

In addition, the exploit does not require any tampering that leaves tracks, a bonus for attackers attempting to hide their activities.

COM+ scripts, otherwise known as .SCT files, are not limited to local access, so Smith was able to pull up a script remotely. As the command line utility is also proxy and network aware, an intruder could cause havoc in a system once a PC is compromised.

"All you need to do is host your .SCT file at a location you control," the researcher said. "It's not well documented that Regsvr32.exe can accept a URL for a script. In order to trigger this bypass, place the code block, either VB or JS, inside the `<registration>` element."

Proof-of-concept (PoC) code is available on GitHub.

There is currently no patch for the security flaw. In the meantime, however, you can block Regsvr32.exe with Windows Firewall to mitigate the problem.
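The firewall mitigation the article mentions, as an added example rather than code from the article or from the researcher's PoC: it creates outbound block rules for both copies of regsvr32.exe on 64-bit Windows and then verifies them. It assumes the NetSecurity module (Windows 8 / Server 2012 and later) and an elevated PowerShell session; the rule names are my own.

```powershell
# Added example, not from the article: block outbound network access for
# regsvr32.exe with Windows Firewall while no patch is available.
# Assumes an elevated session and the NetSecurity module (Windows 8+).

# On 64-bit Windows the utility exists twice; both copies must be covered.
$regsvr32Paths = @(
    "$env:SystemRoot\System32\regsvr32.exe",
    "$env:SystemRoot\SysWOW64\regsvr32.exe"
) | Where-Object { Test-Path $_ }

foreach ($path in $regsvr32Paths) {
    # Rule name is a constructed label, e.g. "Block outbound regsvr32 (System32)".
    $dirName  = Split-Path -Leaf (Split-Path -Parent $path)
    $ruleName = "Block outbound regsvr32 ($dirName)"

    # Idempotent: do not create a duplicate rule on repeated runs.
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Write-Host "Rule already present: $ruleName"
        continue
    }

    New-NetFirewallRule -DisplayName $ruleName `
        -Description "Stop regsvr32.exe fetching remotely hosted .SCT scripts (AppLocker bypass mitigation)" `
        -Direction Outbound -Program $path -Action Block `
        -Profile Any -Enabled True | Out-Null
    Write-Host "Created rule: $ruleName"
}

# Verify: show each rule together with the program path it is bound to.
Get-NetFirewallRule -DisplayName "Block outbound regsvr32*" | ForEach-Object {
    $appFilter = $_ | Get-NetFirewallApplicationFilter
    [pscustomobject]@{
        Rule    = $_.DisplayName
        Program = $appFilter.Program
        Action  = $_.Action
        Enabled = $_.Enabled
    }
} | Format-Table -AutoSize
```

These rules only stop regsvr32.exe from reaching a remotely hosted script; since .SCT files are not limited to remote access, a script already present on the machine is unaffected, so treat this as a stop-gap until a patch ships.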

A Microsoft spokesperson told ZDNet:

"Windows is the only platform with a customer commitment to investigate reported security issues, and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection. Our standard policy is to provide solutions via our current Update Tuesday schedule."
