Bandizip's bundled signed program RegDll64.exe can be used to load arbitrary DLLs


yihan chen

Jun 7, 2026, 4:17:43 AM (7 days ago) Jun 7
to Bandizip for Windows forum
Hello Bandisoft staff:
Recently, people on some online forums found that the signed program RegDll64.exe bundled with Bandizip can be used to load arbitrary DLLs. The content of the post follows:

Observation
After installing Bandizip, the data folder under the install directory contains two exe files:
[screenshot: PixPin_2026-06-07_16-00-56.png]
RegDll.x64.exe   RegDll.x86.exe
Double-clicking either exe directly pops up a command-line help window listing the various supported operation parameters.
[screenshot: PixPin_2026-06-07_16-02-32.png]
Both exes share one characteristic: they carry a valid official Bandizip digital signature. This means that when they are executed, Windows and most security software treat them as trusted programs.
[screenshot: PixPin_2026-06-07_16-04-18.png]
The help text shows that RegDll64.exe supports: registering DLLs, unregistering DLLs, directly loading and calling a specified function in a specified DLL, adding or removing system PATH entries, and restarting Explorer.

The one that deserves the most attention is the calldll feature, which lets this signed exe load any DLL file and execute a function inside it. It takes only a single command line:
[powershell]
RegDll64.exe /calldll 任意DLL.dll 函数名

The test result is as follows:
[screenshot: PixPin_2026-06-07_16-05-44.png]
The DLL was loaded successfully and the message box popped up normally.

This is a classic "white plus black" attack: the white file is RegDll64.exe, which carries a legitimate digital signature; the black DLL is a malicious DLL prepared by the attacker; the execution method is to have the white file load the black DLL via the command line.

An attacker needs only a BAT script and a DLL to execute arbitrary malicious code under the cover of the signature. This technique can bypass some security software that relies on static signature checks.

Several other interfaces could also be abused: addpath can add a malicious directory to the system PATH for persistence; restartexplorer can be combined with other operations; regdll can register or unregister system DLLs.

Summary: this is not a CVE vulnerability in the traditional sense, but it still carries a high security risk.

Attachment: the tools needed for the test shown above
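As an added defensive example (not part of either post and not Bandisoft's code), the following Python triage script flags process-creation events in which the RegDll executables are invoked with the switches named in the report, and raises the severity when /calldll points at a DLL outside the install directory. The log format, the install path and the DLL names are constructed placeholders.

```python
import shlex
from pathlib import PureWindowsPath

# Assumed install location (placeholder); point it at the real Bandizip directory.
BANDIZIP_DIR = PureWindowsPath(r"C:\Program Files\Bandizip")
# Both spellings used in the report, plus the on-disk file names.
REGDLL_NAMES = {"regdll.x64.exe", "regdll.x86.exe", "regdll64.exe"}
RISKY_SWITCHES = {"/calldll", "/addpath", "/regdll"}

# Constructed process-creation events in a simple key=value|key=value form.
SAMPLE_LOG = [
    r"ProcessId=4120|Image=C:\Program Files\Bandizip\data\RegDll.x64.exe|"
    r'CommandLine="C:\Program Files\Bandizip\data\RegDll.x64.exe" /calldll C:\Users\Public\payload.dll Run',
    r"ProcessId=4133|Image=C:\Program Files\Bandizip\data\RegDll.x64.exe|"
    r'CommandLine=RegDll.x64.exe /calldll "C:\Program Files\Bandizip\data\bundled_placeholder.dll" Init',
    r"ProcessId=4140|Image=C:\Windows\System32\notepad.exe|CommandLine=notepad.exe readme.txt",
    r"ProcessId=4151|Image=C:\Program Files\Bandizip\data\RegDll.x86.exe|"
    r"CommandLine=RegDll.x86.exe /addpath C:\Users\Public\tools",
]

def parse_event(line):
    """Split one 'key=value|key=value' line into a dict."""
    return dict(f.split("=", 1) for f in line.split("|") if "=" in f)

def split_cmdline(cmdline):
    """Windows-style tokenising: keep backslashes, drop surrounding quotes."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]

def assess(event):
    """Return a finding dict for a risky RegDll invocation, else None."""
    image = PureWindowsPath(event.get("Image", ""))
    if image.name.lower() not in REGDLL_NAMES:
        return None
    argv = split_cmdline(event.get("CommandLine", ""))
    lowered = [a.lower() for a in argv]
    hit = RISKY_SWITCHES.intersection(lowered[1:])
    if not hit:
        return None
    reasons = ["switch " + s for s in sorted(hit)]
    if "/calldll" in hit:
        pos = lowered.index("/calldll")
        if pos + 1 < len(argv):
            dll = PureWindowsPath(argv[pos + 1])
            # A DLL that is not under the install directory is the "black" half
            # of the pattern described in the report.
            if not dll.is_absolute() or BANDIZIP_DIR not in dll.parents:
                reasons.append("dll outside install dir: " + str(dll))
    severity = "high" if len(reasons) > 1 or "/addpath" in hit else "medium"
    return {"pid": event.get("ProcessId"), "image": str(image),
            "severity": severity, "reasons": reasons}

def scan(lines):
    """Run assess() over every log line and collect the findings."""
    return [f for f in (assess(parse_event(l)) for l in lines) if f]
```

Running scan(SAMPLE_LOG) yields three findings: the out-of-tree calldll and the addpath event at high severity, and the calldll against a bundled DLL at medium severity, which is the hook for an allow-list of known Bandizip DLLs.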


KH Park

Jun 7, 2026, 9:46:55 PM (6 days ago) Jun 7
to Bandizip for Windows forum

Hello. This is Bandisoft.


* Windows already includes tools such as regsvr32.exe that can load and invoke DLL functions. Therefore, the ability of RegDll.x64.exe to call a DLL function is not considered a security vulnerability.

* Windows also provides utilities such as setx.exe that can modify the PATH environment variable. Therefore, the addpath feature of RegDll.x64.exe is not considered a security vulnerability either.

If an attacker is already able to execute arbitrary scripts or commands on a remote system, there are many built-in Windows tools that provide capabilities equal to or greater than those offered by RegDll.x64.exe.

For these reasons, we do not consider the reported behavior to be a security issue.


Best regards,
Park, KH



