New (but really - old) Windows .lnk vulnerability

Discussion in 'Virus Information' started by Virus Guy, Jul 18, 2010.

  1. Virus Guy Guest

    http://www.microsoft.com/technet/security/advisory/2286198.mspx
    http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17&pageNumber=1

    Example POC code:

    http://www.exploit-db.com/exploits/14403/

    I downloaded "suckme.rar" and renamed "suckme.lnk_" to "suckme.lnk" on
    my Windows 98 system. The icon turned into a shortcut, but nothing else
    happened.

    What should happen on a vulnerable system with this POC?

    --------------
    Computerworld - Microsoft on Friday warned that attackers are exploiting
    a critical unpatched Windows vulnerability using infected USB flash
    drives.

    The bug admission is the first that affects Windows XP Service Pack 2
    (SP2) since Microsoft retired the edition from support, researchers
    said. When Microsoft does fix the flaw, it will not be providing a patch
    for machines still running XP SP2.

    In a security advisory, Microsoft confirmed what other researchers had
    been saying for almost a month: Hackers have been exploiting a bug in
    Windows "shortcut" files, the placeholders typically dropped on the
    desktop or into the Start menu to represent links to actual files or
    programs.

    According to Microsoft, Windows fails to correctly parse shortcut files,
    identified by the ".lnk" extension. The flaw has been exploited most
    frequently using USB flash drives. By crafting a malicious .lnk file,
    hackers can hijack a Windows PC with little user interaction: All that's
    necessary is that the user views the contents of the USB drive with a
    file manager like Windows Explorer.
    --------------
     
    Virus Guy, Jul 18, 2010
    #1
  2. I don't know what specific output event the POC uses, but I think it
    wouldn't work on 9x systems anyway as it is specifically targeting NT
    default shells.
     
    FromTheRafters, Jul 18, 2010
    #2
  3. Dustin Guest

    Hehe.. Virus Guy isn't a coder... So.. he's just waiting to get himself
    in trouble I guess.
     
    Dustin, Jul 18, 2010
    #3
  4. Virus Guy Guest

    Can the .lnk example file be modified - to do something more visible
    (and not OS-specific) ?

    Like launch calc.exe?
     
    Virus Guy, Jul 18, 2010
    #4
  5. Dustin Guest

    Who are you to tell me to go anyplace? You top posting fuckwit.



    --
    Too cold to start a fire. I'm burning diesel burning dinosaur bones. I'll
    take the river down to still water and ride a pack of dogs!
    But I'm gonna break. I'm gonna break my... I'm gonna break my rusty cage
    and run.. Yea i'm gonna break.. I'm gonna break my... I'm gonna break my
    rusty cage... and run!
     
    Dustin, Jul 19, 2010
    #5
  6. [...]
    How would you (or anyone) know?

    What outwardly obvious event were you expecting? FOX breaking news? An
    article on The Register? Snopes?
     
    FromTheRafters, Jul 21, 2010
    #6
  7. Then how would *he* know?

     
    FromTheRafters, Jul 21, 2010
    #7
  8. C.L. Uck Guest

    HoopleHead alert.

    :
    : > Go away hacker!
    :
    : Who are you to tell me to go anyplace? You top posting fuckwit.
    :
    :
    :
    : --
    : Too cold to start a fire. I'm burning diesel burning dinosaur bones. I'll
    : take the river down to still water and ride a pack of dogs!
    : But I'm gonna break. I'm gonna break my... I'm gonna break my rusty cage
    : and run.. Yea i'm gonna break.. I'm gonna break my... I'm gonna break my
    : rusty cage... and run!
     
    C.L. Uck, Jul 21, 2010
    #8
  9. Dustin Guest

    <snip>

    top posting fuckwit.
     
    Dustin, Jul 22, 2010
    #9
  10. ....or this:

    http://en.wikipedia.org/wiki/Format_string_attack

    Sometimes, the blackhats can keep a secret for an extended period.
     
    FromTheRafters, Jul 22, 2010
    #10
  11. Virus Guy Guest

    Same for Win-98se.

    According to an MSDN article by Microsoft, Win-9x/me shortcut (lnk)
    files use ansi coding for the target filespec, but NT-based systems use
    unicode. This means there are two slightly different forms for lnk
    files.

    http://msdn.microsoft.com/en-us/library/bb774950.aspx

    My experimentation today on win-98 and XP-sp3 systems tells me that
    *both* systems understand and are compatible with *both* types of lnk
    files, but win-98 natively creates ansi-coded lnk files, while XP
    creates unicode files. But as you say, win-9x systems are not
    vulnerable to the unicode-coded .lnk files that are in current
    circulation.

    The exploit is created by performing some minimal editing of .lnk files
    that point to a DLL file that must be present in the root directory of a
    named drive. Relational paths don't seem to work. The exploit causes
    the DLLMain routine in the DLL to execute when the .lnk file is made
    visible in an explorer window. Normally, the windows shell retrieves
    the icon bitmap from the dll to use as the icon to render the .lnk
    shortcut, but this exploit apparently triggers DLLMain to be executed
    instead.

    The target of these malicious .lnk files must be regular or normal DLL
    files (even if they are renamed to something else). They can't be exe
    or some other type of file. The DLL file would also be malicious and
    must be paired with the .lnk file to work as a total exploit. The most
    workable form of this exploit would be that both the .lnk and the DLL
    file be present in the root directory of a removable drive (flash most
    likely) and that multiple copies of the .lnk file would be present -
    because there is no way to know beforehand if the flash drive is drive
    d: or e: or f: (etc) on a given system.

    Microsoft most likely knew of this exploit for some time (months, maybe
    longer) and was planning to use this as a big stick to get people to
    drop using win-2k and XP-sp1/sp2.

    It's very coincidental that Win-2k and XP-SP2 went EOL one week before
    this exploit was announced. That means no patch for them.
     
    Virus Guy, Jul 22, 2010
    #11
  12. C.L. Uck Guest

    Bottom posting HoopleHead Net Nanny.
    :
    :
    : <snip>
    :
    : top posting fuckwit.
    :
    :
    : --
    : "I like your Christ. I don't like your Christians. They are so unlike
    : your Christ." - author unknown.
     
    C.L. Uck, Jul 22, 2010
    #12
  13. No need to suggest I am doing anything related to bd. That's just your
    own way of coping with opinions that don't agree with yours. Must be a
    conspiracy when so many people don't have your particular world view.

    You are a mind reader now, or did Dustin contact you privately to share
    that information?

    I bottom posted to your original post, you *should* have 'followed
    suit', so to speak, and continued the style that I set (or gone with
    inline style). You didn't, so...*you're* the top posting fuckwit - all I
    did was toppost in reply to your toppost. I followed suit since you were
    evidently incapable of grasping the concept of following suit (i.e., you
    are a fuckwit).
     
    FromTheRafters, Jul 22, 2010
    #13
  14. Virus Guy Guest

    Won't matter. The malformed .lnk file (as published) doesn't work on
    9x/ME.
    No I'm not.
    We are not talking about "many API functions".

    I made a correct statement about how the filespec is coded in shortcut
    files as created by win-9x/me vs NT.
    In general, Win-9x/me is (was) designed to handle string structures
    coded in ANSI, while NT was coded to handle both ANSI and Unicode
    (double-byte). Some east-asian versions of 9x can natively handle
    double-byte strings (but technically these are not unicode strings).

    In late 2001, Microsoft released Unicode support for win-9x/me, which I
    believe is implemented in unicows.dll.
    If you create a shortcut under XP and compare it to a shortcut created
    under 9x, you'll see that apart from the "IsUnicode" flag and perhaps
    one other attribute byte, the only difference will be the coding of the
    target filespec.

    I did not say that the only difference between the two versions was
    unicode vs ansi target coding, but it is A major difference.
    If the target filespec is contained in a STRING_DATA structure in a
    shortcut file, then how can you say that such a structure could be
    absent from a shortcut file?
    Naturally that bit is not set in 9x shortcuts. That's how you know the
    target filespec is ANSI-coded.

    And by the way, 9x/me can still handle unicode (or "NT-style") shortcuts
    just fine.
    From my own testing and investigation.
     
    Virus Guy, Jul 22, 2010
    #14
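    Added here as a worked illustration of the ANSI vs Unicode StringData difference discussed in posts #11 and #14 (this is not code from the thread or from Microsoft): it builds constructed ShellLink blobs in both the 9x-style (ANSI) and NT-style (IsUnicode) forms, parses them, and runs a defensive triage check for the "DLL in the root of a named drive" placement described in post #11. Field layout follows the public MS-SHLLINK specification; the sample paths are constructed.

```python
import re
import struct

# LinkFlags bits from the ShellLink header (MS-SHLLINK, 0x4C-byte header).
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (("name", 0x04), ("relative_path", 0x08),
                 ("working_dir", 0x10), ("arguments", 0x20),
                 ("icon_location", 0x40))
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
ROOT_FILE = re.compile(r"^[A-Za-z]:\\[^\\]+$")  # a file directly in a drive root

def parse_lnk(data):
    """Return (LinkFlags, StringData dict) from a .lnk blob."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LINK_CLSID:
        raise ValueError("not a ShellLink file")
    flags, = struct.unpack_from("<I", data, 0x14)
    pos = header_size
    if flags & HAS_ID_LIST:    # skip LinkTargetIDList: IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:  # skip LinkInfo: LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    # StringData: CountCharacters, then the string; 2 bytes/char if IsUnicode,
    # 1 byte/char (ANSI) otherwise. This is the 9x-vs-NT difference in the thread.
    width, codec = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
    fields = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            start = pos + 2
            fields[name] = data[start:start + count * width].decode(codec)
            pos = start + count * width
    return flags, fields

def build_lnk(strings, unicode=True):
    """Constructed sample: header plus StringData only (no IDList/LinkInfo)."""
    flags = IS_UNICODE if unicode else 0
    body = b""
    for name, bit in STRING_FIELDS:
        if name in strings:
            flags |= bit
            raw = strings[name].encode("utf-16-le" if unicode else "cp1252")
            body += struct.pack("<H", len(strings[name])) + raw
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, flags).ljust(0x4C, b"\0")
    return header + body

def root_dll_references(data):
    """Defensive triage: report string fields naming a .dll in a drive root
    (the placement post #11 describes) and whether the link is NT-style."""
    flags, fields = parse_lnk(data)
    hits = [(k, v) for k, v in fields.items()
            if ROOT_FILE.match(v) and v.lower().endswith(".dll")]
    return bool(flags & IS_UNICODE), hits
```

A renamed DLL (as post #11 notes is possible) will not be caught by the extension check alone; a real scanner would also inspect the referenced file, not just the shortcut.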
  15. I'm reasonably sure that Ant is capable of otherwise "porting" it for
    Win ME to test for himself whether or not there is an exploitable
    vulnerability in ME's shell.
     
    FromTheRafters, Jul 22, 2010
    #15
  16. Virus Guy Guest

    I didn't say he wasn't capable.

    I'm saying that there isn't enough of a difference in ME's shell
    compared to win-98se that would make it vulnerable to this exploit.
     
    Virus Guy, Jul 23, 2010
    #16
  17. Not at all similar, except in respect to the surprise aspect you mentioned.
    Sometimes things are around for a long time before knowledge of them becomes
    public.
     
    FromTheRafters, Jul 25, 2010
    #17
  18. I see. I was just reacting to the "as published" .lnk file. The 'as
    published' exploit may have been NT *vector* specific but not actually
    exclusive (once ported) as a demonstrable vulnerability for 9x.
     
    FromTheRafters, Jul 25, 2010
    #18
  19. Dustin Guest

    I could have sworn this exploit had been discussed several years ago...
     
    Dustin, Jul 25, 2010
    #19
  20. A decade in the case of format string attacks.
     
    FromTheRafters, Jul 26, 2010
    #20