Vulnerability in Windows "LNK" files?

Published: 2010-07-16
Last Updated: 2010-07-18 21:17:04 UTC
by Joel Esler (Version: 4)
17 comment(s)

We've received plenty of information over the past couple days about this alleged vulnerability in Windows's "lnk" file, and its use against "SCADA" networks.

http://www.theregister.co.uk/2010/07/16/windows_shortcut_trojan/

http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

UPDATE:  Two of our Handlers have copies of it now on their analysis systems.  Thank you, we will analyze it.

UPDATE 2:  We have been notified via our comments that Symantec has definitions for this malware as well now.

-- Joel Esler | http://blog.joelesler.net | http://twitter.com/joelesler

UPDATE 3 (from Bojan):

Microsoft posted the advisory about the vulnerability in Windows Shell that has been exploited in some targeted attacks (the advisory is at http://www.microsoft.com/technet/security/advisory/2286198.mspx).

I've tested the exploit and can confirm that it works in Windows XP, Vista and Windows 7. The exploit uses a specially crafted LNK file. This file allows the attacker to execute an arbitrary file by carefully specifying its location – the LNK file in itself does not exploit any vulnerability such as buffer overflows, for example, so it is a legitimate LNK file. The LNK file used in targeted attacks was manually crafted, as some fields that are normally present, such as CreationTime, AccessTime or WriteTime, are all set to 0.

I will not be posting details about how the exploit works, but here are some things that you should be aware of:

  • If autorun is disabled, when a USB device with malicious LNK files is inserted, the exploit will not be triggered automatically.
  • The exploit is triggered every time a folder containing a malicious LNK file is opened (for example, with Windows Explorer). It does not matter where this folder is – it does not have to be on a USB device, but in order to execute the malicious binary, the attacker has to specify its location correctly.

What makes this vulnerability extremely serious is the fact that it can be opened from any place, including remote shares, for example. The victim just has to browse to the remote share in order to trigger the vulnerability. So double check permissions on any remote shares you use in your companies (you shouldn't allow users to write in root folders, for example).

Some AV vendors started adding detection for these LNK files, although it is still very, very bad.

We will, of course, keep an eye on the development of this.

UPDATE 4 (from Bojan):

A PoC that exploits this vulnerability has been posted today. I would recommend everyone to take a look at Microsoft's advisory that is available at http://www.microsoft.com/technet/security/advisory/2286198.mspx, especially the workarounds section ("Disable the displaying of icons for shortcuts").

--

Bojan
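
Update 3 observes that the LNK file used in the targeted attacks had CreationTime, AccessTime and WriteTime all set to 0. The following added example (not from the diary or its authors) parses the fixed 76-byte shell link header and flags that condition as a triage heuristic; the header layout follows Microsoft's published MS-SHLLINK format, the sample headers are constructed, and the function names are this example's own.

```python
import struct
from datetime import datetime, timedelta, timezone

# ShellLinkHeader layout per the published MS-SHLLINK format: 76 bytes, little-endian.
# HeaderSize, LinkCLSID, LinkFlags, FileAttributes, CreationTime, AccessTime,
# WriteTime, FileSize, IconIndex, ShowCommand, HotKey, Reserved1..3
HEADER = struct.Struct("<I16sIIQQQIIIHHII")
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC); 0 means 'not set'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def triage_lnk(data):
    """Return a verdict dict for the leading bytes of a .lnk file."""
    if len(data) < HEADER.size:
        return {"valid": False, "reason": "shorter than ShellLinkHeader"}
    fields = HEADER.unpack_from(data)
    header_size, clsid = fields[0], fields[1]
    creation, access, write = fields[4], fields[5], fields[6]
    if header_size != 0x4C or clsid != LINK_CLSID:
        return {"valid": False, "reason": "not a shell link header"}
    times = {"CreationTime": creation, "AccessTime": access, "WriteTime": write}
    return {
        "valid": True,
        "times": {k: filetime_to_dt(v) for k, v in times.items()},
        # The condition described in Update 3: all three timestamps are zero.
        "all_timestamps_zero": all(v == 0 for v in times.values()),
    }

def build_header(creation, access, write):
    """Constructed sample header for the demo (not taken from any real file)."""
    return HEADER.pack(0x4C, LINK_CLSID, 0x1, 0x20, creation, access, write,
                       0, 0, 1, 0, 0, 0, 0)

# Constructed samples: one with plausible timestamps, one with all three zeroed.
TS_2010_07_16 = 129237120000000000  # FILETIME for 2010-07-16 00:00:00 UTC
NORMAL = build_header(TS_2010_07_16, TS_2010_07_16, TS_2010_07_16)
ZEROED = build_header(0, 0, 0)

if __name__ == "__main__":
    for name, blob in (("normal", NORMAL), ("zeroed", ZEROED), ("junk", b"MZ" * 40)):
        print(name, triage_lnk(blob))
```

Zero timestamps mean the fields were never populated, so a hit is a reason to look closer at the file, not a verdict.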

Keywords: lnk

Comments

Don't know if it'll help, but I saw this on F-Secure's blog a couple days ago.

http://www.f-secure.com/weblog/archives/00001986.html

http://www.f-secure.com/weblog/archives/00001987.html

Symantec has definitions
http://www.symantec.com/security_response/writeup.jsp?docid=2010-071400-3123-99

Does anyone have an md5 for this, that they wouldn't mind sharing?

Jamal, the f-secure item above (http://www.f-secure.com/weblog/archives/00001986.html) points to an analysis by VirusBlokAda. It points at VirusTotal which has hashes.

Microsoft have released an advisory for this:

* Microsoft Security Advisory (2286198)
- Title: Vulnerability in Windows Shell Could Allow Remote Code Execution
- http://www.microsoft.com/technet/security/advisory/2286198.mspx
- Revision Note: V1.0 (July 16, 2010) Advisory published.

MS suggests disabling the WebClient service. Wonder what applications that breaks?

Michael, this is good news. According to http://support.microsoft.com/kb/832161 ,
'Note You can disable the WebClient service as long as you do not have to modify or write files on Web Distributed Authoring and Versioning (WebDAV) servers.'

For a few years now, I have routinely disabled this service on every Windows PC I use since I learned that it speeds up browsing/using network shares.

I released a new version of my tool Ariad to mitigate this .LNK exploitation.
http://blog.didierstevens.com/2010/07/18/mitigating-lnk-exploitation-with-ariad/

As Ariad is a system driver and works in the Kernel, be sure to test this first on machines you can trash.
