Security Basics mailing list archives
Re: .LNK vulnerability
From: vijay upadhyaya <vijay.upadhyaya () gmail com>
Date: Fri, 23 Jul 2010 15:26:59 -0700
This is by far the blog with good analysis on Stuxnet:
http://siblog.mcafee.com/critical_infrastructure/stuxnet-a-view-from-an-energy-perspective/

On Fri, Jul 23, 2010 at 1:12 PM, Todd Haverkos <infosec () haverkos com> wrote:

> Todd Haverkos <infosec () haverkos com> writes:
>
> > Daniel Hood <dsmhood () gmail com> writes:
> >
> > > List,
> > >
> > > Can someone please share how this vulnerability actually works. I'm
> > > wondering whether it's a "You visit a .php page that's infected and
> > > you're exploited" or whether it's a "You click a link on a .php page
> > > and it links to a .lnk file and you download it and run it and you're
> > > exploited."? Can someone please shed some light on this?
> > >
> > > Daniel
> >
> > Hi Daniel,
> >
> > The most recent thing I've learned is that .PIF files are also an attack
> > vector in addition to .LNK.
> >
> > The best I was able to make of the ISC writeups and the Microsoft
> > advisory (2286198) was that you get a .LNK file onto the system in some
> > fashion (USB drive inserted, it showing up on a network share that a
> > user views in Explorer, or saved via web page somehow to a local file
> > system), and then, when the directory containing the LNK file gets
> > viewed in Windows Explorer in the icon view, that's when the Bad Things
> > happen. It struck me as a lot of things having to line up in any case
> > other than the "insert infected USB drive" attack vector....
>
> If I'm right about that understanding,...and I've finally found something
> that suggests maybe the criticality of this perhaps _isn't_ over-hyped.
>
> I found this sentence buried in the US-CERT writeup
> http://www.kb.cert.org/vuls/id/940193
>
>   "With the case of Internet Explorer, no user interaction beyond viewing
>   a web page is required to trigger the vulnerability."
>
> Microsoft's advisory is confusing at times, to the point where it doesn't
> mention a web-based attack as a possibility in a very direct way. At least
> the sentence "or remotely via network shares and WebDAV" in the exec
> summary didn't hit my ears as "drive-by ownage for users using IE." But
> apparently that's among the infection vectors.
>
> More to your original question Daniel, the best synopsis I've seen:
>
>   What causes this threat?
>
>   When attempting to load the icon of a shortcut, the Windows Shell does
>   not correctly validate specific parameters of the shortcut.
>
>   How could an attacker exploit the vulnerability?
>
>   An attacker could present a removable drive to the user with a
>   malicious shortcut file, and an associated malicious binary. When the
>   user opens this drive in Windows Explorer, or any other application
>   that parses the icon of the shortcut, the malicious binary will execute
>   code of the attacker's choice on the victim system.
>
>   An attacker could also set up a malicious Web site or a remote network
>   share and place the malicious components on this remote location. When
>   the user browses the Web site using a Web browser such as Internet
>   Explorer or a file manager such as Windows Explorer, Windows will
>   attempt to load the icon of the shortcut file, and the malicious binary
>   will be invoked. In addition, an attacker could embed an exploit in a
>   document that supports embedded shortcuts or a hosted browser control
>   (such as but not limited to Microsoft Office documents).
>
> Best Regards,
> --
> Todd Haverkos, LPT MsCompE
> http://haverkos.com/
>
> ------------------------------------------------------------------------
> Securing Apache Web Server with thawte Digital Certificate
> In this guide we examine the importance of Apache-SSL and who needs an SSL
> certificate. We look at how SSL works, how it benefits your company and
> how your customers can tell if a site is secure. You will find out how to
> test, purchase, install and use a thawte Digital Certificate on your
> Apache web server. Throughout, best practices for set-up are highlighted
> to help you ensure efficient ongoing management of your encryption keys
> and digital certificates.
> http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
> ------------------------------------------------------------------------

--
Vijay Upadhyaya
BS-7799 Lead Auditor CISA CISSP CSGA
Nortel ASF Training Certification
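The quoted advisory text says the risk is in what Explorer touches when it renders a shortcut icon, and the thread lists removable drives, network shares and WebDAV as the places such a shortcut shows up. The following is an added example for this thread, not code from the list, from Microsoft or from any poster: a Python triage parser that reads the ShellLinkHeader and StringData sections of the public MS-SHLLINK layout and flags shortcuts whose icon resource comes from a library file (.dll/.cpl/.ocx) or from a remote UNC/HTTP location, so a defender can sweep a mounted drive or share before anyone opens it in icon view. The flagging rules are a heuristic chosen here, not a signature for the specific parsing flaw under discussion, and the `build_lnk` helper only constructs ordinary well-formed shortcuts as test input.

```python
# Added example (not code from the thread): heuristic triage of Windows
# shell link (.LNK) files, following the MS-SHLLINK layout.
import os
import struct
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1), only those this parser needs.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData sections follow LinkInfo in this fixed order, each present only if flagged.
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                 ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                 ("icon_location", HAS_ICON_LOCATION))

# Heuristic (my choice): extensions an ordinary shortcut icon is not expected to come from.
LIBRARY_SUFFIXES = (".dll", ".cpl", ".ocx")


def parse_lnk(data: bytes) -> dict:
    """Parse the header and StringData of a shell link into a dict of fields."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid_raw, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=clsid_raw) != LINK_CLSID:
        raise ValueError("not a shell link header")
    info = {"flags": flags}
    info.update({name: "" for name, _ in STRING_FIELDS})
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:            # IDListSize (u16) + IDList bytes
        (id_list_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + id_list_size
    if flags & HAS_LINK_INFO:                      # LinkInfoSize is its own first field
        (link_info_size,) = struct.unpack_from("<I", data, pos)
        pos += link_info_size
    for name, bit in STRING_FIELDS:                # CountCharacters (u16) + characters
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)
        pos += 2
        nbytes = count * 2 if flags & IS_UNICODE else count
        if pos + nbytes > len(data):
            raise ValueError("truncated StringData section: " + name)
        codec = "utf-16-le" if flags & IS_UNICODE else "cp1252"
        info[name] = data[pos:pos + nbytes].decode(codec)
        pos += nbytes
    info["parsed_bytes"] = pos
    return info


def triage(info: dict) -> list:
    """Return human-readable reasons a parsed shortcut deserves a closer look."""
    reasons = []
    icon = info["icon_location"]
    low = icon.lower()
    if low.endswith(LIBRARY_SUFFIXES):
        reasons.append("icon resource comes from a library file: " + icon)
    if icon.startswith("\\\\") or low.startswith(("http://", "https://")):
        reasons.append("icon resource is fetched from a remote location: " + icon)
    return reasons


def triage_bytes(data: bytes) -> list:
    """Triage raw file contents; unparseable files are reported rather than skipped."""
    try:
        return triage(parse_lnk(data))
    except (ValueError, struct.error) as exc:
        return ["could not parse: %s" % exc]


def scan_directory(root: str) -> list:
    """Walk a mounted volume or share; return (path, reasons) for every flagged .LNK."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            if filename.lower().endswith(".lnk"):
                path = os.path.join(dirpath, filename)
                with open(path, "rb") as fh:
                    reasons = triage_bytes(fh.read())
                if reasons:
                    findings.append((path, reasons))
    return findings


def build_lnk(icon_location="", arguments="", id_list_items=(), use_unicode=True) -> bytes:
    """Construct a minimal well-formed shell link (constructed test data only)."""
    flags = IS_UNICODE if use_unicode else 0
    body = b""
    if id_list_items:
        flags |= HAS_LINK_TARGET_ID_LIST
        items = b"".join(struct.pack("<H", len(it) + 2) + it for it in id_list_items)
        items += b"\x00\x00"                        # TerminalID
        body += struct.pack("<H", len(items)) + items

    def string_data(text):
        return struct.pack("<H", len(text)) + text.encode("utf-16-le" if use_unicode else "cp1252")

    if arguments:
        flags |= HAS_ARGUMENTS
        body += string_data(arguments)
    if icon_location:
        flags |= HAS_ICON_LOCATION
        body += string_data(icon_location)
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID.bytes_le, flags)
    header += struct.pack("<I", 0) + b"\x00" * 24   # FileAttributes, three FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)  # FileSize, IconIndex, ShowCommand, HotKey, Reserved
    return header + body
```

To sweep a drive, mount it on an analysis box and call `scan_directory` on the mount point (for example `scan_directory(r"E:\")`), ideally from a file manager or shell that is not rendering icons for that folder while you do it. The parser stops after StringData, so it never dereferences the icon path itself, and it only understands the shell link layout: the .PIF vector mentioned in the thread is a different file format and is not covered by this check.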