Security Basics mailing list archives

Re: .LNK vulnerability


From: Todd Haverkos <infosec () haverkos com>
Date: Fri, 23 Jul 2010 11:28:58 -0500


Daniel Hood <dsmhood () gmail com> writes:
> List,
>
> Can someone please share how this vulnerability actually works?
>
> I'm wondering whether it's a "You visit a .php page that's infected and
> you're exploited" or whether it's a "You click a link on a .php page and
> it links to a .lnk file and you download it and run it and you're
> exploited"?
>
> Can someone please shed some light on this?
>
> Daniel

Hi Daniel, 

The most recent thing I've learned is that .PIF files are also an
attack vector in addition to .LNK. 

The best I was able to make of the ISC writeups and the Microsoft
advisory (2286198) was that you get a .LNK file onto the system in
some fashion (a USB drive inserted, it showing up on a network share
that a user views in Explorer, or saved via a web page somehow to a
local file system), and then, when the directory containing the LNK
file gets viewed in Windows Explorer in the icon view, that's when the
Bad Things happen.  It struck me as a lot of things having to line up
in any case other than the "insert infected USB drive" attack vector.

Having autorun disabled does raise the bar a little for the USB or CD
insertion scenarios, but doesn't eliminate the vulnerability if
someone manually browses the directory in Explorer, as I understand
it.

If I'm right about that understanding, it didn't strike me as anything
nearly as effective or threatening as a drive-by download exploit for
Java/Flash/Reader would be.  I'm not really sure why that was enough
for the SANS ISC to raise Infocon to yellow when there have been
drive-by exploitable plugin issues for browsers that posed a much
bigger threat where they didn't go yellow.

I'd also be curious to know if there's more to the LNK issue than I'm
understanding it to be.  

It would be a good time, though, to remind users that popping a USB
drive they found in the bathroom, parking lot or lobby into their
Windows computer to have a look at what's on it is _not_ safe to
do... then again, that's been true with the existence of things like U3
autorun ability, USB Hacksaw and USB Switchblade for quite some time.
This just represents another USB-borne attack vector that isn't
necessarily dependent on autorun settings.

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
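Editor's added example (not from the thread, not Microsoft's or the ISC's code): since the reply above says the trigger is Explorer rendering the directory, the practical check is to list what is on a found drive or share without letting the shell touch it. This is a stand-alone Python 3 parser for the publicly documented shell-link layout (MS-SHLLINK: ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData, ExtraData) that reports each .LNK/.PIF's flags, ID-list item count, resolved local path and icon location, and treats a .PIF as a link only if it actually carries the shell-link header. It runs from any OS. The sample files, the scratch directory and the `has_file_target` triage flag are constructed assumptions for the demo; the code reads the files, it does not claim to detect the exploit.

```python
"""Inventory .LNK / .PIF files without letting the Windows shell render them.

Added example: a parser for the documented shell-link layout (MS-SHLLINK).
It never calls into Windows, so a found USB drive or a share can be listed
from any OS instead of opened in Explorer. Samples below are constructed.
"""
import os
import struct
import tempfile
import uuid

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C
# LinkFlags bits 0..7 (MS-SHLLINK 2.1.1), lowest bit first.
FLAG_NAMES = ["HasLinkTargetIDList", "HasLinkInfo", "HasName", "HasRelativePath",
              "HasWorkingDir", "HasArguments", "HasIconLocation", "IsUnicode"]
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]


def _cstr(data, off):
    """NUL-terminated ANSI string starting at `off`."""
    return data[off:data.index(b"\0", off)].decode("cp1252", "replace")


def parse_shell_link(data):
    """Describe one shell link; anything without the header/CLSID is reported as not a link."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or uuid.UUID(bytes_le=bytes(data[4:20])) != SHELL_LINK_CLSID):
        return {"is_shell_link": False}
    flags, = struct.unpack_from("<I", data, 20)
    info = {"is_shell_link": True, "idlist_items": 0, "local_base_path": None,
            "target_path": None, "extra_blocks": [],
            "flags": [n for i, n in enumerate(FLAG_NAMES) if flags >> i & 1]}
    info.update((k, None) for _, k in STRING_FIELDS)
    pos = HEADER_SIZE
    if flags & 0x01:  # LinkTargetIDList: IDListSize, then ItemIDs ended by a 0x0000 TerminalID
        idlist_size, = struct.unpack_from("<H", data, pos)
        pos += 2
        end = pos + idlist_size
        while pos + 2 <= end:
            item_size, = struct.unpack_from("<H", data, pos)
            if item_size == 0:
                break
            info["idlist_items"] += 1
            pos += item_size
        pos = end
    if flags & 0x02:  # LinkInfo: 7-dword header, then VolumeID / LocalBasePath / CommonPathSuffix
        li_size, _hdr, li_flags, _vol, base_off, _cnrl, suffix_off = struct.unpack_from("<7I", data, pos)
        if li_flags & 0x01:  # VolumeIDAndLocalBasePath
            info["local_base_path"] = _cstr(data, pos + base_off)
            info["target_path"] = info["local_base_path"] + _cstr(data, pos + suffix_off)
        pos += li_size
    width = 2 if flags & 0x80 else 1  # IsUnicode: UTF-16LE vs ANSI StringData
    for bit, key in STRING_FIELDS:  # StringData: CountCharacters, then the characters, no terminator
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            raw = data[pos + 2:pos + 2 + count * width]
            info[key] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
            pos += 2 + count * width
    while pos + 8 <= len(data):  # ExtraData: BlockSize + BlockSignature; size < 4 is the terminal block
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        info["extra_blocks"].append("0x%08X" % sig)
        pos += size
    # Coarse triage flag (my assumption, not a signature): does the link name any file at all?
    info["has_file_target"] = bool(info["target_path"] or info["relative_path"])
    return info


def inventory(root):
    """Walk `root`; parse every *.lnk / *.pif by content. Returns {relative path: info}."""
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith((".lnk", ".pif")):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    found[os.path.relpath(full, root)] = parse_shell_link(fh.read())
    return found


# ---- constructed samples (built here for the demo, not real files) ----------------
def _header(flags):
    return (struct.pack("<I", HEADER_SIZE) + SHELL_LINK_CLSID.bytes_le
            + struct.pack("<II", flags, 0x20) + b"\0" * 24         # attrs, three zero FILETIMEs
            + struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0))         # size, icon idx, SW_SHOWNORMAL, ...


def _linkinfo(local_path):
    volume_id = struct.pack("<IIII", 0x11, 3, 0x12345678, 0x10) + b"\0"  # DRIVE_FIXED, empty label
    base, suffix = local_path.encode("ascii") + b"\0", b"\0"
    vol_off, base_off = 28, 28 + len(volume_id)
    suffix_off = base_off + len(base)
    return (struct.pack("<7I", suffix_off + len(suffix), 28, 1, vol_off, base_off, 0, suffix_off)
            + volume_id + base + suffix)


def _sd(s):  # one Unicode StringData entry
    return struct.pack("<H", len(s)) + s.encode("utf-16-le")


TERMINAL = b"\0\0\0\0"
# Ordinary shortcut: LinkInfo + RelativePath + IconLocation, Unicode strings.
SAMPLE_NOTEPAD = (_header(0x02 | 0x08 | 0x40 | 0x80) + _linkinfo("C:\\Windows\\notepad.exe")
                  + _sd("..\\..\\Windows\\notepad.exe") + _sd("%SystemRoot%\\notepad.exe") + TERMINAL)
# Shortcut carrying only an ID list of opaque shell items and no file path.
_items = [b"\xee" * 18, b"\xee" * 10]
_idlist = b"".join(struct.pack("<H", 2 + len(i)) + i for i in _items) + b"\0\0"
SAMPLE_IDLIST_ONLY = _header(0x01 | 0x80) + struct.pack("<H", len(_idlist)) + _idlist + TERMINAL
# A .pif holding something other than a shell link (here a constructed MZ stub).
SAMPLE_NOT_A_LINK = b"MZ" + b"\0" * 100


def demo():
    """Drop the samples in a scratch directory and inventory it like a mounted drive."""
    with tempfile.TemporaryDirectory() as root:
        for name, blob in [("readme.lnk", SAMPLE_NOTEPAD), ("photos.lnk", SAMPLE_IDLIST_ONLY),
                           ("game.pif", SAMPLE_NOT_A_LINK)]:
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(blob)
        report = inventory(root)
    for path, info in sorted(report.items()):
        print(path, "->", info if not info["is_shell_link"] else
              {k: info[k] for k in ("flags", "idlist_items", "target_path", "icon_location", "has_file_target")})
    return report


if __name__ == "__main__":
    demo()
```

Against a real drive, call `inventory("/media/usb")` (or whatever the mount point is) from a machine that is not the Windows box you care about; an entry with ID-list items but no file target is worth a closer look by hand, but the point of the thread stands either way: the drive still should not be browsed in Explorer.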
