Security Basics mailing list archives

RE: .LNK vulnerability


From: David Bobrosky <ragnar21583 () hotmail com>
Date: Fri, 23 Jul 2010 10:09:08 -0700


Hey guys
 
Long time reader, first time poster. This is something I ran across recently so I thought I'd share my 2c.
 
The vulnerability that is described in MSA2286189 works more or less like Daniel explained. The .lnk file is a 
shortcut that targets another file/folder and (here is the kicker) it blindly executes any code within it! With Stuxnet 
it was propagated via pen drives, but the initial vector was often a trojan.
 
There is another variant out there right now that has the initial vector as a trojan that we believe is coming from 
social media sites. This variant goes out and finds any mapped drives. It then replaces folders within them with a 
shortcut link and hides the original folder (attrib). The .lnk file executes its code to then infect any computer that 
accesses the link. This allows it to propagate to anyone who shares the network folders!
 
Some of the in-depth information on how the vulnerability can be exploited is explained on the Symantec 
site:
 
http://www.symantec.com/connect/blogs/w32stuxnet-installation-details
http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components

To: dsmhood () gmail com
CC: security-basics () securityfocus com
Subject: Re: .LNK vulnerability
From: infosec () haverkos com
Date: Fri, 23 Jul 2010 11:28:58 -0500


Daniel Hood <dsmhood () gmail com> writes:
List,

Can someone please share how this vulnerability actually works.

I'm wondering whether it's a "You visit a .php page that's infected and
you're exploited" or whether it's a "You click a link on a .php page and
it links to a .lnk file and you download it and run it and you're
exploited."?

Can someone please shed some light on this?

Daniel

Hi Daniel, 

The most recent thing I've learned is that .PIF files are also an
attack vector in addition to .LNK. 

The best I was able to make of the ISC writeups and the Microsoft
advisory (2286198) was that you get a .LNK file onto the system in
some fashion (usb drive inserted, it showing up on a network share
that a user views in explorer, or saved via web page somehow to a
local file system), and then, when the directory containing the LNK
file gets viewed in Windows Explorer in the icon view, that's when the
Bad Things happen.  It struck me as a lot of things having to line up
in any case other than the "insert infected USB drive" attack vector.

Having autorun disabled does raise the bar a little for the usb or cd
insertion scenarios, but doesn't eliminate the vulnerability if
someone manually browses the directory in explorer, as I understand
it. 

If I'm right about that understanding, it didn't strike me as anything
nearly as effective or threatening as a drive-by download exploit for
java/flash/reader would be.  I'm not really sure why that was enough
for the SANS ISC to raise infocon to yellow when there have been
drive-by exploitable plugin issues for browsers that posed a much
bigger threat where they didn't go yellow. 

I'd also be curious to know if there's more to the LNK issue than I'm
understanding it to be.  

It would be a good time, though, to remind users that popping a usb
drive they found in the bathroom, parking lot or lobby into their
Windows computer to have a look at what's on it is _not_ safe to
do...then again, that's been true with the existence of things like U3
autorun ability, USB hacksaw and USB switchblade for quite some time.
This just represents another USB borne attack vector that isn't
necessarily dependent on autorun settings. 

Best Regards, 
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, 
how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, 
purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for 
set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital 
certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------

                                          
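The thread makes two practical points: a .lnk is a data file that Explorer parses in order to draw an icon, and in this bug the parsing itself is what runs the attacker's code; and the variant David describes spreads across shares by dropping "Folder.lnk" next to a hidden "Folder". The script below is an added example, not code from any poster on this list nor from Symantec or Microsoft. It reads the public Shell Link (MS-SHLLINK) layout to show what a shortcut actually references, applies two heuristics of its own (a target or icon location that is a .dll/.cpl, or a target given only as an item ID list with no path string to inspect), and walks a tree for the folder-shadowing pattern. The sample shortcut, the "loader.dll" path and the temp-directory tree it scans are all constructed here for the demonstration; the hidden-attribute check only works on Windows and reports "unknown" elsewhere.

```python
"""Shell Link (.lnk) triage for the pattern discussed in this thread.

Added example, not code from the list posters or from Symantec/Microsoft.
Byte layout follows the public MS-SHLLINK format; the 'assess' heuristics
and the sample shortcut are this example's own constructions.
"""
import os
import struct
import sys
import tempfile

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
FILE_ATTRIBUTE_HIDDEN = 0x2


def build_lnk(local_path, icon_location=None):
    """Construct a minimal ANSI .lnk: 76-byte header, LinkInfo with a local base path, optional ICON_LOCATION."""
    flags = HAS_LINKINFO | (HAS_ICON if icon_location else 0)
    header = struct.pack("<I16sIIQQQIiIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    path = local_path.encode("latin-1") + b"\0"
    volume_id = struct.pack("<IIII", 17, 3, 0, 16) + b"\0"        # DRIVE_FIXED, empty volume label
    lbp_off = 28 + len(volume_id)                                    # LinkInfoHeaderSize is 28 without unicode offsets
    suffix_off = lbp_off + len(path)
    linkinfo = struct.pack("<IIIIIII", suffix_off + 1, 28, 1, 28, lbp_off, 0, suffix_off) + volume_id + path + b"\0"
    out = header + linkinfo
    if icon_location:
        s = icon_location.encode("latin-1")
        out += struct.pack("<H", len(s)) + s                         # CountCharacters + chars, no terminator
    return out


def parse_lnk(data):
    """Extract LinkFlags, the LinkInfo local base path and the StringData fields from a .lnk."""
    if len(data) < 76 or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"flags": flags, "has_idlist": bool(flags & HAS_IDLIST), "local_base_path": None}
    pos = 76
    if flags & HAS_IDLIST:                                           # IDListSize + ItemIDList, skipped here
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:
        li_size, _hdr_size, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 1:                                             # VolumeIDAndLocalBasePath
            end = data.index(b"\0", pos + lbp_off)
            info["local_base_path"] = data[pos + lbp_off:end].decode("latin-1")
        pos += li_size
    for key, bit in (("name", HAS_NAME), ("relative_path", HAS_RELPATH), ("working_dir", HAS_WORKDIR),
                     ("arguments", HAS_ARGS), ("icon_location", HAS_ICON)):
        if flags & bit:
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            width = 2 if flags & IS_UNICODE else 1
            info[key] = data[pos:pos + n * width].decode("utf-16-le" if width == 2 else "latin-1")
            pos += n * width
    return info


def assess(info):
    """This example's own heuristics for a shortcut that deserves a closer look."""
    reasons = []
    for key in ("local_base_path", "relative_path", "icon_location"):
        val = info.get(key) or ""
        if val.lower().endswith((".dll", ".cpl")):
            reasons.append(f"{key} references a library rather than a document or program: {val}")
    if info["has_idlist"] and info["local_base_path"] is None and not info.get("relative_path"):
        reasons.append("target given only as an item ID list; resolve it before trusting this shortcut")
    return reasons


def is_hidden(path):
    """True/False on Windows (st_file_attributes), None where the attribute is not available."""
    attrs = getattr(os.stat(path), "st_file_attributes", None)
    return None if attrs is None else bool(attrs & FILE_ATTRIBUTE_HIDDEN)


def find_folder_doppelgangers(root):
    """Return [(lnk_path, reasons)] for every 'X.lnk' that sits beside a directory 'X'."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs = {d.lower(): d for d in dirnames}
        for fn in filenames:
            stem, ext = os.path.splitext(fn)
            if ext.lower() != ".lnk" or stem.lower() not in dirs:
                continue
            full = os.path.join(dirpath, fn)
            hidden = is_hidden(os.path.join(dirpath, dirs[stem.lower()]))
            reasons = [f"shadows folder {dirs[stem.lower()]}",
                       f"original folder hidden: {'unknown' if hidden is None else hidden}"]
            with open(full, "rb") as fh:
                try:
                    reasons += assess(parse_lnk(fh.read()))
                except ValueError as exc:
                    reasons.append(str(exc))
            hits.append((full, reasons))
    return hits


def demo():
    """Constructed sample tree: one shadowed folder plus one ordinary shortcut."""
    root = tempfile.mkdtemp(prefix="lnk-triage-")
    os.mkdir(os.path.join(root, "Reports"))
    with open(os.path.join(root, "Reports.lnk"), "wb") as fh:        # the shortcut that "replaced" the folder
        fh.write(build_lnk(r"C:\Users\Public\loader.dll"))            # hypothetical path, constructed here
    with open(os.path.join(root, "Editor.lnk"), "wb") as fh:         # benign: no folder of that name beside it
        fh.write(build_lnk(r"C:\Windows\notepad.exe"))
    return find_folder_doppelgangers(root)


if __name__ == "__main__":
    for lnk, reasons in find_folder_doppelgangers(sys.argv[1]) if len(sys.argv) > 1 else demo():
        print(lnk, "->", "; ".join(reasons))
```

Run it with a mapped-drive root as the argument to sweep a share, or with no argument to see the constructed sample. The parser stops after StringData and does not walk ExtraData blocks, so a shortcut with an ID-list-only target is reported for manual resolution rather than silently passed.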