Security Basics mailing list archives
RE: .LNK vulnerability
From: David Bobrosky <ragnar21583 () hotmail com>
Date: Fri, 23 Jul 2010 10:09:08 -0700
Hey guys,

Long-time reader, first-time poster. This is something I ran across recently, so I thought I'd share my 2c.

The vulnerability that is described in MSA 2286198 works more or less like Daniel explained. The .lnk file is a shortcut that targets another file/folder and (here is the kicker) it blindly executes any code within it! With Stuxnet it was propagated via pen drives, but the initial vector was often a trojan. There is another variant out there right now that has the initial vector as a trojan that we believe is coming from social media sites. This variant goes out and finds any mapped drives. It then replaces folders within them with a shortcut link and hides the original folder (attrib). The .lnk file executes its code to then infect any computer that accesses the link. This allows it to propagate to anyone who shares the network folders!

Some of the in-depth information behind how the vulnerability can be exploited is explained on the Symantec site:
http://www.symantec.com/connect/blogs/w32stuxnet-installation-details
http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components
To: dsmhood () gmail com
CC: security-basics () securityfocus com
Subject: Re: .LNK vulnerability
From: infosec () haverkos com
Date: Fri, 23 Jul 2010 11:28:58 -0500

Daniel Hood <dsmhood () gmail com> writes:

> List,
> Can someone please share how this vulnerability actually works. I'm wondering whether it's a "You visit a .php page that's infected and you're exploited" or whether it's a "You click a link on a .php page and it links to a .lnk file and you download it and run it and you're exploited."? Can someone please shed some light on this?
> Daniel

Hi Daniel,

The most recent thing I've learned is that .PIF files are also an attack vector in addition to .LNK.

The best I was able to make of the ISC writeups and the Microsoft advisory (2286198) was that you get a .LNK file onto the system in some fashion (USB drive inserted, it showing up on a network share that a user views in Explorer, or saved via web page somehow to a local file system), and then, when the directory containing the LNK file gets viewed in Windows Explorer in the icon view, that's when the Bad Things happen.

It struck me as a lot of things having to line up in any case other than the "insert infected USB drive" attack vector. Having autorun disabled does raise the bar a little for the USB or CD insertion scenarios, but doesn't eliminate the vulnerability if someone manually browses the directory in Explorer, as I understand it.

If I'm right about that understanding, it didn't strike me as anything nearly as effective or threatening as a drive-by download exploit for Java/Flash/Reader would be. I'm not really sure why that was enough for the SANS ISC to raise Infocon to yellow when there have been drive-by exploitable plugin issues for browsers that posed a much bigger threat where they didn't go yellow. I'd also be curious to know if there's more to the LNK issue than I'm understanding it to be.
It would be a good time, though, to remind users that popping a USB drive they found in the bathroom, parking lot or lobby into their Windows computer to have a look at what's on it is _not_ safe to do... then again, that's been true with the existence of things like U3 autorun ability, USB Hacksaw and USB Switchblade for quite some time. This just represents another USB-borne attack vector that isn't necessarily dependent on autorun settings.

Best Regards,
--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
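The folder-replacement propagation David describes (a shortcut dropped in a folder's place on a mapped drive, the original folder hidden with attrib) leaves a pattern a defender can hunt for on a share. The script below is an added example, not code from either poster or from the Symantec write-ups: it parses the Windows shell link binary format far enough to recover the shortcut's target path, arguments and icon location, then walks a directory and flags every NAME.lnk that sits beside a directory called NAME. The sample shortcut it inspects is constructed in the script itself (pointing at cmd.exe) and is not taken from any real sample; the hidden-attribute check reads st_file_attributes, which Python only populates on Windows, so on other platforms dir_hidden is always False.

```python
"""Hunt a directory for the 'folder replaced by a shortcut' pattern and parse
each suspicious .lnk (MS-SHLLINK format) to see what it would launch.
Added example; the sample .lnk below is constructed, not a real malware file."""
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Optional

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")   # {00021401-0000-0000-C000-000000000046}
# ShellLinkHeader.LinkFlags bits
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
FILE_ATTRIBUTE_HIDDEN = 0x02                                     # the bit `attrib +h` sets
INTERPRETERS = {"cmd.exe", "rundll32.exe", "wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}


@dataclass
class Lnk:
    flags: int
    local_base_path: Optional[str] = None   # LinkInfo.LocalBasePath: the resolved target
    relative_path: Optional[str] = None
    working_dir: Optional[str] = None
    arguments: Optional[str] = None
    icon_location: Optional[str] = None


def _cstr(buf: bytes, off: int) -> str:
    """NUL-terminated ANSI string starting at buf[off]."""
    return buf[off:buf.index(b"\x00", off)].decode("cp1252", errors="replace")


def parse_lnk(data: bytes) -> Lnk:
    """Walk ShellLinkHeader -> LinkTargetIDList -> LinkInfo -> StringData."""
    if len(data) < 0x4C or struct.unpack_from("<I", data)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    lnk, pos = Lnk(flags), 0x4C
    if flags & HAS_ID_LIST:                      # skip the ItemID list; IDListSize excludes its own 2 bytes
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        info_size, _hdr_size, info_flags, _vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if info_flags & 0x1:                     # VolumeIDAndLocalBasePath present
            lnk.local_base_path = _cstr(data, pos + base_off)
        pos += info_size
    is_unicode = bool(flags & IS_UNICODE)

    def string_data() -> str:                    # CountCharacters (u16) followed by the chars, no terminator
        nonlocal pos
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2: pos + 2 + count * (2 if is_unicode else 1)]
        pos += 2 + len(raw)
        return raw.decode("utf-16-le") if is_unicode else raw.decode("cp1252", errors="replace")

    if flags & HAS_NAME:
        string_data()                            # NAME_STRING is only a comment; not needed here
    if flags & HAS_REL_PATH:
        lnk.relative_path = string_data()
    if flags & HAS_WORKING_DIR:
        lnk.working_dir = string_data()
    if flags & HAS_ARGS:
        lnk.arguments = string_data()
    if flags & HAS_ICON:
        lnk.icon_location = string_data()
    return lnk


def build_lnk(target: str, arguments: str = "", icon_location: str = "") -> bytes:
    """Constructed sample shortcut: LinkInfo with a LocalBasePath, Unicode Arguments and IconLocation."""
    flags = HAS_LINK_INFO | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sII", 0x4C, LNK_CLSID, flags, 0x20)    # HeaderSize, CLSID, LinkFlags, FILE_ATTRIBUTE_ARCHIVE
    header += struct.pack("<QQQ", 0, 0, 0)                            # creation/access/write FILETIMEs
    header += struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)           # FileSize, IconIndex, SW_SHOWNORMAL, HotKey, reserved
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"      # DRIVE_FIXED, empty volume label
    base = target.encode("cp1252") + b"\x00"
    vol_off, base_off = 0x1C, 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x1, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base + b"\x00"                           # empty CommonPathSuffix

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + link_info + string_data(arguments) + string_data(icon_location)


@dataclass
class Finding:
    lnk_path: str
    shadowed_dir: str
    dir_hidden: bool          # from st_file_attributes; only populated on Windows
    target: Optional[str]
    arguments: Optional[str]
    runs_interpreter: bool


def hunt_folder_shortcuts(directory: str) -> List[Finding]:
    """Every NAME.lnk with a sibling directory NAME is a candidate: users rarely keep
    a shortcut named exactly like a folder right next to that folder."""
    findings = []
    for name in sorted(os.listdir(directory)):
        if not name.lower().endswith(".lnk"):
            continue
        sibling = os.path.join(directory, name[:-4])
        if not os.path.isdir(sibling):
            continue
        lnk_path = os.path.join(directory, name)
        with open(lnk_path, "rb") as fh:
            try:
                lnk = parse_lnk(fh.read())
                target, args = lnk.local_base_path or lnk.relative_path, lnk.arguments
            except ValueError:
                target, args = None, None                # not even a valid shortcut: still worth a look
        attrs = getattr(os.stat(sibling), "st_file_attributes", 0)
        exe = target.replace("\\", "/").rsplit("/", 1)[-1].lower() if target else ""
        findings.append(Finding(lnk_path, sibling, bool(attrs & FILE_ATTRIBUTE_HIDDEN),
                                target, args, exe in INTERPRETERS))
    return findings


def demo() -> List[Finding]:
    """Stage a share the way the post describes and run the hunt over it (constructed data)."""
    root = tempfile.mkdtemp(prefix="lnkhunt-")
    os.mkdir(os.path.join(root, "Documents"))     # the original folder (on a real share: hidden via attrib +h)
    os.mkdir(os.path.join(root, "Pictures"))      # untouched folder, nothing to flag
    with open(os.path.join(root, "Documents.lnk"), "wb") as fh:   # decoy shortcut standing in for the folder
        fh.write(build_lnk(r"C:\Windows\System32\cmd.exe", "/c echo constructed sample",
                           r"%SystemRoot%\system32\shell32.dll"))
    with open(os.path.join(root, "Notes.lnk"), "wb") as fh:       # ordinary shortcut, no sibling folder
        fh.write(build_lnk(r"C:\Users\Public\notes.txt"))
    return hunt_folder_shortcuts(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f.lnk_path}: shadows {f.shadowed_dir} (hidden={f.dir_hidden}) -> {f.target} {f.arguments!r}"
              f"{'  [launches an interpreter]' if f.runs_interpreter else ''}")
```

Point hunt_folder_shortcuts at the root of a mapped share (it checks one directory level; wrap it in os.walk to cover subfolders) and treat any hit whose sibling folder is hidden or whose target is a script host as a priority for triage. The parser stops after StringData, so ExtraData blocks that may follow are ignored; a shortcut whose LinkInfo is absent but whose ItemID list carries the target shows target=None here, which the hunt still reports because the name collision alone is the signal.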
Current thread:
- .LNK vulnerability Daniel Hood (Jul 23)
- Re: .LNK vulnerability Todd Haverkos (Jul 23)
- RE: .LNK vulnerability Eggleston, Mark (Jul 23)
- Re: .LNK vulnerability Todd Haverkos (Jul 23)
- Re: .LNK vulnerability Shreyas Zare (Jul 23)
- RE: .LNK vulnerability Eggleston, Mark (Jul 23)
- RE: .LNK vulnerability faruk (Jul 27)
- RE: .LNK vulnerability Eggleston, Mark (Jul 23)
- Re: .LNK vulnerability John Koelndorfer (Jul 23)
- Re: .LNK vulnerability William Warren (Jul 27)
- Re: .LNK vulnerability Todd Haverkos (Jul 23)
- RE: .LNK vulnerability David Bobrosky (Jul 23)
- Re: .LNK vulnerability Todd Haverkos (Jul 23)
- Re: .LNK vulnerability vijay upadhyaya (Jul 27)
- Re: .LNK vulnerability Curt Purdy (Jul 28)
- <Possible follow-ups>
- RE: .LNK vulnerability krymson (Jul 27)