[AusNOG] .LNK vulnerability

Daniel McNamara daniel at auscert.org.au
Fri Jul 23 09:03:18 EST 2010


As per the MS bulletin:

http://www.microsoft.com/technet/security/advisory/2286198.mspx

This is a locally exploitable vulnerability via USB drives, file shares or
WebDAV. Or as the scenarios they describe:

"An attacker could present a removable drive to the user with a malicious
shortcut file, and an associated malicious binary. When the user opens this
drive in Windows Explorer, or any other application that parses the icon of
the shortcut, the malicious binary will execute code of the attacker's
choice on the victim system.

An attacker could also set up a malicious Web site or a remote network share
and place the malicious components on this remote location. When the user
browses the Web site using a Web browser such as Internet Explorer or a file
manager such as Windows Explorer, Windows will attempt to load the icon of
the shortcut file, and the malicious binary will be invoked. In addition, an
attacker could embed an exploit in a document that supports embedded
shortcuts or a hosted browser control"

The latter does require the WebDAV (WebClient) service to be running on the
end user's machine and the browser being able to interface with it.

In most scenarios where this would be exploited it would most likely be locally
via USB and file shares, à la the way Conficker spread internally.

- Daniel

-----Original Message-----
From: ausnog-bounces at lists.ausnog.net
[mailto:ausnog-bounces at lists.ausnog.net] On Behalf Of Daniel Hood
Sent: Friday, 23 July 2010 8:57 AM
To: ausnog at ausnog.net
Subject: [AusNOG] .LNK vulnerability

List,

Can someone please share how this vulnerability actually works.

I'm wondering whether it's a "You visit a .php page that's infected and
you're exploited" or whether it's a "You click a link on a .php page and
it links to a .lnk file and you download it and run it and you're
exploited."?

Can someone please shed some light on this?

Daniel