Friday, August 13, 2010

Microsoft LNK Exploit CVE-2010-2568

A new infection vector was found on July 2010. It uses LNK files to automatically execute DLL files without user intervention.

Shortcuts
These LNK files, also called Shortcut files, are not your usual shortcuts that any user can create with a click. It requires the the user to have the knowledge of the LNK file format, the Control Panel's CLSID and creation of a DLL file to craft the LNK exploit. The shortcut file has an extension of .LNK which can be seen from the command prompt. If you drag the LNK file to notepad you can see its contents, other text editors would load the target file instead of the lnk file. You need a hex/binary viewer for the file to be read it properly though.

The LNK Exploit
The exploit is not actually an exploit but rather a feature that is used by system shortcuts. Detecting the CLSID alone is prone to false positives but Microsoft already issued a workaround to disable this feature which can result to an ugly Program menu. Most users would rather ignore the workaround and hope they don't bumped into some malicous LNK files.

WebDAV Danger
The ugly part of this is that the LNK can only be sent to wreak havoc. The target file can be hosted on any server that acts as a shared folder known as WebDAV. Think of this scenario, you've downloaded file from P2P networks using your favorite client. By default, the client selects all the files you need to download. Once finished, you visit the folder and access your file. By visiting the folder with a crafted lnk file in it, you've already infected your computer without you clickin the lnk file.

Prevention
In order to prevent from being infected using this new vector, you need to have a firewall activated to prevent files outside your network from executing. The LNK file requires the target DLL to be on the specified path pointed by the LNK file. The dangerous part even though you have a firewall is when the target path of the LNK file also contains the DLL file. This is a scenario if you've downloaded a file that contains the LNK and the DLL in your DOWNLOADS folder. So far, there's no way of crafting a LNK file that points to its working directory.