From: FromTheRafters on 21 Jul 2010 20:29

"Ant" <not(a)home.today> wrote in message news:d--dnYad28aXHtrRnZ2dnUVZ8nqdnZ2d(a)brightview.co.uk...
> "Ant" wrote:
>
>> This works on Win2k but I don't know about 9x.
>
> I've now tested it on NT 4.0 (where it works) and Win 95 (where it
> doesn't). Double-clicking on the shortcut launches control panel on 95
> but still won't run the DLL.
>
> The bug has been around for so long that I'm surprised it hasn't been
> exploited earlier. Reminds me of the WMF vulnerability but worse.

...or this:

http://en.wikipedia.org/wiki/Format_string_attack

Sometimes, the blackhats can keep a secret for an extended period.
From: Virus Guy on 21 Jul 2010 22:13

Ant wrote:
>
> This works on Win2k but I don't know about 9x.
>
> I've now tested it on NT 4.0 (where it works) and Win 95 (where it
> doesn't). Double-clicking on the shortcut launches control panel
> on 95 but still won't run the DLL.

Same for Win-98se.

According to an MSDN article by Microsoft, Win-9x/me shortcut (lnk) files use ansi coding for the target filespec, but NT-based systems use unicode. This means there are two slightly different forms for lnk files.

http://msdn.microsoft.com/en-us/library/bb774950.aspx

My experimentation today on win-98 and XP-sp3 systems tells me that *both* systems understand and are compatible with *both* types of lnk files, but win-98 natively creates ansi-coded lnk files, while XP creates unicode files. But as you say, win-9x systems are not vulnerable to the unicode-coded .lnk files that are in current circulation.

The exploit is created by performing some minimal editing of .lnk files that point to a DLL file that must be present in the root directory of a named drive. Relational paths don't seem to work. The exploit causes the DLLMain routine in the DLL to execute when the .lnk file is made visible in an explorer window. Normally, the windows shell retrieves the icon bitmap from the dll to use as the icon to render the .lnk shortcut, but this exploit apparently triggers DLLMain to be executed instead.

The target of these malicious .lnk files must be regular or normal DLL files (even if they are renamed to something else). They can't be exe or some other type of file. The DLL file would also be malicious and must be paired with the .lnk file to work as a total exploit.

The most workable form of this exploit would be that both the .lnk and the DLL file be present in the root directory of a removable drive (flash most likely) and that multiple copies of the .lnk file would be present - because there is no way to know before-hand if the flash drive is drive d: or e: or f: (etc) on a given system.

Microsoft most likely knew of this exploit for some time (months, maybe longer) and was planning to use this as a big stick to get people to drop using win-2k and XP-sp1/sp2. It's very coincidental that Win-2k and XP-SP2 went EOL one week before this exploit was announced. That means no patch for them.
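As an added example (not code from the thread or from Microsoft), here is a small Python parser for the Shell Link binary format that extracts the fields the post above talks about: the IsUnicode flag that separates the ANSI-form and Unicode-form shortcuts, the LinkInfo local base path with its drive type, and the string data, plus a triage check that flags a shortcut whose target is a DLL sitting directly in a drive root. The sample .lnk bytes are constructed inline for the demonstration, and `parse_lnk`, `dll_in_drive_root` and `build_sample` are names chosen here.

```python
import struct

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80   # ShellLinkHeader LinkFlags bits
STRING_FLAGS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                (0x20, "arguments"), (0x40, "icon_location")]

def parse_lnk(data):
    """Pull LinkFlags, the LinkInfo local base path/drive type and StringData."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"unicode": bool(flags & IS_UNICODE), "local_base_path": None,
            "drive_type": None, "strings": {}}
    pos = 0x4C
    if flags & HAS_ID_LIST:                      # skip IDListSize + LinkTargetIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:
        size, _hdr, li_flags, vol_off, base_off = struct.unpack_from("<5I", data, pos)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath present
            info["drive_type"] = struct.unpack_from("<I", data, pos + vol_off + 4)[0]
            start = pos + base_off               # null-terminated ANSI string
            info["local_base_path"] = data[start:data.index(b"\0", start)].decode("latin-1")
        pos += size
    for flag, name in STRING_FLAGS:              # CountCharacters + chars, no terminator
        if flags & flag:
            count = struct.unpack_from("<H", data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            info["strings"][name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return info

def dll_in_drive_root(info):
    """The pattern the thread describes: target is a DLL sitting directly in a drive root."""
    parts = (info["local_base_path"] or "").split("\\")
    return len(parts) == 2 and parts[0].endswith(":") and parts[1].lower().endswith(".dll")

def build_sample(path=b"E:\\sample.dll", drive_type=2, unicode=True):
    """Constructed test input: a minimal .lnk with LinkInfo and a RELATIVE_PATH string."""
    flags = HAS_LINK_INFO | 0x08 | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", 0x4C, LINK_CLSID, flags).ljust(0x4C, b"\0")
    vol = struct.pack("<4I", 0x11, drive_type, 0, 0x10) + b"\0"   # VolumeID, empty label
    base_off = 0x1C + len(vol)
    suffix_off = base_off + len(path) + 1
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, 0x01, 0x1C, base_off, 0, suffix_off)
    link_info += vol + path + b"\0" + b"\0"      # VolumeID, LocalBasePath, CommonPathSuffix
    rel = ".\\sample.dll"                        # StringData: CountCharacters then chars
    return (header + link_info + struct.pack("<H", len(rel))
            + rel.encode("utf-16-le" if unicode else "latin-1") + b"\0\0\0\0")
```

Drive type 2 is DRIVE_REMOVABLE, so the parsed `drive_type` lets a triage script separate shortcuts pointing at a flash drive root from ordinary fixed-disk shortcuts.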
From: Bullwinkle on 22 Jul 2010 06:31

You are still a thief, dope head and liar.

"Dustin" <bughunter.dustin(a)gmail.com> wrote in message news:Xns9DBCC35C07C34HHI2948AJD832(a)69.16.185.247...
"Bullwinkle" <BDTJ(a)loa.mo> wrote in news:4c472e68(a)news.x-privat.org:

<snip>

top posting fuckwit.

--
"I like your Christ. I don't like your Christians. They are so unlike your Christ." - author unknown.
From: Bullwinkle on 22 Jul 2010 06:32

As one of bd's errand boys you would probably tell him.

cookie thinks you are a top posting fuckwit.

"FromTheRafters" <erratic(a)nomail.afraid.org> wrote in message news:i27e81$3jg$1(a)news.eternal-september.org...
Then how would *he* know?

"Bullwinkle" <BDTJ(a)loa.mo> wrote in message news:4c472e68(a)news.x-privat.org...
> Surely your other buddy on PMSNBC (Chris Leg Tingle Mathews)
> would make a breaking news announcement.
>
> Nice that those of you in the inner circle stick together.
>
> Cookie needs all the help you and davey can muster.
>
>
> "FromTheRafters" <erratic(a)nomail.afraid.org> wrote in message
> news:i26pu9$uf4$1(a)news.eternal-september.org...
> "Bullwinkle" <BDTJ(a)loa.mo> wrote in message
> news:4c46e075$1(a)news.x-privat.org...
>
> [...]
>
>> Looks like you lied about reporting davey boy!
>
> How would you (or anyone) know?
>
> What outwardly obvious event were you expecting? FOX breaking news? An
> article on The Register? Snopes?
>
>
From: Ant on 22 Jul 2010 10:44

"FromTheRafters" wrote:
> "Ant" wrote:
>> The bug has been around for so long that I'm surprised it hasn't been
>> exploited earlier. Reminds me of the WMF vulnerability but worse.
>
> ...or this:
>
> http://en.wikipedia.org/wiki/Format_string_attack
>
> Sometimes, the blackhats can keep a secret for an extended period.

An old problem, indeed, but not at all similar. It's not an auto-execute thing. Any program written in C or other languages using printf-like functions with a variable number of arguments and accepting unchecked input is a risk. That's just very bad programming; really, a newbie mistake.