From: Virus Guy on
http://www.microsoft.com/technet/security/advisory/2286198.mspx
http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17&pageNumber=1

Example POC code:

http://www.exploit-db.com/exploits/14403/

I downloaded "suckme.rar" and renamed "suckme.lnk_" to "suckme.lnk" on
my Windows 98 system. The icon turned into a shortcut, but nothing else
happened.

What should happen on a vulnerable system with this POC?

--------------
Computerworld - Microsoft on Friday warned that attackers are exploiting
a critical unpatched Windows vulnerability using infected USB flash
drives.

The bug admission is the first that affects Windows XP Service Pack 2
(SP2) since Microsoft retired the edition from support, researchers
said. When Microsoft does fix the flaw, it will not be providing a patch
for machines still running XP SP2.

In a security advisory, Microsoft confirmed what other researchers had
been saying for almost a month: Hackers have been exploiting a bug in
Windows "shortcut" files, the placeholders typically dropped on the
desktop or into the Start menu to represent links to actual files or
programs.

According to Microsoft, Windows fails to correctly parse shortcut files,
identified by the ".lnk" extension. The flaw has been exploited most
frequently using USB flash drives. By crafting a malicious .lnk file,
hackers can hijack a Windows PC with little user interaction: All that's
necessary is that the user views the contents of the USB drive with a
file manager like Windows Explorer.
--------------
From: Geoff on
On Sun, 18 Jul 2010 09:55:45 -0400, Virus Guy <Virus(a)Guy.com> wrote:

>http://www.microsoft.com/technet/security/advisory/2286198.mspx
>http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17&pageNumber=1
>
>Example POC code:
>
>http://www.exploit-db.com/exploits/14403/
>
>I downloaded "suckme.rar" and renamed "suckme.lnk_" to "suckme.lnk" on
>my Windows 98 system. The icon turned into a shortcut, but nothing else
>happened.
>
>What should happen on a vulnerable system with this POC?
>

You didn't follow the directions given with the exploit POC.

What does the POC author claim will happen?
Is it really a POC or a Trojan?
What does the dll.dll do?
Did you disassemble the dll?
Did the author provide source for the DLL?
Is it benign or actually malicious?
Why do you think a Win98 system would not be vulnerable?
Do you have KD installed on your test system?

If you cannot answer these questions correctly I suggest you leave it
alone.
From: FromTheRafters on
"Virus Guy" <Virus(a)Guy.com> wrote in message
news:4C4307E1.1DDE0F63(a)Guy.com...
> http://www.microsoft.com/technet/security/advisory/2286198.mspx
> http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17&pageNumber=1
>
> Example POC code:
>
> http://www.exploit-db.com/exploits/14403/
>
> I downloaded "suckme.rar" and renamed "suckme.lnk_" to "suckme.lnk" on
> my Windows 98 system. The icon turned into a shortcut, but nothing else
> happened.
>
> What should happen on a vulnerable system with this POC?

I don't know what specific output event the POC uses, but I think it
wouldn't work on 9x systems anyway as it is specifically targeting NT
default shells.


From: Dustin on
Geoff <geoff(a)invalid.invalid> wrote in
news:1gg646hr9lv7tdv1b3vhvou75nfou9o7l8(a)4ax.com:

> On Sun, 18 Jul 2010 09:55:45 -0400, Virus Guy <Virus(a)Guy.com> wrote:
>
>>http://www.microsoft.com/technet/security/advisory/2286198.mspx
>>http://www.computerworld.com/s/article/9179299/Microsoft_confirms_nasty_Windows_zero_day_bug?taxonomyId=17&pageNumber=1
>>
>>Example POC code:
>>
>>http://www.exploit-db.com/exploits/14403/
>>
>>I downloaded "suckme.rar" and renamed "suckme.lnk_" to "suckme.lnk"
>>on my Windows 98 system. The icon turned into a shortcut, but
>>nothing else happened.
>>
>>What should happen on a vulnerable system with this POC?
>>
>
> You didn't follow the directions given with the exploit POC.
>
> What does the POC author claim will happen?
> Is it really a POC or a Trojan?
> What does the dll.dll do?
> Did you disassemble the dll?
> Did the author provide source for the DLL?
> Is it benign or actually malicious?
> Why do you think a Win98 system would not be vulnerable?
> Do you have KD installed on your test system?
>
> If you cannot answer these questions correctly I suggest you leave
> it alone.
>

Hehe.. Virus Guy isn't a coder... So.. he's just waiting to get himself
in trouble I guess.


--
There's no worse feeling than that millisecond you're sure you
are going to die after leaning your chair back a little too far.
From: Ant on
"Virus Guy" wrote:

> http://www.exploit-db.com/exploits/14403/
>
> I downloaded "suckme.rar" and renamed "suckme.lnk_" to "suckme.lnk" on
> my Windows 98 system. The icon turned into a shortcut, but nothing else
> happened.
>
> What should happen on a vulnerable system with this POC?

OutputDebugStringA("SUCKM3 FROM EXPLORER.EXE MOTH4FUCKA #@!");

In other words, nothing. Debug messages are useful in a debugger but
are ignored when an executable containing them is run normally.

In any case, the DLL won't be able to load on a Win9x system because
of these flags in the PE header:

MajorOSVersion = 5
MajorSubsystemVersion = 5

That means the lowest Windows version allowed is 5 (Win2k).
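
[Added example, not part of Ant's post and not code from the PoC: a small triage script that reads the two PE optional-header fields quoted above and applies the version rule the post describes. The sample image is a constructed header-only stub, and the names pe_version_fields, build_sample and loads_on are hypothetical.]

```python
import struct

def pe_version_fields(data: bytes) -> dict:
    """Read MajorOperatingSystemVersion / MajorSubsystemVersion from a PE image."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of "PE\0\0"
    opt = e_lfanew + 4 + 20          # skip signature and 20-byte COFF header
    if opt + 52 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing or truncated PE header")
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B):  # PE32 / PE32+
        raise ValueError("unknown optional header magic")
    # Optional-header offsets 40..51 are the same in PE32 and PE32+:
    # OS major/minor, image major/minor, subsystem major/minor.
    os_maj, os_min, _, _, ss_maj, ss_min = struct.unpack_from("<6H", data, opt + 40)
    return {"os_major": os_maj, "os_minor": os_min,
            "subsystem_major": ss_maj, "subsystem_minor": ss_min}

def loads_on(fields: dict, host_major: int) -> bool:
    """Rule as stated in the post: the host's major version must be at
    least the major versions declared in the header."""
    return host_major >= max(fields["os_major"], fields["subsystem_major"])

def build_sample(os_major: int, ss_major: int) -> bytes:
    """Constructed header-only PE32 stub for testing (not the PoC DLL)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    # Machine=i386, no sections, SizeOfOptionalHeader=0xE0, DLL characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 40, os_major)
    struct.pack_into("<H", opt, 48, ss_major)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    fields = pe_version_fields(build_sample(5, 5))
    print(fields)
    # Windows 98 reports major version 4, Windows 2000 reports 5.
    print("Win98:", loads_on(fields, 4), "Win2k:", loads_on(fields, 5))
```

[To check a real file, pass its bytes to pe_version_fields, for example the result of open(path, "rb").read().]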

