Sunday, July 25, 2010

Microsoft Shortcut LNK Autoexecution Vulnerability

This is a new USB infection vector that uses the LNK (shortcut) vulnerability on ALL Windows platforms.

The interesting thing about this vulnerability is that you no longer need AutoPlay enabled, but the specified program still runs ;) See the demo below.

Before we proceed, let's look at the LNK file format, which is the culprit:


Starting from the GREEN region, that is the SHELL_ITEM_LIST, which is documented in MSDN. The file location is defined after the SHITEMID structure. Notice the shell CLSIDs for My Computer and Control Panel in the GREEN region:

My Computer: {20d04fe0-3aea-1069-a2d8-08002b30309d}
Control Panel: {21ec2020-3aea-1069-a2dd-08002b30309d}

These shell items are handled by shell32.dll, which is what causes the autoexecution. For more technical information on how the autoexecution happens, there is a nice debug screenshot from ivanlef0u, who was the first person to post this exploit publicly ;) Check this out: http://www.exploit-db.com/exploits/14403/
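As an added example (not part of the original post, nor ivanlef0u's code), here is a small Python parser for the two structures discussed above: the ShellLinkHeader and the LinkTargetIDList made up of SHITEMID entries. It walks the ID list, extracts the CLSID of any root-folder item (type 0x1F) and flags shortcuts whose ID list references the Control Panel CLSID, which is the defender-side check scanners used for this bug. The layout follows the public MS-SHLLINK specification; the `build_lnk` helper and the two sample shortcuts are constructed here for the test and are not real files from the post.

```python
import struct
import uuid

# ShellLinkHeader constants (MS-SHLLINK).
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HAS_LINK_TARGET_ID_LIST = 0x00000001   # LinkFlags bit 0

# Shell folder CLSIDs quoted in the post.
CLSID_MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CLSID_CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")

ROOT_FOLDER_ITEM_TYPE = 0x1F   # root-folder shell item: type, sort index, CLSID


def parse_lnk(data: bytes) -> dict:
    """Parse the ShellLinkHeader and LinkTargetIDList of a .lnk file.

    Returns the LinkFlags and the raw data of every ItemID (SHITEMID.abID),
    and raises ValueError on anything that is not a well-formed shell link.
    """
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != LNK_HEADER_SIZE:
        raise ValueError("bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("LinkCLSID is not the shell link CLSID")
    link_flags, = struct.unpack_from("<I", data, 20)

    items = []
    offset = LNK_HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        id_list_size, = struct.unpack_from("<H", data, offset)
        offset += 2
        end = offset + id_list_size
        if end > len(data):
            raise ValueError("IDListSize runs past end of file")
        while offset < end:
            item_size, = struct.unpack_from("<H", data, offset)
            if item_size == 0:          # TerminalID closes the list
                offset += 2
                break
            if item_size < 2 or offset + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[offset + 2:offset + item_size])
            offset += item_size
    return {"link_flags": link_flags, "items": items}


def item_clsid(item: bytes):
    """Return the CLSID of a root-folder shell item (type 0x1F), else None."""
    if len(item) >= 18 and item[0] == ROOT_FOLDER_ITEM_TYPE:
        return uuid.UUID(bytes_le=item[2:18])
    return None


def references_control_panel(data: bytes) -> bool:
    """Coarse detection: does the target ID list point into the Control Panel namespace?"""
    parsed = parse_lnk(data)
    return any(item_clsid(i) == CLSID_CONTROL_PANEL for i in parsed["items"])


# --- constructed sample data (not real files from the post) -----------------

def root_item(clsid: uuid.UUID, sort_index: int = 0x50) -> bytes:
    """Build the abID of a root-folder shell item for the given CLSID."""
    return bytes([ROOT_FOLDER_ITEM_TYPE, sort_index]) + clsid.bytes_le


def build_lnk(items) -> bytes:
    """Build a minimal .lnk consisting of a header plus a LinkTargetIDList."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))   # remaining fields zero
    body = b"".join(struct.pack("<H", len(i) + 2) + i for i in items) + b"\x00\x00"
    return header + struct.pack("<H", len(body)) + body


BENIGN_LNK = build_lnk([root_item(CLSID_MY_COMPUTER)])
SUSPECT_LNK = build_lnk([root_item(CLSID_CONTROL_PANEL)])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspect", SUSPECT_LNK)):
        print(name, "control panel item:", references_control_panel(blob))
```

The check is deliberately coarse: a legitimate shortcut to the Control Panel matches as well, so in practice it is a triage signal for shortcuts found on removable media rather than a verdict on its own, and the size checks on IDListSize and each ItemID matter because a scanner that trusts those fields is itself exposed to crafted input.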

Microsoft's workaround for this 0-day vulnerability: http://support.microsoft.com/kb/2286198

Demo Video

This demo is a simple one and is mostly based on ivanlef0u's, with some minor modifications. The DLL is simple enough that I include the source code in the attachment section. Have fun :)


Attachment

Executable files: Bin
Simple DLL & LNK file: Src


Reference

[1] http://www.microsoft.com/technet/security/advisory/2286198.mspx -- Microsoft Advisory CVE-2010-2568

[2] http://www.stdlib.com/art6-Shortcut-File-Format-lnk.html -- Shortcut LNK File Format

[3] http://msdn.microsoft.com/en-us/library/bb759800%28VS.85%29.aspx -- SHITEMID Structure

[4] http://www.symantec.com/connect/blogs/w32stuxnet-installation-details -- Symantec Stuxnet Technical Info - Part I

[5] http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components -- Symantec Stuxnet Technical Info - Part II

[6] http://www.f-secure.com/v-descs/trojan-dropper_w32_stuxnet.shtml -- F-Secure Stuxnet Description

Signing off @x9090