Sunday, July 25, 2010

Microsoft Shortcut LNK Autoexecution Vulnerability

Microsoft Shortcut LNK Autoexecution Vulnerability

This is a new USB infection vector using LNK (shortuct) vulnerability on ALL Windows platform.

The interesting thing of this vulnearbility is that you no longer need AutoPlay enabled but you still can run the specified program ;) See the demo below.

Before we proceed, lets see the LNK file format which is the culprit:


Starting from the GREEN region, that is SHELL_ITEM_LIST which is documented in MSDN. The file location is defined after SHITEMID structure.Notice that the shell CLSID for My Computer & Control Panel in GREEN region:

My Computer: {20d04fe0-3aea-1069-a2d8-08002b30309d}
Control Panel: {21ec2o2o-3aea-1o69-a2dd-08002b30309d}

These shells are defined so that it will be handled by shell32.dll which is the caused of autoexecution. For more technical information on how autoexecution happened, there is a nice debug screenshot from ivanlef0u who is the first person posted this exploit publicly ;) Check this out: http://www.exploit-db.com/exploits/14403/

Microsoft's workaround on this 0-day vulnearbility: http://support.microsoft.com/kb/2286198

Demo Video

This demo is a simple one and mostly based on ivanlef0u's one with some minor modification. The dll is simple enough which I include the source code in the attachment section. Have fun :)


Attachment

Executable files: Bin
Simple DLL & LNK file: Src


Reference

[1] http://www.microsoft.com/technet/security/advisory/2286198.mspx -- Microsoft Advisory CVE-2010-2568

[2] http://www.stdlib.com/art6-Shortcut-File-Format-lnk.html -- Shorcut LNK File Format

[3] http://msdn.microsoft.com/en-us/library/bb759800%28VS.85%29.aspx -- SHITEMID Structure

[4] http://www.symantec.com/connect/blogs/w32stuxnet-installation-details -- Symantec Stuxnet Technical Info - Part I
 
[5] http://www.symantec.com/connect/blogs/distilling-w32stuxnet-components -- Symantec Stuxnet Technical Info - Part II 

[6] http://www.f-secure.com/v-descs/trojan-dropper_w32_stuxnet.shtml -- F-Secure Stuxnet Description

Signing off @x9090

4 comments:

Anonymous said...

Hi,
This is a nice project and example. Question, how do you compile your sample code? thank you!

x9090 said...

Hey,

Thanks for the comment.

I would rather answer your question here together with the one you sent to my email so that other would see how to do that.

> To compile the source code
This is simple, you only need any c/c++ compiler. I used Visual Studio 2008 but you can use the free one like MinGW, Dev-C++ and etc

> To rename dll to something
> else.. will i have to change
> anything in the LNK file
Yes, you need to customize the LNK file in this case either from the sample LNK file that I provided or you can create your own. There are complete documentation about LNK file format beside the one I provided.

Good luck!

Signing off
@x9090

Luke said...

I am having an issue compiling your code. I have Microsoft Visual C++ 2010 and it wont let me open your project. When I try to copy and paste your code over it doesnt work. Am I missing something?

x9090 said...

Hi Luke,

It would be helpful if you could show me the error message you got.

Signing off
@x9090