[German]US-CERT issued a warning: Microsoft Windows automatically executes code specified in shortcut (LNK) files. This allows attackers to execute malware during viewing a lnk file. A public exploit is available.
It’s Windows again, that has a non fixed vulnerability. US-CERT issued this within its Vulnerability Note VU#824672. Microsoft Windows supports the use of shortcut or LNK files. A LNK file is a reference to a local file. Clicking on a LNK or file has essentially the same outcome as clicking on the file that is specified as the shortcut target. Ok, this is the intention of a shortcut file.
Viewing a shortcut file executes code
But there is a caveat, as CERT pointed out:
Microsoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing dynamic icon functionality. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of a shortcut file, an attacker can specify a malicious DLL that is to be processed within the context of the Windows Control Panel, which will result in arbitrary code execution. The specified code may reside on a USB drive, local or remote filesystem, a CD-ROM, or other locations.
Viewing the location of a shortcut file with Windows Explorer (or other application, that display file icons) is sufficient to trigger the vulnerability.
The origin of this vulnerability is outlined in VU#940193 (CVE-2010-2568). The fix for CVE-2010-2568 and the subsequent fix for CVE-2016-0096 are both insufficient in that they not take into account LNK files that use the SpecialFolderDataBlock or KnownFolderDataBlock attributes to specify the location of a folder. Such files are able to bypass the whitelisting first implemented in the fix for CVE-2010-2568.
By convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device. Exploit code for this vulnerability is publicly available.
Fix or Workaround to overcome this issue
CERT recommends to apply an update, this issue is addressed in the Microsoft Update for CVE-2017-8464. After applying the update, block connections from Internet to shares.
- Block outgoing SMB traffic: CERT recommends to block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. This helps to prevent machines on the local network from connecting to SMB servers on the internet. This does not remove the vulnerability, but it blocks an attack vector for this and other vulnerabilities.
- Disable WebDAV: A second recommendation is to block connects to network shares using the WebDAV protocol over HTTP.
WebDAV can be disabled at various layers, depending on the requirements of your organization:
- At the client: To disable WebDAV on a Windows client, set the Startup type property for the WebClient service to Disabled. Note that this may interfere with the ability to access features that utilize WebDAV, such as some aspects of Microsoft SharePoint.
- On the network: WebDAV can be blocked at the network level by blocking the methods used by the WebDAV extension to HTTP.
The latter method is discussed within Blocking WebDAV methods for example. Check with your firewall vendor for more details.
Cookies helps to fund this blog: Cookie settings