ssj100 Security Forums

Vulnerability in Windows Shell Could Allow Remote Code Execution


Page 3 of 5

Re: Vulnerability in Windows Shell Could Allow Remote Code Execution

Post by ssj100 25/7/2010, 12:16

aigle wrote: Hi ssj100! Nice testing indeed. Can you test Threatfire too? Thanks.

Welcome aigle - nice to see you here. Hope you're enjoying Linux. Windows with all its flaws and vulnerabilities is more interesting though right haha.

I actually thought about testing Threatfire but decided not to - I felt no one used it anymore. But since you asked, I'll give it a go at some point.

Zero_One wrote: Would be nice to see some of the more mainstream AV products tested too.

I don't think any of them would block this POC, as it's just a POC and there's nothing to black-list. Kaspersky may be the only exception though, as it has some sort of HIPS component. From memory, Private Firewall does as well, although I remember I wasn't too impressed with it when I tried it last year.

The problem with testing e.g. Kaspersky Internet Security Suite is that it's often not easy to find a valid trial for it etc. If someone can link me to a valid trial of the relevant program, I'd be happy to test it against this POC.

Post by aigle 26/7/2010, 06:36

Zero_One wrote:
I have a reconfigured DLL that pops up a message box instead of sending debug messages, makes it easier to test if anyone is interested (it's harmless of course).

Please send it to me as well. Thanks. I sent you a PM too.

Post by aigle 26/7/2010, 06:37

ssj100 wrote:
aigle wrote: Hi ssj100! Nice testing indeed. Can you test Threatfire too? Thanks.

Welcome aigle - nice to see you here. Hope you're enjoying Linux. Windows with all its flaws and vulnerabilities is more interesting though right haha.

Thanks. Yes, I am using Ubuntu mainly but Windows is a lot of fun.

Post by ssj100 26/7/2010, 07:00

Hey aigle, it seems Threatfire has integrated with Spyware Doctor with Antivirus? I think I'll just test that entire suite:
http://www.threatfire.com/download/

EDIT: the Trial version of the entire suite doesn't appear to have all features available. Anyway, for those wanting to know, the Trial version of Spyware Doctor with Antivirus doesn't do anything against this POC.

Post by aigle 26/7/2010, 09:19

Threatfire free version is without antivirus.

Post by ssj100 26/7/2010, 09:22

Tested the free version and maxed out the settings - completely bypassed. Not surprising really, given I doubt it analyses and blocks every executable (or DLL) file.

Post by aigle 27/7/2010, 06:59

Thanks. Sad to see that products claiming zero-day protection fail miserably whenever a REAL zero-day exploit appears in the wild.

Post by arran 27/7/2010, 10:44

I'm not surprised either that Threatfire failed. Behavior blockers such as Threatfire only block certain behaviors that their vendor thinks should be blocked. This is why I don't believe in behavior blockers, whereas with a HIPS you can configure it to block almost anything.

Post by burebista 27/7/2010, 13:54

ssj, can you test this tool to see if it's effective against the LNK exploit?
Thanks.

Post by ssj100 27/7/2010, 16:04

burebista wrote: ssj, can you test this tool to see if it's effective against the LNK exploit?
Thanks.

Doesn't seem to do anything against the POC. Bypassed on both accounts. Would be good if Sophos could explain this.

Post by burebista 27/7/2010, 16:07

Strange, I have a guy in our forums who told me that it blocks Stuxnet. :(

Post by ssj100 27/7/2010, 16:29

G Data has also released its own specific protection mechanism:

http://www.gdatasoftware.co.uk/about-g-data/press-centre/news/news-details/article/1723-g-data-fights-back-windows-sec.html

Here are the results:

G Data LNK Checker:
A: BLOCKED
B: BYPASSED

To be fair, G Data writes:
"A double-click on a file that is marked as dangerous still lies in the user’s responsibility"

And here's some information as you install the program:
[image]

This indeed is true with the POC exploit as shown:
[image]

Here are the results for the Sophos tool:

Sophos Windows Shortcut Exploit Protection Tool 1.0:
A: BYPASSED
B: BYPASSED

As I wrote before, the POC exploit appears to go right through it.


Last edited by ssj100 on 27/7/2010, 17:25; edited 1 time in total

Post by Sadeghi85 27/7/2010, 16:35

ssj100 wrote:
burebista wrote: ssj, can you test this tool to see if it's effective against the LNK exploit?
Thanks.

Doesn't seem to do anything against the POC. Bypassed on both accounts. Would be good if Sophos could explain this.

[image: Sophos-lnkq4yl]


Post by ssj100 27/7/2010, 16:38

Sadeghi85 wrote:
ssj100 wrote:
burebista wrote: ssj, can you test this tool to see if it's effective against the LNK exploit?
Thanks.

Doesn't seem to do anything against the POC. Bypassed on both accounts. Would be good if Sophos could explain this.

[image: Sophos-lnkq4yl]

Is that your own test, and did you test it on Windows XP?

Post by Sadeghi85 27/7/2010, 16:40

7 32bit

Prevents both methods.


Post by ssj100 27/7/2010, 16:42

Sadeghi85 wrote: 7 32bit

Prevents both methods.

Thanks for the information. However, this thread (mainly) discusses the exploit on Windows XP. I tested the Sophos program on a freshly installed Windows XP, SP3, 32-bit. It appeared to fail miserably.

Post by Sadeghi85 27/7/2010, 16:55

More tests show it doesn't protect hard disk drives.


ssj100 wrote:
Thanks for the information. However, this thread (mainly) discusses the exploit on Windows XP.

Why? Almost all Windows versions are affected by this.


Last edited by Sadeghi85 on 27/7/2010, 16:57; edited 1 time in total


Post by burebista 27/7/2010, 16:56

ssj100 wrote: It appeared to fail miserably.

Yep, here too. :(
But a nice surprise from CIS. :D

[image]

Post by ssj100 27/7/2010, 17:08

Sadeghi85 wrote: Why? Almost all Windows versions are affected by this.

Sorry I must have given the wrong message. I guess I was just saying that I forgot to re-specify the Windows version I tested it with (hence why we appeared to get conflicting results). From now on, it might be a good idea to do that, to avoid confusion. Cheers mate.

Post by ssj100 27/7/2010, 17:09

burebista wrote:
ssj100 wrote: It appeared to fail miserably.
Yep, here too. :(

That's with Windows XP right?

Post by Sadeghi85 27/7/2010, 17:16

Can you test it with a flash stick SSJ?

Open suckme.lnk_ with notepad++, change c: to the drive letter assigned to the stick, copy both files to it.


Post by ssj100 27/7/2010, 17:19

Sadeghi85 wrote: Can you test it with a flash stick SSJ?

Open suckme.lnk_ with notepad++, change c: to the drive letter assigned to the stick, copy both files to it.

That might have to wait - my default VMs all have USB disabled (since I never use them in VMs).

Post by burebista 27/7/2010, 17:21

ssj100 wrote: That's with Windows XP right?

Yep, XP x32 SP3 all updates. It's my machine at work, I'm bored now so I'm doing some tests. :D

Post by ssj100 27/7/2010, 17:22

burebista wrote:
ssj100 wrote: That's with Windows XP right?
Yep, XP x32 SP3 all updates. It's my machine at work, I'm bored now so I'm doing some tests. :D

Join the club haha.

Post by Ruhe 27/7/2010, 21:31
