ssj100 Security Forums

Vulnerability in Windows Shell Could Allow Remote Code Execution


Page 4 of 5


Re: Vulnerability in Windows Shell Could Allow Remote Code Execution

Post by ssj100 28/7/2010, 02:26

Just thought I'd share some (dodgy?) marketing tactics by Prevx in relation to this exploit:
http://www.prevx.com/blog/152/Isolated-first-worm-using-LNK-vulnerability.html

I posted in the comments section as shown:
[screenshot of the comment]

On scrolling down further, no reply has been issued to my question from "Marco Giuliani" (aka "EraserHW"). In fact, for the average person, on following the dialogue, it can be easily interpreted that Prevx does block all variants of this malware "heuristically" on day zero (which would make it a miracle behaviour blocker).

However, as EraserHW admits here, this is not true:
http://www.wilderssecurity.com/showpost.php?p=1718559&postcount=197

...heuristically try to detect the malicious file (i.e. the linked file is loaded from removable device and/or network), but this will leave some vulnerability if the LNK is located on hard drive

He then goes on to post about how he's developed his own tool to help mitigate this exploit. Anyway, I guess we might be seeing a third tool in no time (following the ones from Sophos, G Data).
ssj100, Administrator. Posts : 1390. Join date : 2010-04-14. https://ssj100.forumotion.com


Post by languy99 28/7/2010, 02:29

I think the ultimate fix will come from Microsoft; I think they are having problems coming up with a fix that will work and not break Windows at the same time.
languy99, Valued Member. Posts : 54. Join date : 2010-07-20.


Post by DarthTrader 28/7/2010, 04:29


DarthTrader, Member. Posts : 21. Join date : 2010-07-28.


Post by ssj100 28/7/2010, 05:14

DarthTrader wrote: How about this tool:
http://code.google.com/p/linkiconshim/

A: BLOCKED
B: BYPASSED
Same result (and concept) as the G Data LNK Checker. Here's a screenshot of the "warning" icon:
[screenshot of the warning icon]
I must say, the icon picture has got better resolution than the G Data one, haha.


Post by fsr 29/7/2010, 19:23

Maybe you are also interested in this Erik Loman post:

For those who have not yet noticed, Windows currently suffers from a major Windows Shell vulnerability which affects all Windows versions (including 64-bit).

Already 5 different malware families (Stuxnet, Chymine, Vobfus, Sality and Zeus) are exploiting the vulnerability.

The vulnerability is in the handling of loading icons from Windows shortcuts. Special shortcuts specify that their icon is located in a separate DLL. The vulnerability in the Windows Shell (shell32.dll) loads this DLL with EXECUTE rights, resulting in (potentially malicious) code being run when the icon of the shortcut is evaluated.

The SurfRight LNK Exploit Protection Shell Extension prevents these DLLs from being loaded with EXECUTE permissions. Instead it loads the DLL with only READ permissions. The result is that the icon is still loaded but the exploit is not triggered.

Solutions from other vendors either work on non-local disks only or block some legitimate shortcuts (like shortcuts to VPN connections). Our solution doesn't suffer from those drawbacks.

In 2006, Hitman Pro version 2 offered WMF-exploit protection before Microsoft released its patch.

Again, due to the scale of the vulnerability and until Microsoft offers a proper patch, Hitman Pro 3.5.6 build 108 (or newer) offers the user to install the LNK Exploit Protection Shell Extension.

We have made a video to illustrate the protection:
https://www.youtube.com/watch?v=1gbJ1m2ac1E

A beta (32-bit only) can be downloaded from here: http://dl.surfright.nl/HitmanPro35beta.exe

Please let me know what you think and if you find any issues.

http://www.wilderssecurity.com/showpost.php?p=1719630&postcount=1928

fsr, New Member. Posts : 5. Join date : 2010-07-29.
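The Erik Loman post quoted above describes the vulnerable shape of a shortcut (an ID list that walks into the Control Panel and names a DLL, which shell32.dll then loads to render the icon). As an added defender-side example, not code from SurfRight, Avira or anyone in this thread, the script below parses a shortcut's ShellLinkHeader and LinkTargetIDList and flags files of that shape, the way a heuristic .lnk detection would. The two CLSIDs are real Windows constants; the sample shortcuts are constructed in-code with a simplified shell item layout and are not exploits.

```python
import re
import struct
import uuid

# Control Panel folder CLSID (a well-known Windows constant), byte-ordered as
# shell items store it; LinkFlags bit 0 of the header = HasLinkTargetIDList.
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x1

def parse_id_list(lnk: bytes) -> list:
    """Return the data of each ItemID in the LinkTargetIDList ([] if absent)."""
    if len(lnk) < 0x4C or struct.unpack_from("<I", lnk, 0)[0] != 0x4C:
        raise ValueError("not a ShellLink: bad HeaderSize")
    if not struct.unpack_from("<I", lnk, 0x14)[0] & HAS_LINK_TARGET_ID_LIST:
        return []
    pos, items = 0x4E, []                  # IDList starts after the 2-byte size
    end = pos + struct.unpack_from("<H", lnk, 0x4C)[0]
    while pos + 2 <= end:
        size = struct.unpack_from("<H", lnk, pos)[0]
        if size < 2 or pos + size > end:   # TerminalID (0) or malformed item
            break
        items.append(lnk[pos + 2:pos + size])
        pos += size
    return items

def classify_lnk(lnk: bytes) -> dict:
    """Flag shortcuts whose ID list enters the Control Panel and names a .dll."""
    items = parse_id_list(lnk)
    in_cpl = any(CONTROL_PANEL_CLSID in item for item in items)
    # printable UTF-16LE runs of 4+ chars, matched at any byte alignment
    dlls = [m.decode("utf-16-le") for item in items
            for m in re.findall(rb"(?:[\x20-\x7e]\x00){4,}", item)
            if m.decode("utf-16-le").lower().endswith(".dll")]
    return {"control_panel": in_cpl, "dll_refs": dlls,
            "suspicious": in_cpl and bool(dlls)}

def build_sample_lnk(dll_path=None) -> bytes:
    """CONSTRUCTED test input, not a real exploit: a minimal ShellLink whose ID
    list (when dll_path is given) is Control Panel folder -> item naming a DLL."""
    flags = HAS_LINK_TARGET_ID_LIST if dll_path else 0
    header = (struct.pack("<I", 0x4C)
              + uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
              + struct.pack("<I", flags) + b"\0" * (0x4C - 24))
    if not dll_path:
        return header                      # plain shortcut, no ID list
    item = lambda d: struct.pack("<H", len(d) + 2) + d
    id_list = (item(b"\x1f\x50" + CONTROL_PANEL_CLSID)
               + item(b"\0\0" + dll_path.encode("utf-16-le")) + b"\0\0")
    return header + struct.pack("<H", len(id_list)) + id_list
```

Legitimate Control Panel shortcuts also carry the folder CLSID, so the DLL-name condition is what keeps the rule from firing on every .cpl shortcut; a production detection would additionally whitelist DLL paths under the system directory.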


Post by ssj100 30/7/2010, 05:15

Not sure what to make of the Hitman Pro exploit protection tool against this POC:

A: BLOCKED?
[screenshot of the debugger output]
B: BYPASSED
I'd assume that given the debugger failed to display what the DLL intended, this would be a block for Test A (although what is displayed is intriguing). However, like all previous protection tools, it fails Test B.


Post by ssj100 30/7/2010, 11:27

Oh, and "CloneRanger" (I'm pretty sure you read this thread, as I see you directly and indirectly referencing it from time to time on Wilders), I'm going to reply here from now on, instead of Didier Stevens' blog - comments don't seem to be going through anymore:
http://blog.didierstevens.com/2010/07/18/mitigating-lnk-exploitation-with-ariad/

You write:
@ssj100

I see why you're hung up over the rundll32.exe thingy !

I'm more concerned that UNLESS dll.dll is FIRST copied to C:\ NEITHER A or B test exploit works.

My reply was along the lines of:
This is true for the POC, but you wouldn't need to FIRST copy anything on to a USB device. If you plugged in an infected USB device that already had the infection (that is, already had something like "dll.dll" on it), simply browsing the USB contents would potentially destroy your computer. And blocking "rundll32.exe" would do absolutely nothing.

Regardless, the equivalent of "dll.dll" can potentially be downloaded and written fairly easily into C:\ (or wherever) by a malicious process.

You also wrote the following at one stage:
The best way I've found to stop this dead is to have run32.dll set to prompt

This is not the best way at all, and in fact does absolutely nothing against the original exploit method (Test A).


Post by fsr 30/7/2010, 17:22

Thank you for your time, dunno about Hitman Pro but the POC seems accurate. Hope they fix this soon, this is quite confusing.

[diagram]

Avira released updated heuristics to detect malicious .lnk files. They are detected as EXP/CVE-2010-2568.A and EXP/CVE-2010-2568.B, respectively. Avira antimalware products thus protect from this threat without needing special virus definition file updates for every new .lnk-exploit.

http://techblog.avira.com/2010/07/20/apply-workaround-for-windows-zero-day-flaw/en/



Post by Sadeghi85 30/7/2010, 18:00

After installing Hitman Pro I get this if I double click the lnk file:
[screenshot of the Hitman Pro prompt]

Interesting...

Sadeghi85, Member. Posts : 66. Join date : 2010-07-22.


Post by Sadeghi85 30/7/2010, 18:49

The previous snapshot was taken in Standard account + SRP (Test B), this one is for the Admin account (Test A):

[screenshot of the Hitman Pro prompt, Admin account]



Post by Tranquility 31/7/2010, 00:15

The patch from Microsoft comes on Monday.

Tranquility, Member. Posts : 18. Join date : 2010-07-23.


Post by ssj100 31/7/2010, 05:55

Tranquility wrote: The patch from Microsoft comes on Monday.

Source? Sounds like good work from Microsoft anyway - releasing updates ahead of schedule, which is what we'd expect with this type of vulnerability.


Post by Tranquility 31/7/2010, 08:09




Post by ssj100 31/7/2010, 08:15


Thanks, that was what I was after.


Post by Ruhe 31/7/2010, 19:25

Ruhe, Valued Member. Posts : 261. Join date : 2010-04-16. Location : Germany.


Post by languy99 2/8/2010, 23:31

Patch is out right now, everyone should update.


Post by ssj100 4/8/2010, 12:25

Just a note that I couldn't find a way to configure Faronics Anti-Executable version 3 to block Test A of this exploit. This is bizarre, considering version 2 was easily configured to block it. Someone might want to tell Faronics about this, particularly if you're personally using version 3.


Post by DarthTrader 4/8/2010, 16:30

Warning from Siemens:
http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view

Product Information dated August 03, 2010:

Important note on the Microsoft Patch

The Microsoft Patch just prevents the trojan from being installed automatically on the system. If a user with admin rights (Microsoft Patch is installed) opens an infected LNK file by mouse click, the computer will be infected - if no virus scanner has been installed. In order to avoid such an infection it is strongly recommended that users only work with power user rights. Power users don't have the necessary rights to start code from another drive. Additional security is given by the use of an actual virus scanner.



Post by ssj100 4/8/2010, 16:38

Thanks DarthTrader. Presumably this is infection via "Method B":
https://ssj100.forumotion.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1303

B: "rundll32.exe" method (manually executing the shortcut)


Post by DarthTrader 4/8/2010, 16:50

I suppose so. Too bad I only have XP Home so no SRP. Power user looks like a good option.

I wonder if the old Comodo Memory Firewall would block this exploit?

DarthTrader


Post by ssj100 4/8/2010, 16:55

DarthTrader wrote: I suppose so. Too bad I only have XP Home so no SRP. Power user looks like a good option.

I wonder if the old Comodo Memory Firewall would block this exploit?

DarthTrader

There are numerous ways to block this exploit, even without patching. This is what this thread has been about too right mate? Check out the products that I've noticed specifically released new versions to address this exploit:
https://ssj100.forumotion.com/security-f7/lnk-vulnerability-poc-re-test-t206.htm#1435

I don't think Comodo Memory Firewall would do anything against this, as it's not a buffer overflow exploit. Furthermore, CIS has Comodo Memory Firewall built into it - CIS failed in default configuration.


Post by DarthTrader 4/8/2010, 17:05

ssj100 wrote: There are numerous ways to block this exploit, even without patching. This is what this thread has been about too right mate? Check out the products that I've noticed specifically released new versions to address this exploit:
https://ssj100.forumotion.com/security-f7/lnk-vulnerability-poc-re-test-t206.htm#1435
SRP is the most elegant and least expensive solution.

ssj100 wrote: I don't think Comodo Memory Firewall would do anything against this, as it's not a buffer overflow exploit. Furthermore, CIS has Comodo Memory Firewall built into it - CIS failed in default configuration.
Good point.
DarthTrader


Post by Sadeghi85 4/8/2010, 18:54

DarthTrader wrote: Too bad I only have XP Home so no SRP.

DarthTrader

I think you can have SRP via Sully's PGS.

Wilders thread: http://www.wilderssecurity.com/showthread.php?t=244265



Post by DarthTrader 4/8/2010, 19:21

Thank you, Sadeghi85, that looks interesting.
DarthTrader


Post by Guest 5/8/2010, 04:50

Is Windows 2000 vulnerable? I know that it is no longer supported but...?
