LNK vulnerability POC re-test
Original thread here:
https://ssj100.forumotion.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1303
I'm going to be posting results of updated security software against this POC vulnerability. In all cases that I am aware of so far, there has been specific re-programming for each software to combat this vulnerability. In other words, the software was unable to block it on day zero (in default configuration).
1. Blue Point Security 2010 1.0.35.99:
A: BLOCKED
B: BLOCKED
This time, Blue Point Security successfully blocks the exploit on both accounts.
2. DefenseWall 3.05:
A: BLOCKED
B: BLOCKED
This time, DefenseWall (appears to) successfully block the exploit on both accounts. However, I can't seem to find any evidence of what exactly is blocked when I go through DefenseWall's Events Log (which is a little strange). It also seems like DefenseWall doesn't actually block Test B in the same way other programs do - instead, DefenseWall appears to somehow prevent this specific LNK file from being able to run in the first place (or from being at all functional) - it doesn't appear to block the DLL file loading/running (in fact, I don't think the DLL file even gets a chance to load). I may do some testing later with Malware Defender to see what exactly DefenseWall is doing (of course, this might be fruitless, as Ilya may have implemented a kernel level change/block that Malware Defender will miss).
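The distinction drawn above (a product stopping the shortcut itself versus stopping the DLL the shortcut causes the shell to load) is easier to reason about when you can see what a given .lnk actually asks the shell for. The following is an added triage helper, not code from this thread or from any of the products it discusses: it parses the fixed ShellLinkHeader, skips the optional LinkTargetIDList and LinkInfo blocks, and decodes the StringData section as laid out in Microsoft's MS-SHLLINK specification, then reports shortcuts whose icon location or ID list refers to a .dll/.cpl file. The "suspicious suffix" rule is an assumption made for the example, not any vendor's detection logic, and the sample shortcut bytes are constructed inline so the script runs offline.

```python
"""Triage helper for Windows shortcut (.lnk) files (added example).

Layout follows MS-SHLLINK: a 76-byte ShellLinkHeader, an optional
LinkTargetIDList, an optional LinkInfo block, then StringData.  The
DLL/CPL heuristic and the sample files are constructed for this demo.
"""
import struct

HEADER_SIZE = 0x4C
# CLSID {00021401-0000-0000-C000-000000000046}, little-endian fields
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# Heuristic (assumption for this example): a shortcut whose icon or target
# resolves to a library rather than a document or executable deserves a look.
SUSPICIOUS_SUFFIXES = (".dll", ".cpl")


def parse_lnk(data: bytes) -> dict:
    """Return flags, raw ID list bytes and decoded StringData of a shortcut."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a shell link header")
    pos = HEADER_SIZE
    idlist = b""
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        idlist = data[pos + 2:pos + 2 + idlist_size]
        pos += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        (linkinfo_size,) = struct.unpack_from("<I", data, pos)
        pos += linkinfo_size  # LinkInfoSize counts itself
    strings = {}
    for name, bit in (("name", HAS_NAME), ("relative_path", HAS_RELATIVE_PATH),
                      ("working_dir", HAS_WORKING_DIR), ("arguments", HAS_ARGUMENTS),
                      ("icon_location", HAS_ICON_LOCATION)):
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, pos)  # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            # Real files use the system code page; latin-1 is a lossless stand-in.
            strings[name] = data[pos:pos + count].decode("latin-1")
            pos += count
    return {"flags": flags, "idlist": idlist, "strings": strings}


def idlist_mentions_library(idlist: bytes) -> bool:
    """Look for a DLL/CPL suffix inside the raw ID list, ANSI or UTF-16LE."""
    lowered = idlist.lower()  # lowercases ASCII bytes only, which is what we need
    return any(s.encode("ascii") in lowered or s.encode("utf-16-le") in lowered
               for s in SUSPICIOUS_SUFFIXES)


def triage(data: bytes) -> list:
    """Return a list of human-readable findings (empty list means nothing flagged)."""
    info = parse_lnk(data)
    findings = []
    icon = info["strings"].get("icon_location", "")
    if icon.lower().endswith(SUSPICIOUS_SUFFIXES):
        findings.append(f"icon resource loaded from library: {icon}")
    if idlist_mentions_library(info["idlist"]):
        findings.append("link target ID list references a DLL/CPL path")
    return findings


def build_lnk(idlist_payload: bytes, icon_location: str, unicode: bool = True) -> bytes:
    """Construct a minimal shortcut for testing (header + one ItemID + icon string)."""
    flags = HAS_LINK_TARGET_ID_LIST | HAS_ICON_LOCATION | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags)
    header += bytes(HEADER_SIZE - len(header))  # attributes, times, icon index: zeroed
    item = struct.pack("<H", 2 + len(idlist_payload)) + idlist_payload  # ItemIDSize incl. itself
    idlist = item + b"\x00\x00"  # TerminalID
    body = struct.pack("<H", len(idlist)) + idlist
    encoded = icon_location.encode("utf-16-le" if unicode else "latin-1")
    body += struct.pack("<H", len(icon_location)) + encoded
    return header + body


# Constructed samples: a shortcut to a text file, and one pointing at a library.
BENIGN = build_lnk(b"C:\\Tools\\notes.txt", r"C:\Windows\notepad.exe")
SUSPECT = build_lnk("C:\\Users\\Public\\loader.dll".encode("utf-16-le"),
                    r"C:\Users\Public\loader.dll")

if __name__ == "__main__":
    for label, blob in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(label, triage(blob) or ["no findings"])
```

Running it prints no findings for the benign shortcut and two for the constructed library-pointing one. Applied to a shortcut under investigation, the output shows whether the shell would be asked to load a library at all, which is the observation the post above was trying to make from product logs.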
Re: LNK vulnerability POC re-test
Summary of applications that were able to block it (A + B) already on day zero:
- Faronics Anti-Executable 2
- Sandboxie 3.46 (contained)
- GeSWall 2.9 Professional
- Returnil System Safe 2011 RC
- SRP
Ruhe - Valued Member