Microsoft Windows .lnk file code execution (LNK_MsWin_Code_Execution)

About this signature or vulnerability

IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix):

This event triggers when a Microsoft shortcut file contains a specially crafted ICON section which references a UNC (Universal Naming Convention) path.

These types of files should typically not be seen traversing your network. An exception is when the LNK file is hosted on an internal file server and that LNK file references an ICON that is also hosted on an internal file server.

The nature of these files enables them to automatically access resources which may be outside of your control, thus enabling a remote code execution attack on your systems when the ICON is rendered by Microsoft Windows Explorer when browsing to the remote SMB/CIFS share.


False positives

IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix): Not all LNK files containing paths to remote systems result in malicious, remote code execution.

False negatives

IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, IBM Security Host Protection for Desktops, Proventia Network IPS, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Host Protection for Servers (Unix): By default, this event will not trigger when the ICON resource being accessed is local, such as 'C:\filesystem\foo.dll' path. This behavior can be changed however, by enabling the pam.lnk.mswin_code_exec.local.enable tuning parameter.

Default risk level

High risk vulnerability  High

Sensors that have this signature

IBM Security Host Protection for Servers (Windows): 2.1.14.2550, RealSecure Server Sensor: XPU 30.080, Proventia Network MFS: XPU 30.080, Proventia-G 1.1 and earlier: XPU 30.080, Proventia Network IDS: XPU 30.080, IBM Security Host Protection for Desktops: 2550, Proventia Network IPS: XPU 30.080, Virtual Server Protection for Vmware: XPU 30.080, Proventia Server IPS for Linux technology: 30.080, IBM Security Host Protection for Servers (Unix): 2.2.2

Systems affected

Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Windows Vista: SP1, Microsoft Windows Vista: SP1 x64, Microsoft Windows Server 2008: Itanium, Microsoft Windows Server 2008: x32, Microsoft Windows Server 2008: x64, Microsoft Windows XP: SP3, Microsoft Windows Vista: SP2 x64, Microsoft Windows Vista: SP2, Microsoft Windows Server 2008: SP2 x32, Microsoft Windows Server 2008: SP2 x64, Microsoft Windows 7: x64, Microsoft Windows 7: x32, Microsoft Windows Server 2008: R2 x64, Microsoft Windows Server 2008: R2 Itanium, Microsoft Windows Server 2008: SP2 Itanium

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Windows could allow a remote attacker to execute arbitrary code on the system, caused by the improper validation of specific parameters of shortcuts (.lnk or .pif) by the Windows Shell component when displaying the icon of a shortcut file. By persuading a victim to attach a USB drive or CD-ROM with a malicious shortcut file or browse to the root folder of the device using Windows Explorer or a similar file manager, a remote attacker could exploit this vulnerability using a specially-crafted .LNK or .PIF shortcut file to automatically execute specified code with the privileges of the victim.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Krebs on Security Web site
Experts Warn of New Windows Shortcut Flaw
http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/

Microsoft Web Site
Microsoft Windows
http://www.microsoft.com/windows/default.aspx

Microsoft Security Advisory (2286198)
Vulnerability in Windows Shell Could Allow Remote Code Execution
http://www.microsoft.com/technet/security/advisory/2286198.mspx

Offensive Security Exploit Database [07-18-2010]
Microsoft Windows Automatic LNK Shortcut File Code Execution
http://www.exploit-db.com/exploits/14403/

Microsoft Security Bulletin MS10-046
Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198)
http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx

Microsoft Security Bulletin MS11-006
Vulnerability in Windows Shell Graphics Processing Could Allow Remote Code Execution (2483185)
http://www.microsoft.com/technet/security/bulletin/ms11-006.mspx

Microsoft Security Bulletin MS12-048
Vulnerability in Windows Shell Could Allow Remote Code Execution (2691442)
http://technet.microsoft.com/en-us/security/bulletin/ms12-048

ISS X-Force
Microsoft Windows .lnk file code execution
http://www.iss.net/security_center/static/60422.php

CVE
CVE-2010-2568
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2568