PROBLEMS WITH WINDOWS SHORTCUTS

From: S G Masood (sgmasoodat_private)
Date: Sat Mar 15 2003 - 05:19:39 PST

    ==============================================================================================
    
    
    Topic: Problems with Windows Shortcuts
    Tested With: Windows 98, Windows 2000 Server
    Author: S.G.Masood (sgmasoodat_private)
    
    
    ==============================================================================================
    
    
    ==============================================================================================
    
    
    
    DESCRIPTION:
    
    There is a problem with the way Windows (tested with Win98 and
    Win2k Server) handles shortcut (.lnk) files.
    
    A specially crafted shortcut will crash explorer.exe/shell32.dll.
    
    A shortcut, say, A.lnk is created and it is made to point to another
    shortcut B.lnk. Then, B.lnk is made to point to A.lnk. Now when the
    folder containing these two files is viewed or accessed in any way,
    explorer crashes.
    
    (Note that Windows won't allow the creation of .lnk files in the
    above format. A hex editor can be used to change the location of the
    .lnk files. A zip file containing examples for Win98 has been
    attached)
    
    As an effect, a malicious user/program can hide malware in a folder
    containing these .lnk files to prevent users/programs from
    investigating the contents of the folder.
    
    This vulnerability is most damaging when the shortcuts are placed on
    the desktop. This could prevent many clueless users from using their
    computer.
    
    
    ==============================================================================================
    
    
    
    VENDOR RESPONSE:
    
    Microsoft was contacted and it responded with:
    
    "...While this issue is certainly a bug, we believe that it doesn't
    constitute a security vulnerability.  That is, it wouldn't enable a
    malicious user to compromise data or usurp control over the user's
    machine..."
    
    
    ==============================================================================================
    
    
    
    
    SECURITY IMPLICATIONS OF THIS "BUG":
    
    
    1. Under *most* circumstances, Explorer.exe will restart when it
    crashes but in some cases, the machine hangs and has to be
    restarted.
    
    2. When Explorer.exe crashes and restarts, it takes all iexplore.exe
    instances with it, thereby crashing them all. This scenario may not
    seem worthy of attention at first glance but it may be damaging in
    some cases.
    
    3. The folder that contains these shortcuts may house malware of
    other kinds. This may be exploited to hide malware and stop users
    (and programs?) from investigating the contents of the folder. A few
    users may still go ahead looking for other ways to investigate it
    but, other, not-so-savvy, users will just leave it alone thereby
    allowing the spread of new types of *LAME* malware (the naivete of
    most users is apparent from the wildfire type success of email
    attachment viruses even after infinite warnings).
    
    Similar vulnerabilities, harmless looking at first glance, were used
    previously to devastating effect.
    
    4. I believe this case is most serious as a DoS. If the shortcuts or
    variants are placed on the Desktop, it would keep crashing Explorer
    in an endless loop and prevent users from using the machine (Oh
    naivete! Thou art the most abundant quality in us mortals! ;-).
    
    Also, this may be combined with other remote file creation
    vulnerabilities to make it remotely exploitable.
    
    
    ==============================================================================================
    
    
    
    SOLUTION:
    
    
    No patch is available from the vendor.
    The shortcuts can be safely deleted from the command line.
    
    
    
    ==============================================================================================
    
    
    
    
    
    Regards,
    S.G.Masood
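
An added example, not part of the original post: a command-line check that reads the `.lnk` files in a folder as raw bytes, without involving the shell, and reports shortcuts that point at each other in a loop. It assumes the target path is stored in the LinkInfo `LocalBasePath` field of the Shell Link (MS-SHLLINK) format; shortcuts that carry their target only in the ID list are skipped. The function names are hypothetical.

```python
import struct, sys
from pathlib import Path, PureWindowsPath

HAS_ID_LIST, HAS_LINK_INFO = 0x1, 0x2        # LinkFlags bits in the header

def lnk_target(data: bytes):
    """Return the LocalBasePath stored in a shell link, or None."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        return None                           # not a 76-byte ShellLinkHeader
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:                   # skip the LinkTargetIDList
        if pos + 2 > len(data):
            return None
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if not flags & HAS_LINK_INFO or pos + 20 > len(data):
        return None
    # LinkInfo: size, header size, then flags, VolumeIDOffset, LocalBasePathOffset
    info_flags, _vol, base_off = struct.unpack_from("<III", data, pos + 8)
    if not info_flags & 0x1 or base_off == 0:  # no local base path present
        return None
    start = pos + base_off
    end = data.find(b"\0", start)
    if start >= len(data) or end < 0:
        return None
    return data[start:end].decode("cp1252", errors="replace")

def find_cycles(links: dict) -> list:
    """links maps shortcut path -> target path; return each loop once."""
    norm = lambda p: str(PureWindowsPath(p)).lower()   # case-insensitive paths
    graph = {norm(k): norm(v) for k, v in links.items() if v}
    cycles, done = [], set()
    for start in graph:
        path, node = [], start
        while node in graph and node not in done and node not in path:
            path.append(node)
            node = graph[node]
        if node in path:                      # the chain walked back into itself
            cycles.append(path[path.index(node):])
        done.update(path)
    return cycles

def scan_folder(folder) -> list:
    """Parse every .lnk in folder from disk and return the loops found."""
    links = {str(f.resolve()): lnk_target(f.read_bytes())
             for f in Path(folder).iterdir()
             if f.is_file() and f.suffix.lower() == ".lnk"}
    return find_cycles(links)

if __name__ == "__main__" and len(sys.argv) > 1:
    for loop in scan_folder(sys.argv[1]):
        print("circular shortcuts:", " -> ".join(loop))
```
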
    
    
    



    This archive was generated by hypermail 2b30 : Sat Mar 15 2003 - 11:04:07 PST