Mitigating .LNK Exploitation With Ariad

Today I tested @Ivanlef0u's .LNK PoC with my latest Ariad tool.

I adapted the PoC to work on a CD-ROM for drive D. When you load the CD-ROM with the PoC (I use an ISO file inside a VM) and take a look at DbgView's output, you'll notice that the payload gets executed:

With Ariad installed on the machine in its default configuration (just block \autorun.inf), the PoC still works:

But configuring Ariad to block access to executables (this includes .LNK) prevents the PoC from executing:

Access to the .LNK file is denied, and Windows Explorer can't start the payload.

And configuring Ariad to prevent files from being mapped into memory (this is something Windows does with executables) also prevents the PoC from executing:

This time, access to the .LNK file is not denied, but dll.dll is prevented from loading into memory, thus again preventing the payload from executing.
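The two Ariad settings above work at the file-access layer; a complementary detection-side check is to inspect the shortcut itself before Explorer renders it. The following parser is an added example, not part of the post or of Ariad: it reads the Shell Link header and LinkTargetIDList (layout as documented in MS-SHLLINK) and flags shortcuts whose ID list enters the Control Panel folder and names a .dll, which is the pattern of the PoC's shortcut loading dll.dll. The Control Panel folder CLSID and the sample shortcut bytes are constructed for the example.

```python
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x00000001
# Shell CLSID of the Control Panel folder (assumption for this example).
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le

def parse_id_list(data):
    """Return the ItemID payloads of a .LNK's LinkTargetIDList ([] if absent)."""
    if len(data) < LNK_HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != LNK_HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    if data[4:20] != LNK_CLSID:
        raise ValueError("bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    if not flags & HAS_LINK_TARGET_ID_LIST:
        return []
    pos = LNK_HEADER_SIZE
    id_list_size = struct.unpack_from("<H", data, pos)[0]
    pos += 2
    end = pos + id_list_size
    items = []
    while pos + 2 <= end:
        size = struct.unpack_from("<H", data, pos)[0]   # ItemIDSize includes itself
        if size < 2:                                     # TerminalID (0) or malformed
            break
        items.append(data[pos + 2:pos + size])
        pos += size
    return items

def suspicious_items(data):
    """Reasons a .LNK resembles an icon-handler shortcut that makes shell32 load a DLL."""
    reasons = []
    for item in parse_id_list(data):
        if CONTROL_PANEL_CLSID in item:
            reasons.append("target ID list enters the Control Panel folder")
        text = item.decode("utf-16-le", "ignore").lower()
        if b".dll" in item.lower() or ".dll" in text:
            reasons.append("item ID carries a .dll path")
    return reasons

def build_sample_lnk(path):
    """Constructed test input: minimal header + ID list (Control Panel root item, then a path)."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    cpl_item = b"\x1f\x00" + CONTROL_PANEL_CLSID        # root shell item carrying the CLSID
    path_item = path.encode("utf-16-le") + b"\x00\x00"
    id_list = b"".join(struct.pack("<H", len(i) + 2) + i for i in (cpl_item, path_item)) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list
```

Run `suspicious_items(build_sample_lnk("D:\\dll.dll"))` to see both reasons reported for a shortcut shaped like the PoC; a shortcut without an ID list yields none.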

You can use Ariad if you want to mitigate attacks with these shortcut links until Microsoft releases a patch. As it is expected that Microsoft will not release a patch for Windows XP SP2, Ariad can offer permanent mitigation.

Be sure to read Ariad's documentation before using it.

View full post on Didier Stevens

7 Responses to “Mitigating .LNK Exploitation With Ariad”

  1. Didier Stevens says:

    @bonarez I know about win2k, and I believe my driver could run on it, but have not tested yet.

  2. bonarez says:

    I wish I could use this in production env.. for now no icons in lnk’s

    @Didier: btw it’s not just xp sp2 support that stopped, also win2k workstation. Talk about irony: the exploit was found first in malware that was designed to spy on scada aka wincc systems. A siemens implementation that runs mostly on.. you guessed it.

    bonarez

  3. Faille de sécurité des raccourcis sous Windows « Criminalités numériques says:

    [...] Didier Stevens explains on his blog how the tool he developed (Ariad) also protects against this attack. [...]

  4. Prevent Microsoft Windows Automatic .lnk Shortcut File Code Execution | KompiError.com says:

    [...] Tutorial: 1. Unzip the files in 'C: '. Start a DbgView or paste a Konsole Debug to your Virtual Machine. 2. Rename 'suckme.lnk_' to 'suckme.lnk' and let the magic do the rest of shell32.dll. 3. Look at your logs, can be like this. [...]

  5. Milo Rambaldi says:

    @ivan: most users let icon handler with default value.
    @didier: nice experiment. keep it run, bro!

  6. Didier Stevens says:

    @IvanLef0u With pleasure ;-) I'll test this registry setting after I complete the documentation for Ariad.

  7. Ivanlef0u says:

    Yo,
    Thx for testing dude :)
    Btw have you tried the workaround 'Disable the displaying of icons for shortcuts' from http://www.microsoft.com/technet/security/advisory/2286198.mspx ? You have to remove the registry entry 'HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler'. Guess after this all your icons are not displayed lol …
