Executive Summary

Summary
Title: Microsoft Windows automatically executes code specified in shortcut files
Information
Name: VU#824672
First vendor publication: 2017-08-03
Vendor: VU-CERT
Last vendor modification: 2017-08-09
Severity (vendor): N/A
Revision: M

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS score: NA
Base score: NA
Environmental score: NA
Impact sub score: NA
Temporal score: NA
Exploitability sub score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CVSS base score: 9.3
Attack range: Network
CVSS impact score: 10
Attack complexity: Medium
CVSS exploit score: 8.6
Authentication: None required

Detail

Vulnerability Note VU#824672

Microsoft Windows automatically executes code specified in shortcut files

Original Release date: 03 Aug 2017 | Last revised: 09 Aug 2017

Overview

Microsoft Windows automatically executes code specified in shortcut (LNK) files.

Description

Microsoft Windows supports the use of shortcut or LNK files. A LNK file is a reference to a local file. Clicking on a LNK file has essentially the same outcome as clicking on the file that is specified as the shortcut target. For example, clicking a shortcut to calc.exe will launch calc.exe, and clicking a shortcut to readme.txt will open readme.txt with the associated application for handling text files.

Microsoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing dynamic icon functionality. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of a shortcut file, an attacker can specify a malicious DLL that is to be processed within the context of the Windows Control Panel, which will result in arbitrary code execution. The specified code may reside on a USB drive, local or remote filesystem, a CD-ROM, or other locations. Viewing the location of a shortcut file with Windows Explorer is sufficient to trigger the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well.

The origin of this vulnerability is outlined in VU#940193 (CVE-2010-2568). The fix for CVE-2010-2568 and the subsequent fix for CVE-2015-0096 are both insufficient in that they do not take into account LNK files that use the SpecialFolderDataBlock or KnownFolderDataBlock attributes to specify the location of a folder. Such files are able to bypass the whitelisting first implemented in the fix for CVE-2010-2568.

Exploit code for this vulnerability is publicly available.
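The two ExtraData blocks named above are ordinary structures in the documented shortcut format, so a defender can look for them without ever letting Windows render the icon. The following is an added example, not code from CERT/CC or Microsoft: it walks the MS-SHLLINK layout (ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData, ExtraData) and reports the indicators this note describes. The block signatures, LinkFlags bits, CSIDL value and the two shell CLSIDs come from the public MS-SHLLINK and Windows shell documentation; the remote-share and Control Panel heuristics are this example's own choices; and the shortcut it inspects is built in memory as a constructed sample, not a file captured from the wild.

```python
"""Static triage of a Windows shortcut (.lnk) for the VU#824672 indicators.
Added example, not CERT/CC or Microsoft code; follows the public MS-SHLLINK layout."""
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")        # LinkCLSID in every .lnk
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")

# ExtraData block signatures (MS-SHLLINK section 2.5)
BLOCK_NAMES = {
    0xA0000001: "EnvironmentVariableDataBlock", 0xA0000002: "ConsoleDataBlock",
    0xA0000003: "TrackerDataBlock",             0xA0000004: "ConsoleFEDataBlock",
    0xA0000005: "SpecialFolderDataBlock",       0xA0000006: "DarwinDataBlock",
    0xA0000007: "IconEnvironmentDataBlock",     0xA0000008: "ShimDataBlock",
    0xA0000009: "PropertyStoreDataBlock",       0xA000000B: "KnownFolderDataBlock",
    0xA000000C: "VistaAndAboveIDListDataBlock",
}
SUSPECT_BLOCKS = {0xA0000005, 0xA000000B}   # the two blocks named in VU#824672

# LinkFlags bits (MS-SHLLINK 2.1.1) that decide which optional sections follow the header
HAS_IDLIST, HAS_LINKINFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # Name, RelativePath, WorkingDir, Arguments, IconLocation


def parse_lnk(data):
    """Return the LinkFlags, raw ItemIDList, StringData entries and ExtraData signatures."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    if uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a shell link: bad LinkCLSID")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos, idlist = 0x4C, b""
    if flags & HAS_IDLIST:                        # IDListSize, then ItemIDs up to the TerminalID
        size = struct.unpack_from("<H", data, pos)[0]
        idlist = data[pos + 2:pos + 2 + size]
        pos += 2 + size
    if flags & HAS_LINKINFO:                      # LinkInfoSize covers the whole LinkInfo structure
        pos += struct.unpack_from("<I", data, pos)[0]
    width, strings = (2 if flags & IS_UNICODE else 1), []
    for bit in STRING_FLAGS:                      # each entry: CountCharacters, then the characters
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            raw = data[pos + 2:pos + 2 + count * width]
            strings.append(raw.decode("utf-16-le" if width == 2 else "latin-1"))
            pos += 2 + count * width
    blocks = []
    while pos + 8 <= len(data):                   # ExtraData: BlockSize, BlockSignature, payload
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 8 or pos + size > len(data):    # TerminalBlock (BlockSize < 4) or truncated block
            break
        blocks.append(sig)
        pos += size
    return {"flags": flags, "idlist": idlist, "strings": strings, "blocks": blocks}


def triage(data):
    """Findings relevant to VU#824672 for one shortcut, as a list of strings (empty = clean)."""
    info, findings = parse_lnk(data), []
    for sig in info["blocks"]:
        if sig in SUSPECT_BLOCKS:
            findings.append(f"{BLOCK_NAMES[sig]} in ExtraData (bypasses the CVE-2010-2568 whitelist)")
    if CONTROL_PANEL_CLSID.bytes_le in info["idlist"]:   # heuristic: target list goes via Control Panel
        findings.append("LinkTargetIDList passes through the Control Panel namespace")
    for s in info["strings"]:
        if s.startswith("\\\\"):                          # heuristic: UNC path = module fetched over SMB/WebDAV
            findings.append(f"StringData references a remote share: {s}")
    return findings


def build_sample_lnk(suspicious=True):
    """Constructed sample, not a real-world file. suspicious=True carries a Control Panel item,
    a UNC icon path and a SpecialFolderDataBlock; suspicious=False is an ordinary shortcut."""
    flags = HAS_IDLIST | IS_UNICODE | 0x40               # IDList + IconLocation, UTF-16 strings
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID.bytes_le, flags) + b"\x00" * (0x4C - 24)
    clsid = CONTROL_PANEL_CLSID if suspicious else MY_COMPUTER_CLSID
    root_item = b"\x1f\x00" + clsid.bytes_le              # root-folder item: type 0x1F, sort index, CLSID
    idlist_body = struct.pack("<H", len(root_item) + 2) + root_item + b"\x00\x00"   # ItemID + TerminalID
    idlist = struct.pack("<H", len(idlist_body)) + idlist_body
    icon = "\\\\192.0.2.10\\share\\icon.dll" if suspicious else "C:\\Windows\\System32\\shell32.dll"
    strings = struct.pack("<H", len(icon)) + icon.encode("utf-16-le")
    extra = b""
    if suspicious:   # BlockSize 0x10, signature, SpecialFolderID 3 (CSIDL_CONTROLS), Offset 0
        extra = struct.pack("<IIII", 0x10, 0xA0000005, 3, 0)
    return header + idlist + strings + extra + b"\x00\x00\x00\x00"   # TerminalBlock


if __name__ == "__main__":
    for label, blob in (("suspicious", build_sample_lnk(True)), ("benign", build_sample_lnk(False))):
        print(label, triage(blob) or ["no indicators"])
```

Run as a script it prints the findings for the constructed suspicious and benign shortcuts; in practice, feed triage() the bytes of each .lnk found on a removable drive or in a mail quarantine, on a host that does not render the icon. A SpecialFolderDataBlock or KnownFolderDataBlock on its own is not proof of malice, since legitimate shortcuts into special folders carry them too; the combination with a Control Panel item and a remote module path is the signal worth escalating.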

Impact

By convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device.

Solution

Apply an update

This issue is addressed in the Microsoft Update for CVE-2017-8464.

Block outgoing SMB traffic

Block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will help prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block an attack vector for this and other vulnerabilities.

Disable WebDAV

Even if outgoing SMB traffic is disabled, Windows clients can still connect to network shares using the WebDAV protocol, which uses HTTP as a transport. WebDAV can be disabled at various layers, depending on the requirements of your organization:

    At the client

    To disable WebDAV on a Windows client, set the Startup type property for the WebClient service to Disabled. Note that this may interfere with the ability to access features that utilize WebDAV, such as some aspects of Microsoft SharePoint.

    On the network

    WebDAV can be blocked at the network level by blocking the methods used by the WebDAV extension to HTTP. See Blocking WebDAV methods for an example of how to accomplish this. Check with your firewall vendor for more details.
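The two network-side steps above (block outgoing SMB at the perimeter, block WebDAV methods on HTTP) can be written down as a small egress policy. This is an added example, not text or code from the advisory or from any firewall vendor. It treats the RFC 1918 ranges and loopback as "the local network" (an assumption a real deployment replaces with its own address plan), applies the SMB port rule only to flows leaving that network, and applies the WebDAV method rule to HTTP requests that an HTTP-aware device has already parsed; the flow records are constructed.

```python
"""Egress policy check for the two network mitigations in VU#824672.
Added example, not from CERT/CC or a firewall vendor; flow records are constructed."""
import ipaddress

SMB_PORTS = {139, 445}
# Methods the WebDAV extension adds to HTTP (RFC 4918); ordinary GET/POST stay allowed
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}
# Assumption: "the local network" is RFC 1918 plus loopback. Not ipaddress.is_private,
# which also covers documentation ranges and would hide the outside hosts in the sample.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(ip):
    """True when the destination lies inside one of LOCAL_NETS."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_NETS)


def decide(flow):
    """Return (verdict, reason) for one outbound flow.

    flow keys: proto ('tcp'/'udp'), dst (IP string), dport (int) and, when an
    HTTP-aware enforcement point has parsed the request line, http_method.
    """
    proto = flow["proto"].lower()
    if proto in ("tcp", "udp") and flow["dport"] in SMB_PORTS and not is_internal(flow["dst"]):
        return "DENY", f"SMB {proto}/{flow['dport']} to {flow['dst']} leaves the local network"
    method = (flow.get("http_method") or "").upper()
    if method in WEBDAV_METHODS:
        return "DENY", f"WebDAV method {method} to {flow['dst']}:{flow['dport']}"
    return "ALLOW", "no VU#824672 rule matched"


def evaluate(flows):
    """Verdicts for a batch of flows, in input order."""
    return [decide(f)[0] for f in flows]


# Constructed flow records; outside hosts use TEST-NET documentation addresses
SAMPLE_FLOWS = [
    {"proto": "tcp", "dst": "198.51.100.7",  "dport": 445},                           # SMB to the internet
    {"proto": "tcp", "dst": "10.0.0.5",      "dport": 445},                           # SMB to an internal server
    {"proto": "udp", "dst": "203.0.113.9",   "dport": 139},                           # NetBIOS datagram outbound
    {"proto": "tcp", "dst": "203.0.113.9",   "dport": 80, "http_method": "PROPFIND"}, # WebClient probing a share
    {"proto": "tcp", "dst": "203.0.113.9",   "dport": 80, "http_method": "GET"},      # ordinary web traffic
    {"proto": "tcp", "dst": "198.51.100.20", "dport": 443},                           # TLS: method not visible
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        verdict, reason = decide(flow)
        print(f"{verdict:5} {flow['proto']}/{flow['dport']:<3} {flow['dst']:<14} {reason}")
```

The WebDAV rule only fires where the enforcement point sees the request line, that is, a forward proxy or a layer-7 firewall; on port 443 the method sits inside TLS and the last sample flow is allowed through untouched, which is why the client-side WebClient service setting remains the more dependable of the two controls. Both rules close the network paths by which an outside share could be reached; neither changes how Windows itself handles the shortcut, so they complement the update rather than replace it.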

Vendor Information

Vendor: Microsoft Corporation
Status: Affected
Date Notified: -
Date Updated: 03 Aug 2017

CVSS Metrics

Group          Score  Vector
Base           7.5    AV:N/AC:L/Au:N/C:P/I:P/A:P
Temporal       6.2    E:F/RL:OF/RC:C
Environmental  6.2    CDP:ND/TD:H/CR:ND/IR:ND/AR:ND

References

  • https://www.kb.cert.org/vuls/id/940193
  • https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464
  • https://msdn.microsoft.com/en-us/library/windows/desktop/dd408161(v=vs.85).aspx
  • https://packetsneverlie.blogspot.com/2010/09/blocking-webdav-methods.html

Credit

This document was written by Will Dormann.

Other Information

  • CVE IDs: CVE-2017-8464
  • Date Public: 13 Jun 2017
  • Date First Published: 03 Aug 2017
  • Date Last Updated: 09 Aug 2017
  • Document Revision: 18


Original Source

Url : http://www.kb.cert.org/vuls/id/824672

CWE : Common Weakness Enumeration

%     Id       Name
50 %  CWE-426  Untrusted Search Path
50 %  CWE-20   Improper Input Validation

OVAL Definitions

Oval ID: oval:org.mitre.oval:def:11564
Title: Windows Shell Vulnerability
Description: Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.
Family: windows
Class: vulnerability
Reference(s): CVE-2010-2568
Version: 9
Platform(s):
  • Microsoft Windows XP
  • Microsoft Windows Server 2003
  • Microsoft Windows Server 2008
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows Vista
  • Microsoft Windows 7

Oval ID: oval:org.mitre.oval:def:28609
Title: DLL planting remote code execution vulnerability - CVE-2015-0096 (MS15-020)
Description: Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."
Family: windows
Class: vulnerability
Reference(s): CVE-2015-0096
Version: 3
Platform(s):
  • Microsoft Windows Server 2003
  • Microsoft Windows Vista
  • Microsoft Windows Server 2008
  • Microsoft Windows 7
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows 8
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2

Oval ID: oval:org.mitre.oval:def:28624
Title: DEPRECATED: DLL planting remote code execution vulnerability - CVE-2015-0096 (MS15-020)
Description: Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."
Family: windows
Class: vulnerability
Reference(s): CVE-2015-0096
Version: 4
Platform(s):
  • Microsoft Windows Server 2003
  • Microsoft Windows Vista
  • Microsoft Windows Server 2008
  • Microsoft Windows 7
  • Microsoft Windows Server 2008 R2
  • Microsoft Windows 8
  • Microsoft Windows 8.1
  • Microsoft Windows Server 2012
  • Microsoft Windows Server 2012 R2

CPE : Common Platform Enumeration

Type  Description  Count
Os entries: 16 (product descriptions missing from this record)

SAINT Exploits

Description
Windows Shell LNK file CONTROL item command execution

OpenVAS Exploits

Date Description
2010-08-04 Name : Microsoft Windows Shell Remote Code Execution Vulnerability (2286198)
File : nvt/secpod_ms10-046.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
66387 Microsoft Windows Shell LNK File Parsing Arbitrary Command Execution

Windows contains a flaw that may allow an attacker to execute arbitrary code. The issue is triggered by a specially crafted .LNK or .PIF shortcut file which contains an icon resource that points to a malicious DLL file.

Information Assurance Vulnerability Management (IAVM)

Date Description
2015-03-12 IAVM : 2015-A-0053 - Multiple Vulnerabilities in Microsoft Windows (MS15-020)
Severity : Category II - VMSKEY : V0059001

Snort® IPS/IDS

Date Description
2015-07-13 Win.Trojan.Fanny outbound connection
RuleID : 34857 - Revision : 2 - Type : MALWARE-CNC
2014-01-10 DNS request for known malware domain level4-co1-as30912.su
RuleID : 28067 - Revision : 2 - Type : BLACKLIST
2014-01-10 DNS request for known malware domain level4-co2-as30938.su
RuleID : 28066 - Revision : 2 - Type : BLACKLIST
2014-01-10 DNS request for known malware domain x2v9.com
RuleID : 28065 - Revision : 2 - Type : BLACKLIST
2014-01-10 DNS request for known malware domain intelbackupsrv.su
RuleID : 28064 - Revision : 2 - Type : BLACKLIST
2014-01-10 DNS request for known malware domain intelsystems.su
RuleID : 28063 - Revision : 2 - Type : BLACKLIST
2014-01-10 DNS request for known malware domain intelsecurity.su
RuleID : 28062 - Revision : 2 - Type : BLACKLIST
2014-01-10 DNS request for known malware domain intelcore.su
RuleID : 28061 - Revision : 2 - Type : BLACKLIST
2014-01-10 Microsoft LNK shortcut arbitrary dll load attempt
RuleID : 24500 - Revision : 6 - Type : FILE-OTHER
2014-01-10 Microsoft LNK shortcut download attempt
RuleID : 19291 - Revision : 4 - Type : NETBIOS
2014-01-10 Microsoft LNK shortcut arbitary dll load attempt
RuleID : 19290 - Revision : 9 - Type : FILE-OTHER
2014-01-10 Microsoft Windows PIF shortcut file download request
RuleID : 17043 - Revision : 9 - Type : FILE-IDENTIFY
2014-01-10 Microsoft LNK shortcut arbitrary dll load attempt
RuleID : 17042 - Revision : 17 - Type : FILE-OTHER

Nessus® Vulnerability Scanner

Date Description
2017-06-14 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_jun_4025685_vista.nasl - Type : ACT_GATHER_INFO
2017-06-14 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_jun_win2008.nasl - Type : ACT_GATHER_INFO
2017-06-14 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_jun_windows8.nasl - Type : ACT_GATHER_INFO
2017-06-13 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_jun_4022714.nasl - Type : ACT_GATHER_INFO
2017-06-13 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_jun_4022715.nasl - Type : ACT_GATHER_INFO
2017-06-13 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_jun_4022719.nasl - Type : ACT_GATHER_INFO
2017-06-13 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_jun_4022724.nasl - Type : ACT_GATHER_INFO
2017-06-13 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_jun_4022725.nasl - Type : ACT_GATHER_INFO
2017-06-13 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_jun_4022726.nasl - Type : ACT_GATHER_INFO
2017-06-13 Name : The remote Windows host is affected by multiple vulnerabilities.
File : smb_nt_ms17_jun_4022727.nasl - Type : ACT_GATHER_INFO
2015-03-10 Name : The remote Windows host is affected by multiple remote code execution vulnera...
File : smb_nt_ms15-020.nasl - Type : ACT_GATHER_INFO
2010-08-02 Name : The remote windows host is affected by a remote code execution vulnerability.
File : smb_nt_ms10-046.nasl - Type : ACT_GATHER_INFO
2010-07-18 Name : It may be possible to execute arbitrary code on the remote Windows host using...
File : smb_kb_2286198.nasl - Type : ACT_GATHER_INFO

Alert History

Date Informations
2017-08-09 17:22:22
  • Multiple Updates
2017-08-04 21:22:56
  • Multiple Updates
2017-08-04 00:21:24
  • First insertion