9.3 - VU#940193

Executive Summary

Summary
Title	Microsoft Windows automatically executes code specified in shortcut files

Informations
Name	VU#940193	First vendor Publication	2010-07-15
Vendor	VU-CERT	Last vendor Modification	2010-09-09
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score	9.3	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	8.6	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#940193

Microsoft Windows automatically executes code specified in shortcut files

Overview

Microsoft Windows automatically executes code specified in shortcut (LNK and PIF) files.

I. Description

Microsoft Windows supports the use of shortcut or LNK files. A LNK file is a reference to a local file. A PIF file is a shortcut to a MS-DOS application. Clicking on a LNK or PIF file has essentially the same outcome as clicking on the file that is specified as the shortcut target. For example, clicking a shortcut to calc.exe will launch calc.exe, and clicking a shortcut to readme.txt will open readme.txt with the associated application for handling text files.

Microsoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing dynamic icon functionality. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of a shortcut file, an attacker can specify a malicious DLL that is to be processed within the context of the Windows Control Panel, which will result in arbitrary code execution. The specified code may reside on a USB drive, local or remote filesystem, a CD-ROM, or other locations. Viewing the location of a shortcut file with Windows Explorer is sufficient to trigger the vulnerability. By default, Microsoft Windows has AutoRun/AutoPlay features enabled. These features can cause Windows to automatically open Windows Explorer when a removable drive, such as a USB thumb drive, is connected. Other applications that display file icons can be used as an attack vector for this vulnerability as well. When used in conjunction with a WebDav resource, Internet Explorer can be used as an attack vector for this vulnerability. With the case of Internet Explorer, no user interaction beyond viewing a web page is required to trigger the vulnerability.

This vulnerability is being exploited in the wild to spread malware (stuxnet) that targets control systems. Exploit code for this vulnerability is publicly available.

II. Impact

By convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device. This vulnerability can also be triggered by viewing a web page with Internet Explorer or opening a document with Microsoft Office.

III. Solution

Apply an update

This issue is addressed in Microsoft Security Bulletin MS10-046. Also consider the following workarounds:

Disable the displaying of icons for shortcuts

According to Microsoft Security Advisory 2286198:

Note

See

Microsoft Knowledge Base Article 2286198

to use the automated Microsoft Fix it solution to enable or disable this workaround.

Note

Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

Click Start, click Run, type Regedit in the Open box, and then click OK.

Locate and then click the following registry key:

HKEY_CLASSES_ROOTlnkfileshellexIconHandler

Click the File menu and select Export.

In the Export Registry File dialog box, enter LNK_Icon_Backup.reg and click Save.
Note This will create a backup of this registry key in the My Documents folder by default

Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.

Locate and then click the following registry key:

HKEY_CLASSES_ROOTpiffileshellexIconHandler

Click the File menu and select Export.

In the Export Registry File dialog box, enter PIF_Icon_Backup.reg and click Save.
Note This will create a backup of this registry key in the My Documents folder by default.

Select the value (Default) on the right hand window in the Registy Editor. Press Enter to edit the value of the key. Remove the value, so that the value is blank, and press Enter.

Log all users off and on again, or restart the computer.

Note that this mitigation may prevent Windows shortcuts from displaying some icons.

Disable AutoRun

Disabling AutoRun can increase the amount of user interaction that is required to trigger this vulnerability. It will not block the vulnerability, however. Please see Microsoft Support article 967715 for more details. Setting the NoDriveTypeAutoRun registry entry to 0xFF should provide the highest amount of protection.

Use least privilege

Use "least privilege" approach to user accounts. By reducing the privileges of the user accounts, the impact of this and other vulnerabilties may be reduced. More information about this technique is available in the Microsoft TechNet article Applying the Principle of Least Privilege to User Accounts on Windows XP. Note that these concepts still apply to Windows Vista and newer operating systems.

Disable the WebClient service

According to Microsoft Security Advisory 2286198:

Disabling the WebClient service helps protect affected systems from attempts to exploit this vulnerability by blocking the most likely remote attack vector through the Web Distributed Authoring and Versioning (WebDAV) client service. After applying this workaround, it will still be possible for remote attackers who successfully exploited this vulnerability to cause Microsoft Office Outlook to run programs located on the targeted user's computer or the Local Area Network (LAN), but users will be prompted for confirmation before opening arbitrary programs from the Internet.

To disable the WebClient Service, follow these steps:

Click Start, click Run, type Services.msc and then click OK.

Right-click WebClient service and select Properties.

Change the Startup type to Disabled. If the service is running, click Stop.

Click OK and exit the management application.

Block outgoing SMB traffic

Block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will help prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block an attack vector for this vulnerability.

Use a web browser other than Internet Explorer

Internet Explorer is very closely integrated with the Microsoft Windows operating system. Because of this, Internet Explorer can often be used as an attack vector for vulnerabilities in the Microsoft Windows operating system. In this case, Internet Explorer can be used to trigger the vulnerability with no user interaction required beyond visiting a malicious or compromised website. Other browsers appear to require additional user interaction.

Vendor Information

Vendor	Status	Date Notified	Date Updated
Microsoft Corporation	Affected	2010-07-15	2010-08-02

References

http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx
http://www.microsoft.com/technet/security/advisory/2286198.mspx
http://support.microsoft.com/kb/2286198
http://isc.sans.edu/diary.html?storyid=9190
http://www.securityfocus.com/bid/41732
http://secunia.com/advisories/40647/
http://support.microsoft.com/kb/967715
http://www.anti-virus.by/en/tempo.shtml
http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-flaw/
http://www.f-secure.com/weblog/archives/new_rootkit_en.pdf
http://www.f-secure.com/weblog/archives/00001986.html
http://www.f-secure.com/weblog/archives/00001987.html
http://support.automation.siemens.com/WW/view/en/43876783

Credit

This vulnerability was discovered by VirusBlokAda through its exploitation in the wild.

This document was written by Will Dormann.

Other Information

Date Public:	2010-07-10
Date First Published:	2010-07-15
Date Last Updated:	2010-09-09
CERT Advisory:
CVE-ID(s):	CVE-2010-2568
NVD-ID(s):	CVE-2010-2568
US-CERT Technical Alerts:
Metric:	72.90
Document Revision:	82

Original Source

Url : http://www.kb.cert.org/vuls/id/940193

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:11564

Oval ID:	oval:org.mitre.oval:def:11564
Title:	Windows Shell Vulnerability
Description:	Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.
Family:	windows	Class:	vulnerability
Reference(s):	CVE-2010-2568	Version:	9
Platform(s):	Microsoft Windows XP Microsoft Windows Server 2003 Microsoft Windows Server 2008 Microsoft Windows Server 2008 R2 Microsoft Windows Vista Microsoft Windows 7	Product(s):
Definition Synopsis:
IF Microsoft Windows XP (x86) SP3 is installed AND the version of shell32.dll is less than 6.0.2900.6018 OR Vulnerable Microsoft Windows XP x64 SP2, Server 2003 x86/x64/ia64 SP2 IF Microsoft Windows XP x64 Edition SP2 is installed AND Microsoft Windows Server 2003 SP2 (x86) is installed AND Microsoft Windows Server 2003 SP2 (x64) is installed AND Microsoft Windows Server 2003 (ia64) SP2 is installed AND the version of shell32.dll is less than 6.0.3790.4751 OR Vulnerable Microsoft Windows Vista x86/x64 SP1, Server 2008 x86/x64/ia64 IF Microsoft Windows Vista (32-bit) Service Pack 1 is installed AND Microsoft Windows Vista x64 Edition Service Pack 1 is installed AND Microsoft Windows Server 2008 (32-bit) is installed AND Microsoft Windows Server 2008 (64-bit) is installed AND Microsoft Windows Server 2008 (ia-64) is installed AND GDR or LDR Service branch the version of shell32.dll is less than 6.0.6001.18505 OR LDR the version of shell32.dll is greater than or equal to 6.0.6001.22000 AND the version of shell32.dll is less than 6.0.6001.22735 OR Vulnerable Microsoft Windows Vista x86/x64 SP2, Server 2008 x86/x64/ia64 SP2 IF Microsoft Windows Vista (32-bit) Service Pack 2 is installed AND Microsoft Windows Vista x64 Edition Service Pack 2 is installed AND Microsoft Windows Server 2008 (32-bit) Service Pack 2 is installed AND Microsoft Windows Server 2008 x64 Edition Service Pack 2 is installed AND Microsoft Windows Server 2008 Itanium-Based Edition Service Pack 2 is installed AND GDR or LDR Service branch the version of shell32.dll is less than 6.0.6002.18287 OR LDR the version of shell32.dll is greater than or equal to 6.0.6002.22000 AND the version of shell32.dll is less than 6.0.6002.22454 OR Vulnerable Microsoft Windows 7 x86/x64, Windows Server 2008 R2 x64/ia64 IF Microsoft Windows 7 (32-bit) is installed AND Microsoft Windows 7 x64 Edition is installed AND Microsoft Windows Server 2008 R2 x64 Edition is installed AND Microsoft Windows Server 2008 R2 Itanium-Based Edition is installed AND GDR or LDR Service branch the version of shell32.dll is less than 6.1.7600.16644 OR LDR the version of shell32.dll is greater than or equal to 6.1.7600.20000 AND the version of shell32.dll is less than 6.1.7600.20765

CPE : Common Platform Enumeration

Type	Description	Count
Os	Microsoft Windows 7 cpe:2.3:o:microsoft:windows_7:-:::::::*	1
Os	Microsoft Windows Server 2003 cpe:2.3:o:microsoft:windows_server_2003:-:sp2::::::	1
Os	Microsoft Windows Server 2008 cpe:2.3:o:microsoft:windows_server_2008:r2::::::itanium: cpe:2.3:o:microsoft:windows_server_2008:r2::::::x64: cpe:2.3:o:microsoft:windows_server_2008:-:sp2:::::: cpe:2.3:o:microsoft:windows_server_2008:-:-::::::	4
Os	Microsoft Windows Vista cpe:2.3:o:microsoft:windows_vista:-:sp1:::::: cpe:2.3:o:microsoft:windows_vista:-:sp2::::::	2
Os	Microsoft Windows Xp cpe:2.3:o:microsoft:windows_xp:-:sp3:::::: cpe:2.3:o:microsoft:windows_xp:-:sp2:::professional::x64:	2

SAINT Exploits

Description	Link
Windows Shell LNK file CONTROL item command execution	More info here

OpenVAS Exploits

Date	Description
2010-08-04	Name : Microsoft Windows Shell Remote Code Execution Vulnerability (2286198) File : nvt/secpod_ms10-046.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
66387	Microsoft Windows Shell LNK File Parsing Arbitrary Command Execution Windows contains a flaw that may allow an attacker to execute arbitrary code. The issue is triggered by a specially crafted .LNK or .PIF shortcut file which contains an icon resource that points to a malicious DLL file.

Snort® IPS/IDS

Date	Description
2015-07-13	Win.Trojan.Fanny outbound connection RuleID : 34857 - Revision : 2 - Type : MALWARE-CNC
2014-01-10	DNS request for known malware domain level4-co1-as30912.su RuleID : 28067 - Revision : 2 - Type : BLACKLIST
2014-01-10	DNS request for known malware domain level4-co2-as30938.su RuleID : 28066 - Revision : 2 - Type : BLACKLIST
2014-01-10	DNS request for known malware domain x2v9.com RuleID : 28065 - Revision : 2 - Type : BLACKLIST
2014-01-10	DNS request for known malware domain intelbackupsrv.su RuleID : 28064 - Revision : 2 - Type : BLACKLIST
2014-01-10	DNS request for known malware domain intelsystems.su RuleID : 28063 - Revision : 2 - Type : BLACKLIST
2014-01-10	DNS request for known malware domain intelsecurity.su RuleID : 28062 - Revision : 2 - Type : BLACKLIST
2014-01-10	DNS request for known malware domain intelcore.su RuleID : 28061 - Revision : 2 - Type : BLACKLIST
2014-01-10	Microsoft LNK shortcut arbitrary dll load attempt RuleID : 24500 - Revision : 6 - Type : FILE-OTHER
2014-01-10	Microsoft LNK shortcut download attempt RuleID : 19291 - Revision : 4 - Type : NETBIOS
2014-01-10	Microsoft LNK shortcut arbitary dll load attempt RuleID : 19290 - Revision : 9 - Type : FILE-OTHER
2014-01-10	Microsoft Windows PIF shortcut file download request RuleID : 17043 - Revision : 9 - Type : FILE-IDENTIFY
2014-01-10	Microsoft LNK shortcut arbitrary dll load attempt RuleID : 17042 - Revision : 17 - Type : FILE-OTHER

Nessus® Vulnerability Scanner

Date	Description
2010-08-02	Name : The remote windows host is affected by a remote code execution vulnerability. File : smb_nt_ms10-046.nasl - Type : ACT_GATHER_INFO
2010-07-18	Name : It may be possible to execute arbitrary code on the remote Windows host using... File : smb_kb_2286198.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2017-09-19 09:28:24	Multiple Updates
2015-04-10 13:28:17	Multiple Updates
2014-02-17 12:08:17	Multiple Updates
2013-05-11 00:57:29	Multiple Updates

Global Informations

Type	Count
Oval ID(s)	1
CPE ID(s)	10
Saint Exploit(s)	1
osvdb(s)	1
Openvas Exploit(s)	1
Snort® Rule(s)	13
Nessus® Exploit(s)	2

	Related
10	TA10-222A
9.3	VU#824672
9.3	MS10-046
9.3	KB2286198
7.8	CVE-2010-2568
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 5 more Alert(s)