Vulnerability in Windows Shell Could Allow Remote Code Execution

Page 4 of 5 Previous  1, 2, 3, 4, 5  Next


Re: Vulnerability in Windows Shell Could Allow Remote Code Execution

Post by ssj100 on 28/7/2010, 02:26

Just thought I'd share some (dodgy?) marketing tactics by Prevx in relation to this exploit:
http://www.prevx.com/blog/152/Isolated-first-worm-using-LNK-vulnerability.html

I posted in the comments section as shown:


On scrolling down further, no reply has been issued to my question from "Marco Giuliani" (aka "EraserHW"). In fact, for the average person, on following the dialogue, it can be easily interpreted that Prevx does block all variants of this malware "heuristically" on day zero (which would make it a miracle behaviour blocker).

However, as EraserHW admits here, this is not true:
http://www.wilderssecurity.com/showpost.php?p=1718559&postcount=197

...heuristically try to detect the malicious file (i.e. the linked file is loaded from removable device and/or network), but this will leave some vulnerability if the LNK is located on hard drive

He then goes on to post about how he's developed his own tool to help mitigate this exploit. Anyway, I guess we might be seeing a third tool in no time (following the ones from Sophos, G Data).

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Post by languy99 on 28/7/2010, 02:29

I think the ultimate fix will come from Microsoft. I think they are having problems coming up with a fix that will work and not break Windows at the same time.

Post by DarthTrader on 28/7/2010, 04:29



Post by ssj100 on 28/7/2010, 05:14

DarthTrader wrote:How about this tool:
http://code.google.com/p/linkiconshim/

A: BLOCKED
B: BYPASSED
Same result (and concept) as the G Data LNK Checker. Here's a screenshot of the "warning" icon:

I must say, the icon picture has got better resolution than the G Data one haha.


Post by fsr on 29/7/2010, 19:23

Maybe you are also interested in this Erik Loman post:

For those who have not yet noticed, Windows currently suffers from a major Windows Shell vulnerability which affects all Windows versions (including 64-bit).

Already 5 different malware families (Stuxnet, Chymine, Vobfus, Sality and Zeus) are exploiting the vulnerability.

The vulnerability is in the handling of loading icons from Windows shortcuts. Special shortcuts specify that their icon is located in a separate DLL. The vulnerability in the Windows Shell (shell32.dll) loads this DLL with EXECUTE rights, resulting in (potentially malicious) code being run when the icon of the shortcut is evaluated.

The SurfRight LNK Exploit Protection Shell Extension prevents these DLLs from being loaded with EXECUTE permissions. Instead it loads the DLL with only READ permissions. The result is that the icon is still loaded but the exploit is not triggered.

Solutions from other vendors either work on non-local disks only or block some legitimate shortcuts (like shortcuts to VPN connections). Our solution doesn't suffer from those drawbacks.

In 2006, Hitman Pro version 2 offered WMF-exploit protection before Microsoft released its patch.

Again, due to the scale of the vulnerability and until Microsoft offers a proper patch, Hitman Pro 3.5.6 build 108 (or newer) offers the user to install the LNK Exploit Protection Shell Extension.

We have made a video to illustrate the protection:
-http://www.youtube.com/watch?v=1gbJ1m2ac1E-

A beta (32-bit only) can be downloaded from here: http://dl.surfright.nl/HitmanPro35beta.exe

Please let me know what you think and if you find any issues.

http://www.wilderssecurity.com/showpost.php?p=1719630&postcount=1928


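Added example (written for this page; not code from the thread, from SurfRight, or from any of the other vendors named here): a static triage script for .lnk files that separates the two shapes the thread calls Test A and Test B. It parses the MS-SHLLINK header, LinkTargetIDList and StringData, and flags a link whose IDList carries the Control Panel folder CLSID next to a library path, which is the shape that makes shell32.dll load the DLL just to draw the icon, as Erik Loman's post above describes. It separately flags an ordinary shortcut whose target is rundll32.exe with a DLL argument, the "Method B" that no icon-rendering fix can or should stop, since that is simply a shortcut being opened. Because the script reads the file rather than hooking the icon load, its verdict does not depend on whether the .lnk sits on removable media, a network share or the local hard drive, which is the gap EraserHW's comment above points out for location-based heuristics. The three sample links, the paths in them (E:\dll.dll and C:\dll.dll,EntryPoint), the simplified shell item bytes and the heuristic itself are constructed for this example and are assumptions, not the byte layout of any real sample.

```python
# Static triage of .lnk files (MS-SHLLINK) for the thread's Test A and Test B shapes.
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
CLSID_MY_COMPUTER = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CLSID_CONTROL_PANEL = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
STRING_DATA_ORDER = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                     (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                     (HAS_ICON_LOCATION, "icon_location"))  # order fixed by the spec
LIBRARY_EXTENSIONS = (".dll", ".cpl", ".tmp")  # .tmp: Stuxnet's ~WTRxxxx.tmp droppers

def _unpack(fmt, data, pos):  # unpack_from with a clean error on truncated input
    if pos + struct.calcsize(fmt) > len(data):
        raise ValueError("truncated shell link")
    return struct.unpack_from(fmt, data, pos)[0]

def build_lnk(items, flags, strings=None):  # minimal link: header, IDList, StringData
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID.bytes_le
    header += struct.pack("<IIQQQIIIHHII", flags | IS_UNICODE, 0x20,  # flags, attributes,
                          0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # times, size, icon, show, hotkey, reserved
    body = b""
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist = b"".join(struct.pack("<H", len(d) + 2) + d for d in items)
        idlist += b"\x00\x00"  # TerminalID
        body += struct.pack("<H", len(idlist)) + idlist
    for flag, name in STRING_DATA_ORDER:
        if flags & flag:
            text = (strings or {})[name]
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + body

def parse_lnk(data):  # -> flags, raw IDList items, StringData; ValueError if malformed
    if _unpack("<I", data, 0) != LNK_HEADER_SIZE or data[4:20] != LNK_CLSID.bytes_le:
        raise ValueError("not a shell link")
    flags = _unpack("<I", data, 20)
    pos, items, strings = LNK_HEADER_SIZE, [], {}
    if flags & HAS_LINK_TARGET_ID_LIST:
        end = pos + 2 + _unpack("<H", data, pos)
        pos += 2
        while pos + 2 <= end:
            item_size = _unpack("<H", data, pos)
            if item_size == 0:  # TerminalID
                break
            if item_size < 2 or pos + item_size > end:
                raise ValueError("malformed ItemID")
            items.append(data[pos + 2:pos + item_size])
            pos += item_size
        pos = end
    if flags & HAS_LINK_INFO:  # LinkInfo starts with its own total size
        pos += _unpack("<I", data, pos)
    for flag, name in STRING_DATA_ORDER:  # CountCharacters, then the characters
        if flags & flag:
            count, width = _unpack("<H", data, pos), (2 if flags & IS_UNICODE else 1)
            raw = data[pos + 2:pos + 2 + count * width]
            strings[name] = raw.decode("utf-16-le" if width == 2 else "latin-1")
            pos += 2 + count * width
    return {"flags": flags, "items": items, "strings": strings}

def library_path_in(item):  # UTF-16LE path ending in a library extension, any alignment
    for start in (0, 1):
        for part in item[start:].decode("utf-16-le", "ignore").split("\x00"):
            path = "".join(ch for ch in part if " " <= ch < "\x7f")  # drop binary junk
            if path.lower().endswith(LIBRARY_EXTENSIONS):
                return path
    return None

def triage(data):  # verdict plus the evidence it rests on
    link = parse_lnk(data)
    cpl_folder = any(CLSID_CONTROL_PANEL.bytes_le in it for it in link["items"])
    library_paths = [p for p in map(library_path_in, link["items"]) if p]
    if cpl_folder and library_paths:  # Test A: the shell loads it while drawing the icon
        return {"verdict": "cve-2010-2568-icon-load",
                "evidence": ["Control Panel folder CLSID in IDList",
                             "library path in IDList: " + library_paths[0]]}
    target = " ".join(link["strings"].get(k, "")
                      for k in ("relative_path", "arguments")).strip()
    low = target.lower()
    if "rundll32" in low and any(ext in low for ext in LIBRARY_EXTENSIONS):  # Test B
        return {"verdict": "rundll32-launch", "evidence": ["target: " + target]}
    return {"verdict": "clean", "evidence": []}

# Constructed samples (not real malware); the item bytes are simplified shapes.
TEST_A = build_lnk(
    [b"\x1f\x50" + CLSID_MY_COMPUTER.bytes_le,  # root: My Computer
     b"\x2e\x00" + CLSID_CONTROL_PANEL.bytes_le,  # Control Panel folder
     b"\x00\x00\x00\x00" + "E:\\dll.dll".encode("utf-16-le") + b"\x00\x00"],
    HAS_LINK_TARGET_ID_LIST)
TEST_B = build_lnk([], HAS_RELATIVE_PATH | HAS_ARGUMENTS, {
    "relative_path": "..\\..\\Windows\\System32\\rundll32.exe", "arguments": "C:\\dll.dll,EntryPoint"})
BENIGN = build_lnk([b"\x1f\x50" + CLSID_MY_COMPUTER.bytes_le, b"\x31\x00notepad.exe\x00"],
                   HAS_LINK_TARGET_ID_LIST | HAS_ICON_LOCATION,
                   {"icon_location": "%SystemRoot%\\system32\\shell32.dll"})
VERDICTS = {name: triage(blob)["verdict"]  # run stand-alone to see the three verdicts
            for name, blob in (("Test A", TEST_A), ("Test B", TEST_B), ("benign", BENIGN))}
print(VERDICTS)
```

Feed the bytes of each .lnk found on a share or USB stick to triage(). A cve-2010-2568-icon-load hit should be quarantined without ever being browsed in Explorer, since the load happens when the icon is drawn. A rundll32-launch hit is only as dangerous as the user's right to execute the named DLL, which is exactly what SRP or a non-admin account takes away.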

Post by ssj100 on 30/7/2010, 05:15

Not sure what to make of the Hitman Pro exploit protection tool against this POC:

A: BLOCKED?

B: BYPASSED
I'd assume that given the debugger failed to display what the DLL intended, this would be a block for Test A (although what is displayed is intriguing). However, like all previous protection tools, it fails Test B.


Post by ssj100 on 30/7/2010, 11:27

Oh, and "CloneRanger" (I'm pretty sure you read this thread, as I see you directly and indirectly referencing it from time to time on Wilders), I'm going to reply here from now on, instead of Didier Stevens' blog - comments don't seem to be going through anymore:
http://blog.didierstevens.com/2010/07/18/mitigating-lnk-exploitation-with-ariad/

You write:
@ssj100

I see why you’re hung up over the rundll32.exe thingy !

I’m more concerned that UNLESS dll.dll is FIRST copied to C:\ NEITHER A or B test exploit works.

My reply was along the lines of:
This is true for the POC, but you wouldn't need to FIRST copy anything on to a USB device. If you plugged in an infected USB device that already had the infection (that is, already had something like "dll.dll" on it), simply browsing the USB contents would potentially destroy your computer. And blocking "rundll32.exe" would do absolutely nothing.

Regardless, the equivalent of "dll.dll" can potentially be downloaded and written fairly easily into C:\ (or wherever) by a malicious process.

You also wrote the following at one stage:
The best way i've found to stop this dead, is to have run32.dll set to prompt

This is not the best way at all, and in fact does absolutely nothing against the original exploit method (Test A).


Post by fsr on 30/7/2010, 17:22

Thank you for your time, dunno about Hitman Pro but the POC seems accurate. Hope they fix this soon, this is quite confusing.



Avira released updated heuristics to detect malicious .lnk files. They are detected as EXP/CVE-2010-2568.A and EXP/CVE-2010-2568.B, respectively. Avira antimalware products thus protect against this threat without needing special virus definition file updates for every new .lnk exploit.

http://techblog.avira.com/2010/07/20/apply-workaround-for-windows-zero-day-flaw/en/


Post by Sadeghi85 on 30/7/2010, 18:00

After installing Hitman Pro I get this if I double click the lnk file:


Interesting...


Post by Sadeghi85 on 30/7/2010, 18:49

The previous snapshot was taken in Standard account + SRP (Test B), this one is for the Admin account(Test A):



Post by Tranquility on 31/7/2010, 00:15

The patch from Microsoft comes on Monday.


Post by ssj100 on 31/7/2010, 05:55

Tranquility wrote:The patch from Microsoft comes on Monday.

Source? Sounds like good work from Microsoft anyway - releasing updates ahead of schedule, which is what we'd expect with this type of vulnerability.


Post by ssj100 on 31/7/2010, 08:15


Thanks, that was what I was after.


Post by Ruhe on 31/7/2010, 19:25


Post by languy99 on 2/8/2010, 23:31

patch is out right now, everyone should update.

Post by ssj100 on 4/8/2010, 12:25

Just a note that I couldn't find a way to configure Faronics Anti-Executable version 3 to block Test A of this exploit. This is bizarre, considering version 2 was easily configured to block it. Someone might want to tell Faronics about this, particularly if you're personally using version 3.


Post by DarthTrader on 4/8/2010, 16:30

Warning from Siemens:
http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&objid=43876783&caller=view

Product Information dated August 03, 2010:

Important note on the Microsoft Patch

The Microsoft patch only prevents the trojan from being installed on the system automatically. If a user with admin rights (Microsoft patch installed) opens an infected LNK file by mouse click, the computer will be infected, if no virus scanner has been installed. In order to avoid such an infection it is strongly recommended that users only work with power user rights. Power users don't have the necessary rights to start code from another drive. The use of an up-to-date virus scanner gives additional security.


Post by ssj100 on 4/8/2010, 16:38

Thanks DarthTrader. Presumably this is infection via "Method B":
http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1303

B: "rundll32.exe" method (manually executing the shortcut)


Post by DarthTrader on 4/8/2010, 16:50

I suppose so. Too bad I only have XP Home so no SRP. Power user looks like a good option.

I wonder if the old Comodo Memory Firewall would block this exploit?

DarthTrader

Post by ssj100 on 4/8/2010, 16:55

DarthTrader wrote:I suppose so. Too bad I only have XP Home so no SRP. Power user looks like a good option.

I wonder if the old Comodo Memory Firewall would block this exploit?

DarthTrader

There are numerous ways to block this exploit, even without patching. This is what this thread has been about too right mate? Check out the products that I've noticed specifically released new versions to address this exploit:
http://ssj100.fullsubject.com/security-f7/lnk-vulnerability-poc-re-test-t206.htm#1435

I don't think Comodo Memory Firewall would do anything against this, as it's not a buffer overflow exploit. Furthermore, CIS has Comodo Memory Firewall built into it - CIS failed in default configuration.


Post by DarthTrader on 4/8/2010, 17:05

ssj100 wrote:There are numerous ways to block this exploit, even without patching. This is what this thread has been about too right mate? Check out the products that I've noticed specifically released new versions to address this exploit:
http://ssj100.fullsubject.com/security-f7/lnk-vulnerability-poc-re-test-t206.htm#1435
SRP is the most elegant and least expensive solution.

ssj100 wrote:I don't think Comodo Memory Firewall would do anything against this, as it's not a buffer overflow exploit. Furthermore, CIS has Comodo Memory Firewall built into it - CIS failed in default configuration.
Good point

Post by Sadeghi85 on 4/8/2010, 18:54

DarthTrader wrote:Too bad I only have XP Home so no SRP.

DarthTrader

I think you can have SRP via Sully's PGS.

Wilders thread: http://www.wilderssecurity.com/showthread.php?t=244265


Post by DarthTrader on 4/8/2010, 19:21

Thank you, Sadeghi85, that looks interesting.

Post by Guest on 5/8/2010, 04:50

Is Windows 2000 vulnerable? I know it is no longer supported, but...?
