LNK vulnerability POC re-test



Post by ssj100 on 24/7/2010, 03:58

Original thread here:
http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1303

I'm going to be posting results of updated security software against this POC vulnerability. In all cases that I am aware of so far, there has been specific re-programming for each software to combat this vulnerability. In other words, the software was unable to block it on day zero (in default configuration).

1. Blue Point Security 2010 1.0.35.99:
A: BLOCKED
B: BLOCKED
This time, Blue Point Security successfully blocks the exploit on both accounts.


2. DefenseWall 3.05:
A: BLOCKED
B: BLOCKED
This time, DefenseWall (appears to) successfully block the exploit on both accounts. However, I can't seem to find any evidence of what exactly is blocked when I go through DefenseWall's Events Log (which is a little strange). It also seems like DefenseWall doesn't actually block Test B in the same way other programs do - instead, DefenseWall appears to somehow prevent this specific LNK file from being able to run in the first place (or from being at all functional) - it doesn't appear to block the DLL file loading/running (in fact, I don't think the DLL file even gets a chance to load). I may do some testing later with Malware Defender to see what exactly DefenseWall is doing (of course, this might be fruitless, as Ilya may have implemented a kernel level change/block that Malware Defender will miss).

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)
ssj100
Administrator

Posts : 1389
Join date : 2010-04-14


Re: LNK vulnerability POC re-test

Post by Ruhe on 27/7/2010, 17:22

Summary of applications that were able to block it (A + B) already on day zero:

- Faronics Anti-Executable 2
- Sandboxie 3.46 (contained)
- GeSWall 2.9 Professional
- Returnil System Safe 2011 RC

- SRP
Ruhe
Valued Member

Posts : 261
Join date : 2010-04-16
Location : Germany
