Page 3 of 3 FirstFirst 123
Results 21 to 28 of 28

Thread: Windows LNK Vulnerability.

  1. #21
    HYBR|D
    Guest
    ugh since when did this .lnk start needing an .exe ?

  2. #22
    AOs Resident Troll
    Join Date
    Nov 2003
    Posts
    3,152
    Most attacks first use an application or OS vulnerability to gain access to the machine....then upload the exe and\or other crap....thats my understanding anyway.

    I have seen alot of infections lately where machines are becoming infected through the browsers because of plugins....acrobat reader and flash and all the other shite.....

    MLF
    How people treat you is their karma- how you react is yours-Wayne Dyer

  3. #23
    HYBR|D
    Guest
    Agree somewhat, but from the "Poc's" i've seen played with over the time of this thread it's just been via .js etc

    the person visits the site with the <script> </ script> tags and the site then places a "Desktop Shortcut" ie somesite.Lnk onto the desktop. The victim then double clicks loads up the browser and then .js throws the malware onto the machine once the script has run behind the scene's.

    any1 got an example of a malformed .Lnk pulling an .exe once loaded??? I would be very keen to take a look.

    sorry if i'm making little or no sense, had a few to drink and only planed to reply to an e-mail but spotted a new reply and figured heeey why not.

  4. #24
    Senior Member SnugglesTheBear's Avatar
    Join Date
    Jun 2010
    Posts
    133
    Quote Originally Posted by HYBR|D View Post
    Agree somewhat, but from the "Poc's" i've seen played with over the time of this thread it's just been via .js etc

    the person visits the site with the <script> </ script> tags and the site then places a "Desktop Shortcut" ie somesite.Lnk onto the desktop. The victim then double clicks loads up the browser and then .js throws the malware onto the machine once the script has run behind the scene's.
    you don't need to double click the .lnk, simply viewing it executes the code crafted in it.

    Quote Originally Posted by HYBR|D View Post
    any1 got an example of a malformed .Lnk pulling an .exe once loaded??? I would be very keen to take a look.
    I think the stuxnet/Win32, the one that targeted the power plants not the less elegant version that is flying around, uploads a system driver called jmidebs.sys and some .exes. The other clunkier strain probably has some payload of .exes. You can probably find the binaries floating around some security researcher's blog >.<

  5. #25
    Senior Member gore's Avatar
    Join Date
    Oct 2002
    Location
    Michigan
    Posts
    7,177
    Quote Originally Posted by The-Spec View Post
    Its still dog doo-doo when it comes to permissions though. Your allowed to read, execute, and write (but not modify) almost anything you want as nobody. Under a guest account in windows your not given write access to anything at all.
    OK, did you mean this is as in "Over the network" log ins? Or physically sitting? There's a bit of a difference there, because The "Guest Account" on Windows may not allow that, but what I was saying about clicking cancel and it working, you don't really need an account at all. And over a Network, who'd allow log ins for the Nobody account? The reason user Nobody can do anything is that it's how you start all the forks and things for Apache. You need to allow that account to write to SOME things, otherwise it wouldn't work right.

    Also, I think you're missing the fun that can be had by doing this:

    chsh nobody /bin/rm

    "chsh" doesn't actually require that the Shell you change for a user, be an actual Shell. That's how those admins write those little interfaces where everything when a user logs in, shows up in one of those custom menus. They couldn't do that if it HAD to be an actual shell. So technically, you could change the nobody account to have a command for a log in shell, and on top of that.... Between Linux and BSD, I know user nobody doesn't get to have actual log ins on MY machines. And in BSD I think it's by default user nobody can't log in.

    This stuff is just as easy to change as "Turn of Automatic Log in" would be in Windows so it's not like it's any more of an issue. Besides, I've never seen someone actually use the nobody account to try much of anything since it doesn't have access to much. And of course you COULD put that thing in a Sandbox or a Jail.

  6. #26
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188

    Possible Solution?

    Sophos have a free tool that is supposed to temporarily fix this issue?

    http://www.sophos.com/security/topic/shortcut.html

    WARNING:

    I have yet to personally test this, so take the usual precautions

  7. #27
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    Quote Originally Posted by nihil View Post
    Sophos have a free tool that is supposed to temporarily fix this issue?

    http://www.sophos.com/security/topic/shortcut.html

    WARNING:

    I have yet to personally test this, so take the usual precautions
    From the Internet Storm Center:

    Update 1: This tool currently only protects against LNK files and does not protect against PIF based exploits. It also does not protect against LNK files or targets stored on the local disk. Thanks to ISC reader Gerrit for the additional information.
    Cheers
    DjM

  8. #28
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    Location
    SW MO
    Posts
    1,187
    Looks like MS is issuing an out of band patch. Though they aren't saying specifically what vulnerability it addresses.

    http://threatpost.com/en_us/blogs/mi...ws-flaw-073110

    Microsoft will issue an out-of-band patch on Monday for a critical vulnerability in all of the current versions of Windows. The company didn't identify which flaw it will be patching, but the description of the vulnerability is a close match to the LNK flaw that attackers have been exploiting for several weeks now, most notably with the Stuxnet Malware.
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"

    -HST

Similar Threads

  1. Whats a good stable OS?
    By s3nate in forum Operating Systems
    Replies: 25
    Last Post: July 20th, 2004, 10:32 AM
  2. Usefull Windows XP, 2k, NT, and 9x tips and tweaks
    By Cybr1d in forum Miscellaneous Security Discussions
    Replies: 11
    Last Post: June 10th, 2004, 12:09 AM
  3. Windows Tweaks II
    By DeadAddict in forum Other Tutorials Forum
    Replies: 3
    Last Post: November 18th, 2003, 01:20 PM
  4. Operating System Selection
    By TheFiend in forum Miscellaneous Security Discussions
    Replies: 30
    Last Post: June 14th, 2003, 11:08 PM
  5. MS 1st critical update of 2003
    By qwerty_smith in forum Microsoft Security Discussions
    Replies: 1
    Last Post: February 5th, 2003, 09:41 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •