Discussion in 'malware problems & news' started by sergey ulasen, Jul 12, 2010.

Thread Status:
Not open for further replies.
  1. EraserHW

    EraserHW Malware Expert

    I had some free time so I published on my personal blog and on my personal youtube channel a video of the exploit I've built with my own dll

    Last edited by a moderator: Jul 19, 2010
  2. Meriadoc

    Meriadoc Registered Member

    I know Frank is a member, and so am I, so if he doesn't see this and upload it, I will.

    Last edited by a moderator: Jul 19, 2010
  3. Rmus

    Rmus Exploit Analyst

    Raises Threat Level For LNK Vulnerability

    Preempting a Major Issue Due to the LNK Vulnerability - Raising Infocon to Yellow

    Reference to "the issue is not easy to fix until Microsoft issues a patch" is, of course, to the mitigating tweaks recommended by Microsoft in its Advisory.

    Much easier, safer protection measures have already been discussed in this thread.

  4. Dark Star 72

    Dark Star 72 Registered Member

    Some tests here with the POC by our old *friend* :doubt: SSJ100:


    and Ilya's reply to the DefenseWall test

    Notice the result for the newly released Returnil System Safe 2011 RC :thumb:
    Last edited by a moderator: Jul 19, 2010
  5. Rmus

    Rmus Exploit Analyst

    Re: Raises Threat Level For LNK Vulnerability


  6. CloneRanger

    CloneRanger Registered Member

    Quotes from Sans

    Explains maybe why the POC didn't work for me ?

    The POC still didn't work from my desktop ?

    Ahh, could be why ?


    Originally Posted by i_g

    F-secure said this

    So ?


    Sorry to say, even in HD mode I found it hard to view exactly what was happening :( Any chance you could give us a brief description? TIA

    @Dark Star 72

    Thanks for the links :thumb:

    I didn't know ssj100 had branched out on his own :D

    Good news about Returnil System Safe 2011 RC :thumb:


    Thanks for the updates :thumb:
  7. aigle

    aigle Registered Member

    Thanks, very nice testing indeed.
    Just two things I will mention:
    1. Regarding CIS, it can be configured to intercept it.
    Post no. 125 of this thread.
    2. PE Guard seems to intercept it. Post no. 108 of this thread.
  8. aigle

    aigle Registered Member

    Blog link, please? Also, can the POC be shared?
  9. EraserHW

    EraserHW Malware Expert

    My personal blog is in Italian and it's located here:

    Anyway, I've written a similar blog post on the Prevx blog at this address (this time in English):

    About the POC: I wouldn't share the sample outside the company at the moment, even though there's already a known PoC out there (personally I'd not have shared the PoC online; this allows attackers to better exploit the flaw. Anyway, I saw someone else already did it). I'm sorry :( Anyway, for any question, I'm here :)

    Actually, as I've written in the blog post, I think Microsoft will have some trouble fixing this flaw, because it is not a bug - it's a feature used inside Windows internals.
    Last edited: Jul 19, 2010
  10. EraserHW

    EraserHW Malware Expert

    Sorry man :( I tried to do my best to record a good video :(

    Actually, the video just shows how the exploit is working. I've written a PoC exploit from scratch and showed how a fake malicious DLL is loaded as soon as the system starts rendering the icon.
  11. ronjor

    ronjor Global Moderator

  12. CloneRanger

    CloneRanger Registered Member

    Right at the bottom of here - - is this FIX :thumb:

  13. CloneRanger

    CloneRanger Registered Member


    Thanks for your blog post link on this exploit POC :thumb:


    Re video issue

    This is just an example of part of the fullscreen HD video as it appears on my comp. Looks blurry to me.


    See how it compares to your comp; could be just at my end?


    @Ronjor :thumb:

    The plot thickens !

  14. MrBrian

    MrBrian Registered Member

  15. Rmus

    Rmus Exploit Analyst

    Hi MrBrian,

    Do you have any idea what he's referring to in that Diary? (webDAV and how it relates to the exploit?)


  16. CloneRanger

    CloneRanger Registered Member

    @MrBrian Good find :thumb:


    Re - WebDAV

    Appears to be these sorts of OSes that are vulnerable: business types and not domestic comps, etc.

    Microsoft Windows 2000

    Windows XP Professional

    Windows Server

    So I'm OK on XP/SP2 by the looks of things. The .lnk POC didn't work anyway when I tested it, so?
  17. Rmus

    Rmus Exploit Analyst

    This is why I don't like PoCs - they often aren't a good indication of how a real exploit in the wild will work on various systems.

    Even two different systems with the same OS version, etc, can react differently to a real exploit.

  18. MrBrian

    MrBrian Registered Member

    From the Microsoft advisory Workarounds section:
    Use of WebDAV is another means of infection and propagation for the .LNK vulnerability.
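    A defender's triage helper for the two points raised above (a DLL loaded while the shell renders a shortcut's icon, and WebDAV shares as a propagation path), added here as an example and not code from any poster, vendor or advisory. It parses the fixed ShellLinkHeader and StringData fields of the documented MS-SHLLINK format; the flagging heuristic, the `SYSTEM_PREFIXES` list and the constructed sample bytes are assumptions, not the real exploit's layout, which this thread does not describe.

```python
import struct

# LinkFlags bits (ShellLinkHeader offset 0x14) and StringData order from MS-SHLLINK
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = [(HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location")]
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-0000-0000-C000-000000000046
SYSTEM_PREFIXES = ("%systemroot%", "%windir%", "c:\\windows\\")  # assumed "trusted" icon locations

def parse_lnk(data: bytes) -> dict:
    """Read the header, skip LinkTargetIDList/LinkInfo, decode the StringData fields."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C:
        raise ValueError("not a shell link: bad HeaderSize")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = 0x4C
    if flags & HAS_ID_LIST:                  # IDListSize (2 bytes) precedes the list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {"flags": flags}
    for bit, name in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # characters, not bytes
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        fields[name] = data[pos:pos + count * width].decode("utf-16-le" if width == 2 else "cp1252")
        pos += count * width
    return fields

def suspicious_reasons(fields: dict) -> list:
    """Triage heuristic (assumed): flag network paths and .dll/.cpl references outside the Windows dir."""
    reasons = []
    for key in ("relative_path", "icon_location"):
        low = fields.get(key, "").lower()
        if low.startswith("\\\\"):
            reasons.append(f"{key} is a UNC path (also how WebDAV shares are reached): {low}")
        if low.endswith((".dll", ".cpl")) and not low.startswith(SYSTEM_PREFIXES):
            reasons.append(f"{key} references a module outside the system directory: {low}")
    return reasons

def build_sample(icon_location: str, rel_path: str = "", with_idlist: bool = False) -> bytes:
    """Constructed test shortcut (not a captured sample): header, optional empty IDList, StringData."""
    flags = IS_UNICODE | HAS_ICON | (HAS_REL_PATH if rel_path else 0) | (HAS_ID_LIST if with_idlist else 0)
    header = struct.pack("<I", 0x4C) + LINK_CLSID + struct.pack("<I", flags) + b"\x00" * 52
    idlist = struct.pack("<H", 2) + b"\x00\x00" if with_idlist else b""   # only the TerminalID
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                       for s in ([rel_path] if rel_path else []) + [icon_location])
    return header + idlist + strings
```

Run over the .lnk files on a removable drive or a WebDAV share, the same parser gives you the icon and target strings to review before the shell ever renders them.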
  19. Rmus

    Rmus Exploit Analyst

    Thanks - I looked up WebDAV but didn't connect it with the Advisory!

  20. CloneRanger

    CloneRanger Registered Member

    This might prove useful in .lnk analysis ?


    Found this which "could" have some bearing on the latest situation ?


    Originally Posted by Rmus

    Ain't that the truth! And how frustrating for the bad guys, and girls :D
  21. KptnKork

    KptnKork Registered Member

    Many thanks for your upload at offensivecomputing!
  22. ace55

    ace55 Registered Member

    Assuming I am correctly concluding that this exploit/feature allows code execution as explorer only, a better way to protect yourself from this exploit using CIS is to remove the default rule for explorer. As explorer is handling untrusted data (link shortcuts, possibly other exploitable aspects of files) it makes sense that manually restricting its actions would lend a security benefit.

    Doing so would not prevent the DLL loading, but would prevent any actions taken by the malware through the compromised instance of explorer, and thus prevent system compromise. However, the compromised instance of explorer could, although it cannot make itself persistent on the system, attempt to escape the restriction of CIS using a shatter attack or keylog you.

    Unless you want to terminate and restart explorer after plugging in any flash drives but before entering any sensitive information, there are better solutions to this particular problem: AppLocker comes to mind.
  23. MrBrian

    MrBrian Registered Member

  24. CloneRanger

    CloneRanger Registered Member


    Not quite :D But could have been ;)
  25. CloneRanger

    CloneRanger Registered Member

    Ronjor just posted this :thumb: -


    So it looks like, as I'm on XP/SP2, I'm not affected by this vulnerability/exploit :D No wonder it didn't work when I've tested it several times. Just goes to show, not updating to the latest patches etc. (SP3) "can" be a bonus :D Not recommending everyone does as I do though.

    In an earlier MS advisory, it mentioned mainly only business-type OSes that were vulnerable. So something must have changed in the malware samples out there for this latest revision?