Dubious security vulnerability: Code execution via LNK file

Raymond Chen


A security vulnerability report arrived that claimed to have achieved code execution via a shortcut (LNK) file. The report was somewhat convoluted, but it went something like this:

  1. Start with this pre-fabricated shortcut file.
  2. Copy it to a folder of your choosing.
  3. Edit the shortcut file in this very special way, substituting the full path to the shortcut file where specified.
  4. Double-click the shortcut file.
  5. Code execution is achieved!

If you can trick the user into double-clicking an arbitrary shortcut file of your choosing, then you don’t have to do all this weird special editing nonsense.

  1. Create a shortcut that runs pwnzor.exe directly from an Internet-accessible file share.
  2. Double-click the shortcut file.
  3. Code execution is achieved!

When phrased this way, it’s clear that the attack is really a social engineering attack: If you can convince a user to do anything you tell them to, then you can get them to do anything.

This in itself is not particularly interesting.

Upon closer inspection, what the finder was actually reporting was that they found a clever way to make a file both a legal LNK file and a legal script file. The “Edit the shortcut file in this very special way” was setting things up so that the LNK file could feed itself to the script engine.

This was an interesting discovery, the ability to polyglot a LNK file with a script file. But it’s not a security vulnerability. It’s just a curiosity.

Because you still have to convince the user to run it.
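The "legal LNK file and legal script file" trick above works because the shell link parser stops reading once it reaches the structure's terminal block, so anything appended after it is ignored by Explorer but still visible to whatever else opens the file. The following Python is an added example (not from the original post and not Microsoft code) of how a defender or incident responder can walk the documented MS-SHLLINK layout far enough to find where the link structure ends, report how many bytes trail it, and flag a shortcut whose own string fields refer to a .lnk path. The header size, CLSID and LinkFlags bits are from the public specification; `build_sample_lnk` is a hypothetical helper that constructs a minimal shortcut purely as test input, and the `.lnk`-in-arguments check is a heuristic assumption drawn from the report's "substituting the full path to the shortcut file" step.

```python
import struct

LNK_HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-...-000000000046}

# LinkFlags bits (MS-SHLLINK section 2.1.1); only the ones that change the layout are needed
HAS_LINK_TARGET_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

# StringData sections appear in this fixed order, each only if its flag is set
STRING_DATA_FLAGS = [
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
]


def parse_lnk(data: bytes) -> dict:
    """Walk a shell link far enough to locate its end; return strings and trailing byte count."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short to be a shell link")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    pos = LNK_HEADER_SIZE
    # LinkTargetIDList: u16 IDListSize followed by that many bytes of item IDs
    if flags & HAS_LINK_TARGET_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, pos)
        pos += 2 + idlist_size
    # LinkInfo: its first u32 is the size of the whole LinkInfo structure
    if flags & HAS_LINK_INFO:
        (info_size,) = struct.unpack_from("<I", data, pos)
        pos += info_size
    # StringData: u16 CountCharacters (characters, not bytes) then the string itself
    strings = {}
    for name, bit in STRING_DATA_FLAGS:
        if flags & bit:
            (count,) = struct.unpack_from("<H", data, pos)
            pos += 2
            if flags & IS_UNICODE:
                strings[name] = data[pos:pos + 2 * count].decode("utf-16-le")
                pos += 2 * count
            else:
                strings[name] = data[pos:pos + count].decode("latin-1")
                pos += count
    # ExtraData: a chain of blocks, each starting with u32 BlockSize; a size below 4 is the terminal block
    while pos + 4 <= len(data):
        (block_size,) = struct.unpack_from("<I", data, pos)
        if block_size < 4:
            pos += 4
            break
        pos += block_size
    if pos > len(data):
        raise ValueError("truncated shell link structure")
    return {
        "flags": flags,
        "strings": strings,
        "structure_end": pos,
        "trailing_bytes": len(data) - pos,
    }


def triage(data: bytes) -> dict:
    """Apply two simple heuristics: data after the terminal block, and self-referencing .lnk paths."""
    info = parse_lnk(data)
    findings = []
    if info["trailing_bytes"] > 0:
        findings.append(f"{info['trailing_bytes']} bytes follow the terminal block")
    for field, value in info["strings"].items():
        if ".lnk" in value.lower():  # heuristic assumption: a shortcut pointing at a shortcut
            findings.append(f"{field} refers to a .lnk path: {value!r}")
    return {"suspicious": bool(findings), "findings": findings, "info": info}


def build_sample_lnk(arguments: str, trailing: bytes = b"") -> bytes:
    """Hypothetical helper: construct a minimal shortcut (header + arguments + terminal block) as test input."""
    flags = HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, flags)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))  # remaining header fields left zero
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    terminal_block = struct.pack("<I", 0)
    return header + string_data + terminal_block + trailing


if __name__ == "__main__":
    clean = build_sample_lnk("--help")  # constructed sample with nothing after the structure
    odd = build_sample_lnk("C:\\Users\\Public\\demo.lnk", b"rem constructed trailing text\r\n")
    for label, blob in (("clean", clean), ("odd", odd)):
        print(label, triage(blob)["findings"])
```

Run it as a script for the two constructed samples, or import it and point `triage` at real shortcut files gathered from a user's desktop or an e-mail quarantine. The parser deliberately stops at the documented terminal block rather than trying to interpret the trailing bytes: the point for triage is only that there is something after the structure that Explorer never looks at, which is exactly what makes a polyglot possible and what a plain "is this a valid LNK" check will miss.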


Jesse Docken 2019-04-03 08:15:26
While this is entirely true, dismissing the issue entirely seems dubious on its own. If a feature has a specification or contract dictating what its behavior is and how it's intended to work, and the feature can be used in such a way that it enables behavior outside of that contract, that's most certainly a concern. Perhaps not a security vulnerability, no, but it is a sign that the implementation has weaknesses and could either function well as a means for distributing a security vulnerability, hiding malware, or may contain an actual security vulnerability.
gumpyx gus 2019-04-03 09:12:20
Many places I've worked at the IT guys set up your computer so it has N links on your desktop to go to Contoso Lotus Notes, Contoso TimeSheet Manager, Contoso HR Probation Manager, Contoso HR Videos, shortcuts to "Network Shares" that are located in Beumon Texas and never respond, etc, etc, etc. After a few weeks of using those you get conditioned to "the IT guys add and delete desktop Icons and they all are useful and secure-appearing". A new pretty Icon with no .exe in the legend, that might be prone to be very clickable by the average user. Just sayin'
F X 2019-04-03 15:32:09
I'm deeply unclear whether the comments are disagreeing that this is a social engineering attack and not a security boundary violation, or if they believe Microsoft should be in the business of preventing anyone from doing anything interesting if it could ever possibly result in social engineering.
Pierre Baillargeon 2019-04-04 12:30:27
The real vulnerability here is: 1. Give long instructions. 2. Reader gives up reading your instructions and just clicks the link. 3. Pwned. It's a vulnerability widely exploited by lawyers. They write interminable and incomprehensible license agreements. You don't read them because they're too convoluted. You agree to anything they say.