Dubious security vulnerability: Code execution via LNK file

Raymond Chen

Raymond

A security vulnerability report arrived that claimed to have achieved code execution via a shortcut (LNK) file. The report was somewhat convoluted, but it went something like this:

  1. Start with this pre-fabricated shortcut file.
  2. Copy it to a folder of your choosing.
  3. Edit the shortcut file in this very special way, substituting the full path to the shortcut file where specified.
  4. Double-click the shortcut file.
  5. Code execution is achieved!

If you can trick the user into double-clicking an arbitrary shortcut file of your choosing, then you don’t have to do all this weird special editing nonsense.

  1. Create a shortcut that runs pwnzor.exe directly from an Internet-accessible file share.
  2. Double-click the shortcut file.
  3. Code execution is achieved!

When phrased this way, it’s clear that the attack is really a social engineering attack: If you can convince a user to do anything you tell them to, then you can get them to do anything.

This in itself is not particularly interesting.

Upon closer inspection, what the finder was actually reporting was that they found a clever way to make a file both a legal LNK file and a legal script file. The “Edit the shortcut file in this very special way” was setting things up so that the LNK file could feed itself to the script engine.

This was an interesting discovery, the ability to polyglot a LNK file with a script file. But it’s not a security vulnerability. It’s just a curiosity.

Because you still have to convince the user to run it.

Raymond Chen
Raymond Chen

Follow Raymond   

11 comments

Comments are closed.

  • Avatar
    MNGoldenEagle

    While this is entirely true, dismissing the issue entirely seems dubious on its own.  If a feature has a specification or contract dictating what its behavior is and how it’s intended to work, and the feature can be used in such a way that it enables behavior outside of that contract, that’s most certainly a concern.  Perhaps not a security vulnerability, no, but it is a sign that the implementation has weaknesses and could either function well as a means for distributing a security vulnerability, hiding malware, or may contain an actual security vulnerability.

    • Raymond Chen
      Raymond Chen

      This is nothing about using the feature in a manner it wasn’t intended. This is like saying “I found an exploit in the C compiler. I found a way to compile this shell script!” What you found is a polyglot, which is a curiosity but not a security vulnerability. The extra tweak is to make the program, when run, re-launch itself as a shell script. Which is a neat trick, but that’s about it.

      • Avatar
        MNGoldenEagle

        Making a compiler compile a file that contains features of multiple languages is one thing.  The compiler is behaving according to the contract and the file complies with that contract (and coincidentally complies with another contract).  The way you’re describing this, though, is that the Shell is opening the LNK file and executing arbitrary code as a script.  That sounds like something well outside of the contract and scope for how the Shell should be interpreting a LNK file.
        Now if it’s actually just that the LNK file is crafted in such a way that the Shell reads it, sees enough to say “oh, I’ll run the script engine and feed it the LNK file as a parameter”, and then the script engine sees the LNK file and says “oh, this is a valid script, better run it”, then yes, that’s definitely a neat trick, so long as it’s perfectly acceptable for LNK files to contain extra content that the Shell doesn’t recognize.  It’s hard to tell from the post if that was the case.

        • Raymond Chen
          Raymond Chen

          It’s the latter. It’s a perfectly valid LNK file that says “I am a shortcut to this script,” where the path to the script is… the link file itself. The manual editing of the LNK file is in order to patch in the path to itself. The script is embedded in a place that the LNK file parser doesn’t care about when executing the link. I forget where, but for the sake of discussion, let’s say it was embedded inside the “Description” field. It’s just another polyglot: You put language 1 code inside a language 2 comment and vice versa.

  • gumpyx gus
    gumpyx gus

    Many places I’ve worked at the IT guys set up your computer so it has N links on your desktop to go to Contoso Lotus Notes, Contoso TimeSheet Manager,  Contoso HR Probation Manager, Contoso HR Videos, shortcuts to “Network Shares” that are located in Beumon Texas and never respond, etc, etc, etc.    After a few weeks of using those you get conditioned to “the IT guys add and delete desktop Icons and they all are useful and secure-appearing”.  A new pretty Icon with no .exe in the legend, that might be prone to be very clickable by the average user.  Just sayin’

    • Raymond Chen
      Raymond Chen

      If you have found a way to deploy shortcuts to other people’s desktops, then that is the interesting vulnerability. The shortcut itself doesn’t need to be one of these fancy polyglots. It could just be a shortcut to pwnz0r.exe. Because the vulnerability is in getting the shortcut onto the machine and convincing the user to launch it.

      • Avatar
        Brian B

        Where things get ugly is when:
        1) A user runs an application in user-mode and the application adds a camouflaged shortcut to the user’s desktop (the application could just as easily launch pwnzor.exe).
        2) The user launches the camouflaged short-cut, thinking it was added by IT (or added by the user, if it replaced an existing shortcut).  The user clicks “yes” on the UAC prompt.

        Mind you, it’s not Microsoft’s responsibility to block this sort of attack.

        • Avatar
          Ji Luo

          If the user could click “Yes” on UAC prompt, the user is already an administrator. Given that you can already bypass UAC by injecting bogus environment variable for disk cleanup, this isn’t a very interesting attack. For the best security, one should use LUAs instead.

  • Avatar
    F X

    I’m deeply unclear whether the comments are disagreeing that this is a social engineering attack and not a security boundary violation, or if they believe Microsoft should be in the business of preventing anyone from doing anything interesting if it could ever possibly result in a social engineering.

    • Avatar
      Brian B

      It turns out that both malware and users like to be able to muck with desktop shortcuts while in user mode.

  • Avatar
    Pierre Baillargeon

    The real vulnerability here is:
    1. Give long instructions.
    2. Reader gives up reading your instructions and just click the link.
    3. Pwned.
    It’s a vulnerability widely exploited by lawyers. They write interminable and incomprehensible license agreements. You don’t read it because it’s too convoluted. You agree to anything they say.