{"id":102381,"date":"2019-04-03T10:00:00","date_gmt":"2019-04-03T17:00:00","guid":{"rendered":"https:\/\/devblogs.microsoft.com\/oldnewthing\/?p=102381"},"modified":"2019-08-13T16:47:14","modified_gmt":"2019-08-13T23:47:14","slug":"20190403-00","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20190403-00\/?p=102381","title":{"rendered":"Dubious security vulnerability: Code execution via LNK file"},"content":{"rendered":"

A security vulnerability report arrived that claimed to have achieved code execution via a shortcut (LNK) file. The report was somewhat convoluted, but it went something like this:<\/p>\n

    \n
  1. Start with this pre-fabricated shortcut file.<\/li>\n
  2. Copy it to a folder of your choosing.<\/li>\n
  3. Edit the shortcut file in this very special way, substituting the full path to the shortcut file where specified.<\/li>\n
  4. Double-click the shortcut file.<\/li>\n
  5. Code execution is achieved!<\/li>\n<\/ol>\n

    If you can trick the user into double-clicking an arbitrary shortcut file of your choosing, then you don’t have to do all this weird special editing nonsense.<\/p>\n

      \n
    1. Create a shortcut that runs pwnzor.exe<\/code> directly from an Internet-accessible file share.<\/li>\n
    2. Double-click the shortcut file.<\/li>\n
    3. Code execution is achieved!<\/li>\n<\/ol>\n

      When phrased this way, it’s clear that the attack is really a social engineering attack: If you can convince a user to do anything you tell them to, then you can get them to do anything.<\/p>\n

      This in itself is not particularly interesting.<\/p>\n

      Upon closer inspection, what the finder was actually reporting was that they found a clever way to make a file both a legal LNK file and a legal script file. The “Edit the shortcut file in this very special way” was setting things up so that the LNK file could feed itself to the script engine.<\/p>\n

      This was an interesting discovery, the ability to polyglot<\/a> a LNK file with a script file. But it’s not a security vulnerability. It’s just a curiosity.<\/p>\n

      Because you still have to convince the user to run it.<\/p>\n","protected":false},"excerpt":{"rendered":"

      The hard part is getting them to execute it in the first place.<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-102381","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"

      The hard part is getting them to execute it in the first place.<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/102381","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=102381"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/102381\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=102381"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=102381"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=102381"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}