From: Microsoft Security Response Center (secure@MICROSOFT.COM)
Date: Wed Jun 27 2001 - 10:25:21 CDT



    Hi All -

    Microsoft worked with Matthew over the past several weeks to
    investigate this report, but we've been unable to reproduce the issue
    he describes. Matthew is right that it's possible to create an .exe
    file on a mapped share, then make a shortcut to it on the same share
    and map a hotkey such as F1 to the shortcut. All of this is expected
    behavior, and could only be done by a user with sufficient
    permissions on the share.

    The report goes on to say that once the .exe, shortcut and hotkey
    mapping have been created, the hotkey mapping would take precedence
    over any other program's use of the hotkey. So, for instance, if the
    attacker had created malware on the share and assigned it to F1, the
    reported effect would be to override all other uses of the F1 key,
    with the result that any user who mapped the share and subsequently
    hit the F1 key would cause the attacker's malware to run. If this
    were true, it would indeed be a security vulnerability. However, we
    have been unable to demonstrate any case in which this happens, even
    using sample code Matthew provided us.

    In every case we've tried, the system has worked as expected.
    Hotkey-mapped shortcuts should, by design, only take effect when they
    are in the Start folder (or a subfolder of it) or on the user's
    desktop. Even then, any program running on the machine should take
    precedence regarding the use of a hotkey -- so, for instance, if
    Excel had focus, its use of the F1 key should supersede any other
    usage of the key. This is exactly the behavior we've seen in our
    tests.

    If anyone in the NTBugTraq community can demonstrate a way to
    successfully carry out the attack described in the report, we'd be
    most interested in learning the details and following up. The best
    way to report the information would be either to contact Russ or to
    send the information directly to the Microsoft Security Response
    Center (secure@microsoft.com).

    Regards,

    Scott Culp
    Security Program Manager
    Microsoft Security Response Center

    - -----Original Message-----
    From: FileSystemObject (Matthew Murphy) [mailto:sjmurphy@SWBELL.NET]
    Sent: Friday, June 08, 2001 8:00 PM
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    Subject: Murphy Security Advisory #9, 2001 - .LNK Files and Windows
    Networking may Allow Executing Arbitrary Programs

    Now that it's going to Bugtraq, let's see how well M$ can ignore
    this, LOL.

    Murphy Security Advisory #9, 2001:

    .LNK Files and Windows Networking may Allow Executing Arbitrary
    Programs

    Systems Affected: All versions of Windows that support networking.

    Risk: Medium

    Symptoms: Hotkeys may not work properly.

    Consequences: Running code of an attacker's choice over a network.

    Workaround: Turn off write sharing to networked drives.

    Description:

        Windows .LNK files are used for quick access to programs that may
    be stored away on the hard drive. Part of this shortcut interface is
    the use of hotkeys, keys that when pressed (for example F10) run the
    .LNK file and whatever file it is linked to. The problem with this
    is three things. A) In Windows, .LNK files can run from any location
    upon the pressing of a hotkey. B) The user does not have to be the
    one to place the shortcut. C) .LNK files can link to programs not
    authorized by the user. So, if an attacker wished, he or she could
    place a *.LNK file on a network drive with a hotkey, such as F1
    (normally the help hotkey) and have it link to an unsigned *.EXE file
    on that same drive. So, when the new system admin logged in to the
    new drive, the next time they hit F1 for help, the .LNK file would
    automatically run, overriding the typical behavior of starting help,
    and launching the Executable. Now, the powerful file that was linked
    to by the .LNK has complete control of the system, resulting in the
    compromise of whatever privileges the user has. It was as if the
    user had directly clicked on the file. Another troublesome shortcut
    hotkey is ALT+F4, which normally closes windows.

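The check a practitioner would want after reading the two messages above is an inventory of which shortcuts on a share (or in the Start Menu and Desktop folders that Scott Culp says are the only places hotkeys take effect) actually carry a hotkey assignment. The scanner below is an added example and is not code from either message: it parses the fixed-size ShellLinkHeader of a .LNK file directly (per the MS-SHLLINK specification, the 2-byte HotKeyFlags field sits at offset 0x40, with the virtual key code in the low byte and SHIFT/CTRL/ALT modifier bits 0x01/0x02/0x04 in the high byte), so it runs from any OS that can read the share and needs no Windows API. The fixture files it writes (`help.lnk`, `close.lnk`, `plain.lnk`) are constructed header-only shortcuts for demonstration, not real shortcuts from any system.

```python
"""Find .LNK files under a directory (e.g. a mounted share) that have a hotkey
assigned, by parsing the ShellLinkHeader described in MS-SHLLINK.
Added example for this thread; not code from the advisory or from Microsoft."""
import os
import struct
import tempfile
from typing import Dict, Optional

# CLSID 00021401-0000-0000-C000-000000000046 as stored on disk (little-endian).
SHELL_LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HEADER_SIZE = 0x4C          # ShellLinkHeader is always 76 bytes
HOTKEY_OFFSET = 0x40        # 2-byte HotKeyFlags field inside the header

# Modifier bits in the high byte of HotKeyFlags (MS-SHLLINK 2.1.3).
MODIFIERS = {0x01: "SHIFT", 0x02: "CTRL", 0x04: "ALT"}


def vk_name(vk: int) -> str:
    """Readable name for a virtual key code: digits, letters, F1..F24."""
    if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:
        return chr(vk)
    if 0x70 <= vk <= 0x87:
        return f"F{vk - 0x70 + 1}"
    return f"VK_{vk:#04x}"


def parse_lnk_hotkey(data: bytes) -> Optional[str]:
    """Return the hotkey of a shell link as text ("F1", "ALT+F4"), or None
    when the bytes are not a shell link or no hotkey is assigned."""
    if len(data) < HEADER_SIZE:
        return None
    (header_size,) = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or data[4:20] != SHELL_LINK_CLSID:
        return None
    (hotkey,) = struct.unpack_from("<H", data, HOTKEY_OFFSET)
    if hotkey == 0:
        return None
    vk, mods = hotkey & 0xFF, hotkey >> 8
    parts = [name for bit, name in MODIFIERS.items() if mods & bit]
    parts.append(vk_name(vk))
    return "+".join(parts)


def scan_for_hotkeys(root: str) -> Dict[str, str]:
    """Map each .LNK under root that carries a hotkey to that hotkey."""
    found: Dict[str, str] = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                hk = parse_lnk_hotkey(fh.read(HEADER_SIZE))
            if hk:
                found[path] = hk
    return found


def build_lnk_header(hotkey: int) -> bytes:
    """Constructed fixture: a bare ShellLinkHeader with the given HotKeyFlags.
    Real shortcuts carry target/LinkInfo structures after the header; the
    scanner reads only the header, so this suffices to exercise it."""
    return struct.pack(
        "<I16sIIQQQIIIHHII",
        HEADER_SIZE, SHELL_LINK_CLSID,
        0, 0,            # LinkFlags, FileAttributes
        0, 0, 0,         # Creation/Access/Write FILETIMEs
        0, 0, 1,         # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
        hotkey, 0, 0, 0  # HotKeyFlags, Reserved1..3
    )


def demo() -> Dict[str, str]:
    """Write three constructed fixtures into a temp tree and scan it.
    File names are hypothetical."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "tools"))
        fixtures = {
            os.path.join("tools", "help.lnk"): 0x0070,  # F1, as in the advisory
            "close.lnk": 0x0473,                        # ALT+F4
            "plain.lnk": 0x0000,                        # no hotkey: must be skipped
        }
        for rel, hk in fixtures.items():
            with open(os.path.join(d, rel), "wb") as fh:
                fh.write(build_lnk_header(hk))
        return {os.path.relpath(p, d): hk for p, hk in scan_for_hotkeys(d).items()}


if __name__ == "__main__":
    for path, hk in sorted(demo().items()):
        print(f"{hk:12} {path}")
```

Point `scan_for_hotkeys` at a mounted share, a user's Desktop, or the Start Menu tree and any shortcut it reports is one whose hotkey a user could trigger; whether that hotkey ever fires from the share is exactly the question the two messages disagree on, and this lists the candidates rather than settling it.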