Security update corrects the way DLL files are handled

Mar 11, 2015 10:36 GMT

Microsoft's initial fix for the LNK parsing vulnerability, shipped in 2010, turned out to be incomplete. The flaw had been used for cyber-espionage purposes by the state-sponsored Equation group since at least 2008.

In August 2010, Microsoft issued a patch for CVE-2010-2568, a vulnerability that allows an attacker to gain a foothold on a targeted machine when the victim simply browses to a folder containing malformed shortcut (LNK) files; in the attacks seen at the time, a USB drive was the initial infection vector.

The security flaw came to light earlier that year, when security researchers at Belarusian antivirus company VirusBlokAda discovered Stuxnet, the malware created to target Siemens SIMATIC Step 7 or SIMATIC WinCC software used in industrial control systems (ICS).

Cyber-espionage activity relied on the weakness for years

Stuxnet has been attributed to the United States and Israel and was deployed against the uranium enrichment plant at Natanz, Iran.

In February this year, security researchers at Kaspersky found that the flaw had been exploited since at least 2008 to propagate a worm they dubbed Fanny, part of a much larger cyber-espionage operation conducted by a threat actor they named Equation (active since at least 2001).

It has recently emerged that a sample of the Fanny worm had been publicly available in a forum post published on July 13, 2010, a couple of days before news about Stuxnet started to attract wider attention online.

The flaw the threat actor leveraged lay in how Windows Explorer renders shortcut icons: an LNK file could point at a control panel item whose icon was supplied by a malicious DLL placed in the same directory. When the folder was opened in Windows Explorer, the shell loaded that DLL, running its code, merely to draw the shortcut's icon; the user never had to click the shortcut.

“The problem is that in Windows, icons are loaded from modules (either executables or dynamic link-libraries). In fact, .CPL files are actually DLLs. Because an attacker could define which executable module would be loaded, an attacker could use the .LNK file to execute arbitrary code inside of the Windows shell and do anything the current user could,” Dave Weinstein from HP’s Zero Day Initiative explained in a blog post on Tuesday.

In its current form, the exploit requires a malformed LNK file whose embedded module path is exactly 257 characters long and contains unescaped spaces.

Two files are also needed on disk: one whose name carries the unescaped spaces, which serves as a decoy to satisfy the file-existence check introduced by the 2010 fix, and one without them, which is the module Windows actually loads. In other words, the check and the load operate on different paths, and that mismatch is what lets the original fix be sidestepped.
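As an added example, and not code from the article, ZDI or Kaspersky, the following PowerShell triages a folder (a mounted USB stick, say) for the shortcut-plus-module pattern described above: shortcut files whose embedded strings name a .dll or .cpl, whether that module sits beside the shortcut, and whether the path reaches the 257-character length used by the bypass. The function names, the output fields, the use of 257 as a threshold and the constructed sample shortcut are this example's own assumptions. The scanner reads the shortcut bytes itself and never hands them to Explorer, so it is safe to run on an unpatched machine.

```powershell
# Added example, not code from the article, ZDI or Kaspersky: triage a folder for the
# shortcut-plus-module pattern. Function names, output fields and the 257-character
# "long path" threshold are this example's own choices.

# A ShellLinkHeader starts with HeaderSize 0x4C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046}, serialized little-endian.
$LnkMagic = [byte[]](0x4C,0,0,0, 0x01,0x14,0x02,0,0,0,0,0, 0xC0,0,0,0,0,0,0,0x46)

function Get-LnkModuleReferences {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,   # folder to scan, e.g. a mounted USB stick
        [int]$SuspiciousPathLength = 257       # path length used by the public CVE-2015-0096 bypass
    )

    Get-ChildItem -Path $Path -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        $file  = $_
        $bytes = [System.IO.File]::ReadAllBytes($file.FullName)
        if ($bytes.Length -lt $LnkMagic.Length) { return }
        for ($i = 0; $i -lt $LnkMagic.Length; $i++) {
            if ($bytes[$i] -ne $LnkMagic[$i]) { return }    # not a shell link, skip it
        }

        # The bytes are read directly and never passed to Explorer. Printable UTF-16LE
        # strings are pulled out; decoding from offsets 0 and 1 catches strings that start
        # on an odd byte boundary inside the link target ID list.
        $texts = @(
            [System.Text.Encoding]::Unicode.GetString($bytes, 0, $bytes.Length),
            [System.Text.Encoding]::Unicode.GetString($bytes, 1, $bytes.Length - 1)
        )
        $candidates = foreach ($t in $texts) {
            foreach ($m in [regex]::Matches($t, '[\x20-\x7E]{4,}')) { $m.Value }
        }

        foreach ($s in ($candidates | Sort-Object -Unique)) {
            # Icons are loaded from modules, so an embedded path ending in .dll or .cpl is
            # the thing to look at. Trailing spaces are kept so a padded decoy name stays visible.
            if ($s -notmatch '\.(dll|cpl)\s*$') { continue }
            $leaf    = ($s.Trim() -split '[\\/]')[-1]
            $sibling = Join-Path $file.DirectoryName $leaf
            [pscustomobject]@{
                LnkFile      = $file.FullName
                ModulePath   = $s
                PathLength   = $s.Length
                LongPath     = ($s.Length -ge $SuspiciousPathLength)
                ModuleBeside = (Test-Path -LiteralPath $sibling -PathType Leaf)
            }
        }
    }
}

function New-LnkTriageSample {
    # Constructed demo input: a .lnk with a valid header but no real ID list, carrying the
    # UTF-16 path of an empty icon.dll placed beside it. Not a working shortcut or exploit.
    $dir = Join-Path ([System.IO.Path]::GetTempPath()) ('lnk-triage-' + [guid]::NewGuid())
    New-Item -ItemType Directory -Path $dir | Out-Null
    $header = New-Object byte[] 76                       # ShellLinkHeader is 0x4C bytes
    [Array]::Copy($LnkMagic, $header, $LnkMagic.Length)
    $target = [System.Text.Encoding]::Unicode.GetBytes('C:\Users\Public\icon.dll')
    [System.IO.File]::WriteAllBytes((Join-Path $dir 'Sample.lnk'), [byte[]]($header + $target))
    New-Item -ItemType File -Path (Join-Path $dir 'icon.dll') | Out-Null
    Get-LnkModuleReferences -Path $dir
}

# Demo run on the constructed sample:
# New-LnkTriageSample | Format-List
# Real triage of a removable drive, most suspicious entries first:
# Get-LnkModuleReferences -Path 'E:\' | Sort-Object LongPath, ModuleBeside -Descending | Format-Table -AutoSize
```

The heuristic is deliberately coarse: a legitimate shortcut to a control panel item will also reference a .cpl, so the interesting hits are the ones where the referenced module lives in the same folder as the shortcut on removable media or a network share, or where the path is padded out to the bypass length.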

Microsoft patches again

The original fix could therefore be bypassed by a capable threat actor, leaving Windows computers exposed for more than four years to the same attack method used by Stuxnet and Fanny.

In early January this year, German researcher Michael Heerklotz provided HP’s ZDI with details proving that the fix for CVE-2010-2568 was not complete and the LNK glitch could still be exploited; a video demonstrating the flaw and providing mitigation is embedded at the end of this article.

The reported security flaw is currently tracked as CVE-2015-0096 and has been patched by Microsoft with this month’s security updates.

“The vulnerability exists when Windows parses shortcuts in a way that could allow malicious code to be executed when the icon of a specially crafted shortcut is displayed. For the vulnerability to be exploited a user would have to use Windows Explorer to browse to a malicious website, remote network share, or local working directory,” Microsoft says in a security advisory released on Tuesday.

Microsoft addressed the issue by correcting the way Windows handles the loading of DLL files.

It is worth noting that users who followed the manual mitigation instructions Microsoft published in 2010 were never at risk from attacks exploiting the shortcut parsing flaw; the same workaround is listed again in the MS15-020 security bulletin for the second patch.

The workaround consists of disabling the display of icons for shortcuts and stopping the WebClient service. The latter blocks delivery of the attack through the WebDAV client, since users are then prompted to confirm before opening programs from the Internet, but it also makes WebDAV shares inaccessible from the client computer.
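For hosts that cannot take the update immediately, the following PowerShell, an added example rather than Microsoft's Fix it or anything from the bulletin, applies the workaround described above, checks that it is in place, and reverts it once the patch is installed. It assumes an elevated prompt; the backup folder and function names are this example's choices, and it also covers the piffile key, which Microsoft's 2010 instructions treat the same way as lnkfile.

```powershell
# Added example (not Microsoft's Fix it and not from the article): apply, check and undo
# the MS10-046 / MS15-020 workaround. Run from an elevated PowerShell prompt.
# Backup folder and function names are this example's own choices.

$IconHandlerKeys = @(
    'HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',   # .lnk shortcuts
    'HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'    # .pif shortcuts, same workaround
)

function Disable-ShortcutIconHandlers {
    param([string]$BackupDir = (Join-Path $env:ProgramData 'lnk-workaround'))
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    foreach ($key in $IconHandlerKeys) {
        $regFile = Join-Path $BackupDir (($key -split '\\')[1] + '.reg')
        # Keep a copy of the key so the change can be reverted after patching.
        & reg.exe export "$key" "$regFile" /y | Out-Null
        # The (Default) value names the shell extension CLSID that renders the icon;
        # removing it stops Explorer from loading any module to draw shortcut icons.
        & reg.exe delete "$key" /ve /f | Out-Null
    }
    # Without the WebClient service, WebDAV shares cannot deliver the .lnk/.dll pair.
    # Any service that depends on WebClient will no longer start either.
    Stop-Service -Name WebClient -Force -ErrorAction SilentlyContinue
    Set-Service  -Name WebClient -StartupType Disabled
    # Explorer only re-reads the handler registration in a new session.
    Write-Warning 'Log off and on (or restart explorer.exe) for shortcut icons to disappear.'
}

function Test-ShortcutWorkaround {
    # Reports whether every icon handler default value is gone and WebClient is off.
    $handlersCleared = foreach ($key in $IconHandlerKeys) {
        $item = Get-Item -LiteralPath "Registry::$key" -ErrorAction SilentlyContinue
        ($null -eq $item) -or [string]::IsNullOrEmpty($item.GetValue(''))
    }
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='WebClient'"
    $webClientOff = ($null -eq $svc) -or ($svc.StartMode -eq 'Disabled' -and $svc.State -ne 'Running')
    $iconsOff = -not ($handlersCleared -contains $false)
    [pscustomobject]@{
        IconHandlersCleared = $iconsOff
        WebClientDisabled   = $webClientOff
        Mitigated           = ($iconsOff -and $webClientOff)
    }
}

function Restore-ShortcutIconHandlers {
    param([string]$BackupDir = (Join-Path $env:ProgramData 'lnk-workaround'))
    # Re-import the saved keys and return WebClient to its default Manual start type.
    Get-ChildItem -Path $BackupDir -Filter *.reg | ForEach-Object { & reg.exe import $_.FullName | Out-Null }
    Set-Service -Name WebClient -StartupType Manual
}

# Disable-ShortcutIconHandlers
# Test-ShortcutWorkaround
# ... install the update, then:
# Restore-ShortcutIconHandlers
```

Test-ShortcutWorkaround is the piece worth keeping after patching too: run across a fleet it tells you which hosts still carry the workaround and therefore still show blank shortcut icons and cannot reach WebDAV shares.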

Users should apply this month's updates without delay; they cover this bulletin and 13 others, some of which address Internet Explorer flaws that allow remote attackers to execute arbitrary code.

At the moment, there is no indication that exploits for CVE-2015-0096 are used in the wild; however, it is very likely that this will change in the near future, given the fact that cybercriminals have leveraged the previous vulnerability as recently as 2014, according to a report from Kaspersky published in August 2014.

On the same note, HP’s Cyber Risk Report for 2015 revealed that the most prevalent exploit sample in the previous year was for the CVE-2010-2568 flaw, accounting for 33% of the detections.

Video with proof-of-concept for CVE-2015-0096 (embedded in the original article).

Image gallery (3 images): demonstration of the CVE-2015-0096 vulnerability; the Fanny worm; top exploits in 2014 from HP's Cyber Risk Report for 2015.