PROBLEMS WITH WINDOWS SHORTCUTS

From: S G Masood (sgmasood@yahoo.com)
Date: 03/15/03

  • Next message: Jason Coombs: "A response to Bruce Schneier on MS patch management and Sapphire" 
    Date: Sat, 15 Mar 2003 05:19:39 -0800 (PST)
From: S G Masood <sgmasood@yahoo.com>
To: bugtraq@securityfocus.com

    PROBLEMS WITH WINDOWS SHORTCUTS

    ==============================================================================================

    Topic: Problems with Windows Shortcuts
    Tested With: Windows 98, Windows 2000 Server
    Author: S.G.Masood (sgmasood@yahoo.com)

    ==============================================================================================

    ==============================================================================================

    DESCRIPTION:

    There is a problem with the way Windows (tested with
    Win98 and Win2k Server) handles shortcut (.lnk) files.

    A specially crafted shortcut will crash
    explorer.exe/shell32.dll.

    A shortcut, say, A.lnk is created and it is made to
    point to another
    shortcut B.lnk. Then, B.lnk is made to point to A.lnk.
    Now when the
    folder containing these two files is viewed or
    accessed in any way,
    explorer crashes.

    (Note that Windows won't allow the creation of .lnk
    files in the above
    format. A hex editor can be used to change the
    location of the .lnk files. A zip file containing
    examples for Win98 has been attached)

    As an effect, a malicious user/program can hide
    malware in a folder containing these .lnk files to
    prevent users/programs from investigating the contents
    of the folder.

    This vulnerability is most damaging when the shortcuts
    are placed on
    the desktop. This could prevent many clueless users
    from using their computer.

    ==============================================================================================

    VENDOR RESPONSE:

    Microsoft was contacted and it responded with:

    "...While this issue is certainly a bug, we believe
    that it doesn't
    constitute a security vulnerability. That is, it
    wouldn't enable a
    malicious user to compromise data or usurp control
    over the user's
    machine..."

    ==============================================================================================

    SECURITY IMPLICATIONS OF THIS "BUG":

    1. Under *most* circumstances, Explorer.exe will
    restart when it crashes but in some cases, the machine
    hangs and has to be restarted.

    2. When Explorer.exe crashes and restarts, it takes
    all iexplore.exe instances with it, thereby crashing
    them all. This scenario may not seem worthy of
    attention at first glance but it may be damaging in
    some cases.

    3. The folder that contains these shortcuts may house
    malware of other kinds. This may be exploited to hide
    malware and stop users (and programs ?) from
    investigating the contents of the folder. A few users
    may still go ahead looking for other ways to
    investigate it but, other, not-so-savvy, users will
    just leave it alone thereby allowing the spread of new
    types of *LAME* malware (the naivete of most users is
    apparent from the wildfire type success of email
    attachment viruses even after infinite warnings).

    Similar vulnerabilities, harmless looking at first
    glance, were used previously to devastating effect.

    4. I believe this case is most serious as a DoS. If
    the shortcuts or variants are placed on the Desktop,
    it would keep crashing Explorer in an endless loop and
    prevent users from using the machine (Oh naivete! Thou
    art the most abundant quality in us mortals! ;-).

    Also, this may be combined with other remote file
    creation vulnerabilities to make it remotely
    exploitable.

    ==============================================================================================

    SOLUTION:

    No patch is availaible from the vendor.
    The shortcuts can be safely deleted from the
    commandline.

    ==============================================================================================

    Regards,
    S.G.Masood

    __________________________________________________
    Do you Yahoo!?
    Yahoo! Web Hosting - establish your business online
    http://webhosting.yahoo.com

  • Next message: Jason Coombs: "A response to Bruce Schneier on MS patch management and Sapphire"

    Relevant Pages

    • Re: Yikes! Shortcuts from hell. The devils in my machine!
      ... Having those shortcuts there will in no way ... version of WinZip in your recent folder will not impact an installation ... You can download Tweak UI (one of the Windows ... If you switch your folder view to thumbnail you will see those ...
      (microsoft.public.windowsxp.basics)
    • Re: Custon items on the start menu
      ... Glad to see that all is working George! ... Microsoft MVP- Windows Shell/User ... Folder customizations ... >> locations of the shortcuts to point at a different place other than My ...
      (microsoft.public.windowsxp.customize)
    • Re: Start Menu shortcut icons not showing up
      ... >> folder). ... >> The latter houses shortcuts and settings that apply to ... >> Associate Expert - WindowsXP Expert Zone ... >> Windows help - www.rickrogers.org ...
      (microsoft.public.windowsxp.newusers)
    • Re: Yikes! Shortcuts from hell. The devils in my machine!
      ... Having those shortcuts there will in no way ... >version of WinZip in your recent folder will not impact an installation ... You can download Tweak UI (one of the Windows ... If you switch your folder view to thumbnail you will see those ...
      (microsoft.public.windowsxp.basics)
    • Re: desktop shortcuts/Outlook email links, dont work; XP says "Ca
      ... Yesterday, all day, the shortcuts worked fine. ... problem I had before I followed your instructions. ... For the Help and Support ... > Fix Windows XP Help - from Doug's site: ...
      (microsoft.public.windowsxp.help_and_support)