Re: Windows .lnk Files
Date: Wed, 26 Jun 2002 14:43:18 -0400 (EDT)
From: cyberiad@www.nmrc.org
To: Brett Moore <brett@softwarecreations.co.nz>
In reply to: Brett Moore: "Windows .lnk Files"
Hello,
I've done some playing around with malformed .lnk files
under Windows 2000 and found similar results; nothing
published yet. I found it was similar to a problem USSR
Labs reported some time ago with Windows NT but was in
relation to SERVU FTP ... upload the malformed .lnk file
execute a list and crash/overflow.
Also discussed at:
http://archives.neohapsis.com/archives/vuln-dev/2000-q1/0568.html
Cyberiad
On Wed, 26 Jun 2002, Brett Moore wrote:
> It seems that the handling of .lnk files has a few problems. I have tested
> on both win98 and win2000 sp2 server.
>
> Can anyone test further? Note that the actions taken by these .lnk files have
> the possibility of causing damage to a system and should not be tested on an
> essential server :-)
>
> -------------------------------------------------------------------
> 32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20 2 +,RG New
> 54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78 Text Document.tx
> 74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 FF FF t NEWTEX~3.TXT
> FF FF 00 00-00 00 00 00-00 00 00 00-00 00 00 00
> 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
> 00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00
> -------------------------------------------------------------------
>
> This causes FF FF to be loaded into a register used to control the length of
> data copied. Usually causes an error when right clicking on the file in
> explorer. Sometimes it is required
> to select properties. Errors seen include unable to read, unable to write.
> Since we are controlling the length of the data copied, these errors are
> self-explanatory.
>
> Would seem that explorer/shell32.dll is copying too much data when reading
> the filename? OK, so
> this causes the read/write errors and halts progress.
>
> But if we substitute valid values such as 01 01 (CC CC) then the buffer
> still gets overflowed but we bypass this error and our corrupt values get
> further down in the program.
>
> -------------------------------------------------------------------
> 32 00 1A 00-00 00 D8 2C-52 47 20 00-4E 65 77 20 2 +,RG New
> 54 65 78 74-20 44 6F 63-75 6D 65 6E-74 2E 74 78 Text Document.tx
> 74 00 4E 45-57 54 45 58-7E 33 2E 54-58 54 CC CC t NEWTEX~3.TXT¦¦
> CC CC 0F 0F-0F 0F 0F 0F-FF F0 F0 F0-F0 F0 F0 F0 ¦¦¤¤¤¤¤¤________
> AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
> AA AA AA AA-AA AA AA AA-AA AA AA AA-AA AA AA AA ¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬¬
> -------------------------------------------------------------------
>
> This one does not cause the read/write errors but causes a DoS in explorer
> just by browsing to the folder holding the file.
>
> This is more interesting, but involves tracking a lot of assembler code.
> Worst result would be some sort of code executed just by browsing a folder.
> Virus related perhaps.
>
> Any feedback on results or further research into this problem would be
> appreciated.
>
> Notes:
> Do not save to your desktop.
> Rename the file to .lnk
> This is the win98 file. You can easily modify a 2000 or other lnk file as
> detailed above.
>
>
> Brett Moore
>
>
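As an added example, not code from the thread or from either poster: a small Python parser for the item shown in the two dumps that checks every length it reads against the bytes left in the buffer, so the FF FF / CC CC values are rejected before anything is copied. The field layout (class type, pad, 32-bit file size, FAT date and time, attributes, long name, 8.3 name, then the 16-bit field the post says ends up as a copy length) and the CLEAN sample with 00 00 in place of FF FF are assumptions, not something the post states.

```python
import struct
from datetime import datetime

# Constructed from the hex dumps quoted above (ASCII columns dropped, trailing
# filler rows shortened). The field layout used below is an assumption.
ORIGINAL = bytes.fromhex(
    "32001A000000D82C524720004E657720"
    "5465787420446F63756D656E742E7478"
    "74004E45575445587E332E545854FFFF") + bytes(16)
VARIANT = bytes.fromhex(
    "32001A000000D82C524720004E657720"
    "5465787420446F63756D656E742E7478"
    "74004E45575445587E332E545854CCCC"
    "CCCC0F0F0F0F0F0FFFF0F0F0F0F0F0F0") + b"\xAA" * 16
# Constructed well-formed counterpart: the two mutated bytes set back to 00 00.
CLEAN = ORIGINAL[:46] + b"\x00\x00" + ORIGINAL[48:]

def fat_datetime(date, time):
    """Decode a packed DOS/FAT date and time into a datetime."""
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def cstring(buf, off):
    """Read a NUL-terminated ASCII string; refuse to run off the buffer."""
    end = buf.find(b"\x00", off)
    if end < 0:
        raise ValueError("unterminated string at offset %d" % off)
    return buf[off:end].decode("ascii"), end + 1

def parse_file_item(buf):
    """Parse the item; every length taken from the file is bounds-checked."""
    if len(buf) < 12:
        raise ValueError("item header truncated")
    typ, _, size, date, time, attrs = struct.unpack_from("<BBIHHH", buf, 0)
    if typ != 0x32:
        raise ValueError("not a file entry item: 0x%02X" % typ)
    long_name, off = cstring(buf, 12)
    # The 8.3 name in both dumps is not NUL-terminated: take exactly 12 bytes.
    short_name = buf[off:off + 12].decode("ascii")
    off += 12
    length = struct.unpack_from("<H", buf, off)[0]  # the FF FF / CC CC field
    remaining = len(buf) - off - 2
    if length > remaining:  # the check the shell apparently did not make
        raise ValueError("length field 0x%04X exceeds %d remaining bytes"
                         % (length, remaining))
    return {"size": size, "mtime": fat_datetime(date, time), "attrs": attrs,
            "long_name": long_name, "short_name": short_name, "length": length}

def validate(buf):
    """Return None if the item parses cleanly, else the rejection reason."""
    try:
        parse_file_item(buf)
        return None
    except ValueError as exc:
        return str(exc)
```

The FAT timestamp in the dump decodes to 2002-06-24 08:58:36, two days before the post, which is what makes the assumed layout plausible.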