[vox] OT:[Fwd: PROBLEMS WITH WINDOWS SHORTCUTS]

ME vox@lists.lugod.org
Sat, 15 Mar 2003 17:50:43 -0800 (PST)



This was just too funny to pass up posting (Off Topic) to the vox lists on
lugod...

OK, so in Linux:
$ cd /tmp
$ ln -s next first
$ ln -s first next
$ ls

However, if you are using Windows, and you make a link point to a second
link and have the second link point to the first, and then try to view the
contents of the folder that has both... *crash* to explorer or shell...
(heh heh)

(OK, these OS do not permit links to links and back again by default, but
it is still rather funny. :-)

-ME

---------------------------- Original Message ----------------------------
Subject: PROBLEMS WITH WINDOWS SHORTCUTS
From:    "S G Masood" <sgmasood@yahoo.com>
Date:    Sat, March 15, 2003 5:19 am
To:      bugtraq@securityfocus.com
--------------------------------------------------------------------------
PROBLEMS WITH WINDOWS SHORTCUTS






==============================================================================================


Topic: Problems with Windows Shortcuts
Tested With: Windows 98, Windows 2000 Server
Author: S.G.Masood (sgmasood@yahoo.com)


==============================================================================================



DESCRIPTION:

There is a problem with the way Windows (tested with Win98 and Win2k
Server) handles shortcut (.lnk) files.

A specially crafted shortcut will crash explorer.exe/shell32.dll.

A shortcut, say, A.lnk is created and it is made to point to another
shortcut B.lnk. Then, B.lnk is made to point to A.lnk. Now when the
folder containing these two files is viewed or accessed in any way,
explorer crashes.

(Note that Windows won't allow the creation of .lnk files in the above
format. A hex editor can be used to change the location of the .lnk
files. A zip file containing examples for Win98 has been attached)

As an effect, a malicious user/program can hide malware in a folder
containing these .lnk files to prevent users/programs from
investigating the contents of the folder.

This vulnerability is most damaging when the shortcuts are placed on
the desktop. This could prevent many clueless users from using their
computer.


==============================================================================================



VENDOR RESPONSE:

Microsoft was contacted and it responded with:

"...While this issue is certainly a bug, we believe that it doesn't
constitute a security vulnerability.  That is, it wouldn't enable a
malicious user to compromise data or usurp control over the user's
machine..."


==============================================================================================




SECURITY IMPLICATIONS OF THIS "BUG":


1. Under *most* circumstances, Explorer.exe will restart when it
crashes but in some cases, the machine hangs and has to be restarted.

2. When Explorer.exe crashes and restarts, it takes all iexplore.exe
instances with it, thereby crashing them all. This scenario may not
seem worthy of attention at first glance but it may be damaging in
some cases.

3. The folder that contains these shortcuts may house malware of other
kinds. This may be exploited to hide malware and stop users (and
programs?) from investigating the contents of the folder. A few users
may still go ahead looking for other ways to investigate it but,
other, not-so-savvy, users will just leave it alone thereby allowing
the spread of new types of *LAME* malware (the naivete of most users
is apparent from the wildfire type success of email attachment viruses
even after infinite warnings).

Similar vulnerabilities, harmless looking at first glance, were used
previously to devastating effect.

4. I believe this case is most serious as a DoS. If the shortcuts or
variants are placed on the Desktop, it would keep crashing Explorer in
an endless loop and prevent users from using the machine (Oh naivete!
Thou art the most abundant quality in us mortals! ;-).

Also, this may be combined with other remote file creation
vulnerabilities to make it remotely exploitable.


==============================================================================================



SOLUTION:


No patch is available from the vendor.
The shortcuts can be safely deleted from the command line.



==============================================================================================





Regards,
S.G.Masood
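
The Linux analogue from the top of this message (`first` and `next` pointing at each other), as an added example that is not part of the original post or the advisory: a shell check that lists the symlinks in a directory that form a loop, reading one hop at a time with readlink so the loop is never followed. The function names, the 40-hop cap and the sample directory are assumptions made for illustration; it covers symlinks only, not Windows .lnk files.

```shell
#!/bin/sh
# Added example: find symlink loops in a directory without following them.
NL='
'
MAX_HOPS=40   # assumed cap; deeper chains are reported as loops too

# link_is_cyclic PATH: exit 0 if the chain starting at PATH revisits a link.
link_is_cyclic() {
    cur=$1
    seen=$NL
    hops=0
    while [ -L "$cur" ] && [ "$hops" -lt "$MAX_HOPS" ]; do
        case "$seen" in
            *"$NL$cur$NL"*) return 0 ;;          # already visited: loop
        esac
        seen="$seen$cur$NL"
        target=$(readlink "$cur") || return 1    # one hop, nothing opened
        case "$target" in
            /*) cur=$target ;;                   # absolute target
            *)  cur=$(dirname "$cur")/$target ;; # relative to the link's dir
        esac
        hops=$((hops + 1))
    done
    [ -L "$cur" ]   # still a link here means the hop cap was reached
}

# find_link_loops DIR: print every symlink directly in DIR that is in a loop.
find_link_loops() {
    find "$1" -maxdepth 1 -type l | sort | while IFS= read -r link; do
        if link_is_cyclic "$link"; then
            printf '%s\n' "$link"
        fi
    done
}

# make_sample DIR: constructed test data (loop, healthy link, dangling link).
make_sample() {
    : > "$1/data.txt"
    ln -s next "$1/first"
    ln -s first "$1/next"
    ln -s data.txt "$1/ok"
    ln -s missing "$1/dangling"
}

demo_dir=$(mktemp -d)
make_sample "$demo_dir"
find_link_loops "$demo_dir"
rm -rf "$demo_dir"
```
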
