
Just when you thought it safe to go into the water . . .

Yeah, that's not good.
 
I'll worry about all this.... later. Today is a fine day.
 
Here's a little more detail. It isn't the SCADA networks per se that are targeted, rather the Windows hosted SCADA control PCs.

Unfortunately, this article also mentions that documents with embedded links (Word, PDF, etc.) can also be used to nail you.

There's only one solution: [cheers] [cheers]



Jeff
[small][purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/small]
 
Am I understanding correctly: if Windows Explorer (or any other program) asks Windows to retrieve the icon belonging to a target program, instead of just retrieving the picture in a static sense, Windows runs code from the target program to provide the icon?
 
Solution
p p p pickup a penguin :)
 
Am I understanding correctly: if Windows Explorer (or any other program) asks Windows to retrieve the icon belonging to a target program, instead of just retrieving the picture in a static sense, Windows runs code from the target program to provide the icon?

More specifically, icons are defined resources in executable files. This means that you aren't retrieving the picture in a static sense, but calling an API (IShellLinkA/IShellLinkW) to load the executable and find the resource in question.

As I understand it, there's already been a different, patched exploit to do this with executable files. But the specific one here involves DLL files. Now what happens is that the LNK file, which contains information referencing a shortcut target, is changed slightly so that instead of making reference to an icon for the DLL through the LNK file, it loads the DLL. In loading the DLL it executes the main loading sequence of the DLL. Hence your exploit.

It is not possible for anyone to acknowledge truth when their salary depends on them not doing it.
 
Glen, Is it the LNK file itself that's crafted differently? I thought it was the DLL that's modified so that the internal pointer went to the executable code instead of the icon image.

Jeff
[small][purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/small]
 
Glen, Is it the LNK file itself that's crafted differently?

Yes. If you reference the link I posted in this thread, you'll see the details of it. The main contents of that forum post being someone trying to prove if you can do the exploit with 95/98/ME - the answer is yes if you make the LNK ANSI instead of Unicode.

There is nothing different or strange regarding the DLL file and this file can be created in an unmodified fashion using any development environment.



It is not possible for anyone to acknowledge truth when their salary depends on them not doing it.
 
I feel like I'm in the middle of a soap opera for some reason. Sophos has released a free tool that will work with any AV program. I haven't tested it so I can't verify if it works or what any adverse effects may be but it seems better than Microsoft's solution.


James P. Cottingham
I'm number 1,229!
I'm number 1,229!
 
Excellent, James!
I've just checked this link and it does sound excellent.
I've installed it and it does create a little lag in displaying icons, but it is really just a little one.
Some few icons are not recognized, but I can really live with that - much much better than with the M$ "fix" (cripple).

[thumbsup2]

[navy]"We had to turn off that service to comply with the CDA Bill."[/navy]
- The Bastard Operator From Hell
 
But worrying that Microsoft can't/won't/haven't come up with anything?

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
[red]But wait! There's more![/red] Conspiracy buffs will have a field day with this article

James P. Cottingham
I'm number 1,229!
I'm number 1,229!
 
MS has released a fix! Not much info yet so will have to see what exactly it does.



James P. Cottingham
I'm number 1,229!
I'm number 1,229!
 
James, We do know it makes you reboot. What a surprise. [ROFL]

Jeff
[small][purple]It's never too early to begin preparing for [/purple]International Talk Like a Pirate Day
"The software I buy sucks, The software I write sucks. It's time to give up and have a beer..." - Me[/small]
 
What is more worrying is the fact that they thought running 3rd party software just to create an icon was a good idea in the first place!
 
Just my oldest XP box to do now.
All well so far, except the update knocked over crypsvc (again) on the Vista machine, but it was OK after a second re-boot.

Just trying to work out why 'Problem Reports' says there is a fix available, but there isn't!

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain
 
IPGuru, I am sooooo glad you wrote that. I can't help but feel that half the security issues we get into now are because someone thought that expandable do-everything design was a really good idea, and forgot that it carries a price: someone might make it do something the designer didn't think of. As a non-programmer I didn't dare think.

For goodness' sake, a shortcut and an icon should never have been more than what they are: a single reference to a program, and a picture.
 
> Is it the LNK file itself that's crafted differently? I thought it was the DLL that's modified so that the internal pointer went to the executable code instead of the icon image

No, the LNK file is still a standard, normal LNK file (as a side note, MS removed their documentation for LNK files from MSDN subsequent to this exploit being made public; a copy of it is located here)

No, no DLL modified or pointer changed

The issue is that, under certain circumstances (and this is where the 'specially crafted' that most of the advisories mention comes in), the Shell - not the shortcut - calls LoadLibrary against the file that is supposed to contain the icon used by the shortcut (a DLL). LoadLibrary in turn causes the DLL's (optional) DllMain entry point to be called - so if we write the DLL we can put our own arbitrary code into DllMain - which will get run any time that the shell (or utilities making use of shell APIs) wants to display the icon.
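An added example, not posted by anyone in this thread: a small triage parser for the .lnk layout (ShellLinkHeader, LinkFlags, StringData per the MS-SHLLINK layout, which this code assumes) that pulls out the IconLocation string, honours the ANSI-vs-Unicode flag discussed earlier, and flags shortcuts whose icon source is a DLL outside the Windows directory, since that is the file the shell will LoadLibrary. The sample shortcuts are constructed in-code; the "suspicious" rule is a heuristic for sorting files to look at, not a signature for the vulnerability itself.

```python
import struct

# LinkFlags bits from the ShellLinkHeader (assumed MS-SHLLINK layout).
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # 00021401-...-46, little-endian

def _string_data(s, unicode):
    # StringData = CountCharacters (uint16) + characters, UTF-16LE if IsUnicode else ANSI
    enc = s.encode("utf-16-le") if unicode else s.encode("cp1252")
    return struct.pack("<H", len(s)) + enc

def build_lnk(icon_location, unicode=True):
    """Constructed sample: a minimal .lnk whose only optional field is IconLocation."""
    flags = HAS_ICON | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # attrs, times, size, icon idx, SW_SHOWNORMAL
    return header + _string_data(icon_location, unicode)

def parse_icon_location(data):
    """Return (LinkFlags, IconLocation or None), skipping the structures before StringData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 76
    if flags & HAS_ID_LIST:   # LinkTargetIDList: uint16 size + IDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO: # LinkInfo: uint32 size includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    width = 2 if flags & IS_UNICODE else 1
    icon = None
    for bit in (HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON):
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        raw = data[pos + 2:pos + 2 + count * width]
        pos += 2 + count * width
        if bit == HAS_ICON:
            icon = raw.decode("utf-16-le" if width == 2 else "cp1252")
    return flags, icon

def icon_source_is_suspicious(icon_location):
    """Heuristic: icon drawn from a DLL that does not live under the Windows directory."""
    if not icon_location:
        return False
    loc = icon_location.lower()
    return loc.endswith(".dll") and not loc.startswith(("c:\\windows\\", "%systemroot%\\"))
```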
 