Recently I saw a Windows remote code execution vulnerability disclosed online: an attacker can use a shortcut file to execute arbitrary instructions on the user's computer, so I did a partial analysis of it.
1. Vulnerability Description:
Microsoft Windows .LNK Remote Code Execution Vulnerability (CVE-2017-8464): an attacker could present the user with a malicious .LNK file together with a removable drive or remote share that holds the associated malicious binary. When the user opens that drive (or remote share) in Windows Explorer, or in any other application that parses the .LNK file, the malicious binary executes code of the attacker's choice on the target system. An attacker who successfully exploited this vulnerability could gain the same user rights as the local user.
2. Scope of impact:
The scope of the vulnerability is fairly broad. The following list of affected systems comes from an online search; I tested on Win7 and Win10 myself.
1. Microsoft Windows Version 1607 for 32-bit Systems
2. Microsoft Windows Version 1607 for x64-based Systems
3. Microsoft Windows 10 for 32-bit Systems
4. Microsoft Windows 10 for x64-based Systems
5. Microsoft Windows version 1511 for 32-bit Systems
6. Microsoft Windows version 1511 for x64-based Systems
7. Microsoft Windows version 1703 for 32-bit Systems
8. Microsoft Windows version 1703 for x64-based Systems
9. Microsoft Windows 7 for 32-bit Systems SP1
10. Microsoft Windows 7 for x64-based Systems SP1
11. Microsoft Windows 8.1 for 32-bit Systems
12. Microsoft Windows 8.1 for x64-based Systems
13. Microsoft Windows RT 8.1
14. Microsoft Windows 10 for 32-bit Systems
15. Microsoft Windows 10 for x64-based Systems
16. Microsoft Windows version 1511 for 32-bit Systems
17. Microsoft Windows version 1511 for x64-based Systems
18. Microsoft Windows version 1703 for 32-bit Systems
19. Microsoft Windows version 1703 for x64-based Systems
20. Microsoft Windows 7 for 32-bit Systems SP1
You can see that basically all Windows systems have this problem. Exploitation is somewhat awkward, though: first you have to get the shortcut onto the other person's computer before you can even think about triggering the vulnerability.
But just like CVE-2012-0158 back then, where sending a document to the user was enough to trigger it, this vulnerability can be widely used in phishing attacks, watering-hole attacks, mail attachment attacks and so on, so the harm is very great and it is easy to fall for. Users still need to apply the patch.
3. POC
Needless to say, I wrote a Python script that generates the exp for this vulnerability; it has been put on my GitHub, and anyone who wants to discuss it can go take a look:
https://github.com/Securitykid/CVE-2017-8464-exp-generator
A brief description of the test process:
First, generate the exp using the tool:
Specify the name of the DLL that needs to be executed; here it is a test DLL that pops up the calculator:
The result of the run is 26 generated shortcuts:
The purpose of the 26 shortcuts is to make sure the DLL file can be found under any drive letter. Take a scenario: put these 26 shortcuts and the DLL on a USB flash drive; then no matter which drive letter the computer assigns to the USB drive, it can be executed.
Execution conditions:
Opening the folder that contains the shortcut, opening the drive letter (the one the shortcut is for), or pointing at the shortcut can all cause execution:
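From the defender's side, the pattern just described (26 shortcuts, one per drive letter, all pointing at the same DLL) is easy to recognise on a suspect folder or USB drive. The following triage script is an added example, not the author's generator and not code from the linked repository: it checks the MS-SHLLINK header, pulls out drive-qualified .dll paths stored as ANSI or UTF-16LE text (a heuristic scan of the file bytes, not a full .lnk parser), and flags a set of shortcuts that together span many drive letters. The sample .lnk blobs are constructed inline (a valid header plus an embedded path), not real files.

```python
import re
import struct

# Fixed values from the Shell Link binary format (MS-SHLLINK): HeaderSize 0x4C and LinkCLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Drive-qualified .dll paths, as ANSI text and as UTF-16LE text.
DLL_ANSI = re.compile(rb"[A-Za-z]:\\[^\x00]{0,200}?\.dll", re.IGNORECASE)
DLL_WIDE = re.compile(rb"[A-Za-z]\x00:\x00\\\x00(?:[^\x00]\x00){0,200}?\.\x00[dD]\x00[lL]\x00[lL]\x00")


def is_shell_link(data: bytes) -> bool:
    """True if the blob starts with a valid ShellLinkHeader (size field and CLSID)."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    return struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def dll_references(data: bytes) -> list:
    """Every drive-qualified DLL path embedded in the shortcut, in either encoding."""
    refs = {m.group(0).decode("latin-1") for m in DLL_ANSI.finditer(data)}
    refs |= {m.group(0).decode("utf-16-le") for m in DLL_WIDE.finditer(data)}
    return sorted(refs)


def triage(samples: dict) -> dict:
    """samples maps file name -> bytes; reports DLL-referencing shortcuts and the drive letters they span."""
    files = {}
    for name, data in samples.items():
        if is_shell_link(data):
            refs = dll_references(data)
            if refs:
                files[name] = refs
    letters = sorted({r[0].upper() for refs in files.values() for r in refs})
    # Shortcuts covering many drive letters at once is the tell-tale "spray" described above.
    return {"files": files, "drive_letters": letters, "spray": len(letters) >= 5}


def build_sample(target: str) -> bytes:
    """Constructed stand-in for a .lnk: a valid header followed by the target path as UTF-16LE."""
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    return header + target.encode("utf-16-le") + b"\x00\x00"


# Constructed sample set: 26 shortcuts (one per drive letter) plus one benign shortcut.
SAMPLES = {f"{c}.lnk": build_sample(f"{c}:\\payload.dll") for c in "ABCDEFGHIJKLMNOPQRSTUVWXYZ"}
SAMPLES["benign.lnk"] = build_sample("C:\\Windows\\notepad.exe")

if __name__ == "__main__":
    report = triage(SAMPLES)
    print("spray:", report["spray"], "drives:", "".join(report["drive_letters"]))
```

On real files, feed `triage` the bytes of every .lnk in the folder being examined; a hit on many drive letters warrants quarantining the whole set before anyone opens the drive in Explorer.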
I simply recorded a GIF; the test results are as follows:
The exp generation script in this article is written in Python; the link is as follows:
https://github.com/Securitykid/CVE-2017-8464-exp-generator
Discussion and learning together are welcome.
This vulnerability still does a certain amount of harm. I hope friends who see this keep it in mind: do not casually click on shortcuts received by mail or downloaded inside files, and apply the patch at the same time to make sure your own interests are not harmed.
The contents of this article are only for technical exchange, security precautions and academic discussion; do not use them for illegal purposes.
Reprinting is welcome; please indicate the source.
Scan the QR code to follow the public account, Security Kid, which shares security knowledge and technology so that we can exchange ideas and progress together!
Windows shortcut (.lnk) code execution vulnerability (CVE-2017-8464) [exp build tool]