Microsoft LNK Vulnerability Brief Technical Analysis (CVE-2010-2568)

Jul 30

A few days ago, an exploit used for highly targeted attacks was published here: CVE-2010-2568 Lnk shortcut. As the blog post, and other posts, state, this is caused by Windows Control Panel's shortcut image display routine. The original blog post shows a stack trace of the exploit results, which also serves to explain the vulnerability.

 

The nature of the vulnerability is pretty clear, but out of curiosity we did some reverse engineering, and here is what we found. The bug itself is a design flaw, as many people have stated, and it is very straightforward to locate the point where it happens. The vulnerable file is shell32.dll and the vulnerable routines are Control Panel-related. We loaded the binary into a disassembler and found that the Control Panel file-related routines start with a “CPL_” prefix.

 

Drawing 1 shows the relations between CPL initialization routines and data flow. The red “LoadLibraryW” API is the vulnerable one.

 

 

 

Drawing 1: The flow of the related routines and data

 

 

The icon extraction routine calls “CPL_FindCPLInfo” to find the icon information of the target file. The “CPL_FindCPLInfo” routine is basically a wrapper around all CPL-related routines. The CPL module is loaded and initialized before any information is read out of it. One of the initialization routines, “_LoadCPLModule”, calls the “LoadLibraryW” API to load the target CPL DLL for future use. The module handle acquired from this call is used later in the “_InitializeControl” routine with the “LoadImage” API. There are ways to acquire an icon handle from a DLL without loading it, but in this case the programmer chose to load the target DLL for some reason, which opens the vulnerability: “LoadLibraryW” runs the entry point of whatever DLL it loads, so merely displaying the shortcut's icon executes code from the file the shortcut points to.
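To illustrate the remark that icon information can be obtained from a DLL without loading it, here is an added example (not code from the original post or from shell32): a static reader that lists a PE file's top-level resource types from the raw bytes, so nothing in the file executes. The names `resource_types` and `build_sample` are hypothetical, and the sample image is constructed for this example.

```python
import struct

RT_ICON, RT_GROUP_ICON = 3, 14  # standard PE resource type IDs

def resource_types(pe):
    """Top-level resource type IDs read from raw file bytes; no code in the DLL runs."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ image")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[nt:nt + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsect = struct.unpack_from("<H", pe, nt + 6)[0]
    opt_size = struct.unpack_from("<H", pe, nt + 20)[0]
    opt = nt + 24
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError("unknown optional header magic")
    dirs = opt + (96 if magic == 0x10B else 112)          # data directories
    rva = struct.unpack_from("<I", pe, dirs + 2 * 8)[0]   # entry 2 = resource table
    if rva == 0:
        return []
    for i in range(nsect):                                # map RVA to file offset
        vsize, va, rawsize, rawptr = struct.unpack_from("<4I", pe, opt + opt_size + 40 * i + 8)
        if va <= rva < va + max(vsize, rawsize):
            root = rawptr + (rva - va)
            break
    else:
        raise ValueError("resource RVA outside all sections")
    named, ids = struct.unpack_from("<HH", pe, root + 12)
    first_id = root + 16 + 8 * named                      # ID entries follow named ones
    return [struct.unpack_from("<I", pe, first_id + 8 * i)[0] for i in range(ids)]

def build_sample(type_ids):
    """Constructed minimal PE32 layout (headers plus a resource root), not a real DLL."""
    nt, opt_size, img = 0x40, 224, bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, nt)
    img[nt:nt + 4] = b"PE\0\0"
    struct.pack_into("<HH", img, nt + 4, 0x14C, 1)        # i386, one section
    struct.pack_into("<H", img, nt + 20, opt_size)
    struct.pack_into("<H", img, nt + 24, 0x10B)           # PE32
    struct.pack_into("<II", img, nt + 24 + 96 + 16, 0x1000, 0x100)  # resource dir RVA, size
    sec = nt + 24 + opt_size
    img[sec:sec + 8] = b".rsrc\0\0\0"
    struct.pack_into("<4I", img, sec + 8, 0x100, 0x1000, 0x200, 0x200)
    struct.pack_into("<HH", img, 0x200 + 12, 0, len(type_ids))
    for i, t in enumerate(type_ids):
        struct.pack_into("<II", img, 0x210 + 8 * i, t, 0x80000000)  # high bit: subdirectory
    return bytes(img)
```

At the Windows API level, the comparable choice is `LoadLibraryExW` with `LOAD_LIBRARY_AS_DATAFILE`, which maps a file for resource access without running its entry point.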

 

It looks like the security side-effects of one module are not evaluated fully before it's combined with other modules.

 

We recommend following this Microsoft security advisory to disable icon display or the WebClient service until a patch for this flaw is released.

 

 
