LNK-pocalypse, or a new bug-feature from MS (CVE-2010-2568)
16 March 2011, 11:10
Habr has already written about Win32/Stuxnet and, along with it, disclosed the vulnerability it uses. Yet the vulnerability itself has received surprisingly little attention; most of the noise has been about Win32/Stuxnet and the valid certificates used to sign the components of this malware. Meanwhile, the vulnerability has already appeared in the public domain: first as a PoC, and later as a Metasploit module. MS, as in other cases, does not seem to care about the criticality of this vulnerability and will most likely not release a patch until August 10. And for WinXP SP2 no patch will be made at all, which is strange, since it still has users, and not as few as we would like. Symantec's statistics on the distribution of threats across Windows versions confirm this: WinXP SP2 accounts for a large share of the recorded incidents.



The vectors for exploiting this vulnerability are not only USB drives but also network resources. For example, in Metasploit the exploitation happens via WebDAV.

The vulnerability works as follows:



This is not a banal buffer overflow or a bad index dereference; it is much worse, because it is a vulnerability by design, so to speak (all versions of Windows are vulnerable). In other words, the developers overlooked that attackers could use this code path to install any malware. Or maybe it is all much worse, and this is simply another backdoor left in the system at the request of the NSA? I am afraid we will never know the truth. Let us now turn directly to the technical details of this vulnerability.
CVE-2010-2568 is a vulnerability in the LNK file handler, more precisely in the process of displaying Control Panel shortcuts when they are loaded into the memory of the Explorer.exe process. The vulnerable library is shell32.dll, which handles them incorrectly. Below is a simplified diagram illustrating the flow of data between function calls during exploitation (borrowed from here). Successful exploitation ends in loading a third-party dynamic link library via the WinAPI function LoadLibraryW.



The sequence of calls is as follows:
SHELL32!CRunnableTask::Run
SHELL32!CGetIconTask::RunInitRT
SHELL32!SHGetIconFromPIDL
SHELL32!CFSFolder::GetIconOf
SHELL32!SHGetIconFromPIDL
SHELL32!_GetILIndexGivenPXIcon
SHELL32!CShellLink::GetIconLocation
SHELL32!CExtractIconBase::GetIconLocation
SHELL32!CCtrlExtIconBase::_GetIconLocationW
SHELL32!CPL_FindCPLInfo
SHELL32!CPL_LoadAndFindApplet
SHELL32!_LoadCPLModule
SHELL32!_imp__LoadLibraryW

It is actually the code below that makes the malicious DLL execute. This code lives in the function _LoadCPLModule, which is called from CPL_LoadCPLModule.



In the Metasploit exploit for this vulnerability, a URL of the form "{webdav}{exploit_base}\\{exploit_dll}" is generated; this approach greatly expands the scope of the vulnerability beyond USB drives. What to do and how to protect yourself against this vulnerability can be read here. More on dealing with this vulnerability can be found in the blog of the independent researcher Didier Stevens. Two methods are described there:
1) Disable autorun and the launching of executable files from external media. But this will not save you from possible infection via network shares and WebDAV links.
2) Set up Software Restriction Policies (SRP).
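As an added example (not code from the original post or from Didier Stevens), here is a small defender-side triage script in Python: it parses the LinkTargetIDList of a .lnk file according to the MS-SHLLINK layout and flags any embedded .dll/.cpl module path that is UNC or lies outside the system directory, which is exactly what a shortcut abusing the Control Panel loading path described above would carry. The sample shortcuts and the host name are constructed placeholders, not working exploits.

```python
import struct

HEADER_SIZE = 0x4C                   # ShellLinkHeader is always 76 bytes (MS-SHLLINK)
HAS_LINK_TARGET_IDLIST = 0x00000001  # LinkFlags bit 0: a LinkTargetIDList follows the header
SYSTEM_DIR = "c:\\windows\\system32\\"

def parse_idlist(data):
    """Return the raw payloads of the ItemIDs in a .lnk LinkTargetIDList ([] if none)."""
    if len(data) < HEADER_SIZE + 2 or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        return []
    if not struct.unpack_from("<I", data, 0x14)[0] & HAS_LINK_TARGET_IDLIST:
        return []
    idlist_size = struct.unpack_from("<H", data, HEADER_SIZE)[0]
    pos, end = HEADER_SIZE + 2, HEADER_SIZE + 2 + idlist_size
    items = []
    while pos + 2 <= min(end, len(data)):
        size = struct.unpack_from("<H", data, pos)[0]  # ItemIDSize includes the 2-byte size field
        if size < 2 or pos + size > len(data):         # TerminalID (0) or a corrupt size
            break
        items.append(data[pos + 2:pos + size])
        pos += size
    return items

def find_module_paths(data):
    """Heuristic: UTF-16LE strings inside the ID list that name a .dll or .cpl module."""
    hits = []
    for item in parse_idlist(data):
        for start in (0, 1):  # the string need not begin at item offset 0, try both alignments
            text = item[start:].decode("utf-16-le", errors="ignore")
            for s in text.split("\x00"):
                if s.lower().endswith((".dll", ".cpl")) and s not in hits:
                    hits.append(s)
    return hits

def triage(data):
    """Return (all module paths, those a Control Panel shortcut should never reference)."""
    paths = find_module_paths(data)
    suspicious = [p for p in paths
                  if p.startswith("\\\\") or not p.lower().startswith(SYSTEM_DIR)]
    return paths, suspicious

def build_sample_lnk(module_path):
    """Constructed test input: header plus a one-item ID list carrying module_path.
    Not a working shortcut, just enough structure for the parser above."""
    item = module_path.encode("utf-16-le") + b"\x00\x00"
    idlist = struct.pack("<H", len(item) + 2) + item + b"\x00\x00"  # ItemID + TerminalID
    header = (struct.pack("<I", HEADER_SIZE) + bytes(16)            # HeaderSize, LinkCLSID
              + struct.pack("<I", HAS_LINK_TARGET_IDLIST)
              + bytes(HEADER_SIZE - 24))                            # remaining fields zeroed
    return header + struct.pack("<H", len(idlist)) + idlist

if __name__ == "__main__":
    for sample in ("C:\\Windows\\System32\\appwiz.cpl",
                   "\\\\webdav-host.example\\share\\payload.dll"):  # placeholder host
        print(sample, "->", triage(build_sample_lnk(sample))[1])
```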
Views: 470 | Added by: w1zard | Rating: 0.0/0