Windows Shell LNK file CONTROL item command execution

2010-07-22T00:00:00
ID SAINT:0083688CA07FA21D6F4D1102BD0550AB
Type saint
Reporter SAINT Corporation
Modified 2010-07-22T00:00:00

Description

Added: 07/22/2010
CVE: CVE-2010-2568
BID: 41732
OSVDB: 66387

Background

Microsoft Windows supports LNK files, also known as shortcuts, which are references to other files. Shortcuts can be placed in a location which is convenient for users (such as the Desktop or Start menu), from which they can be used to execute the referenced file.

Problem

A design weakness in the Windows shell allows command execution when a user opens a shortcut file containing a CONTROL item which specifies a malicious executable DLL. The shortcut file could be given to the user on removable media such as a USB flash drive.

Resolution

See Microsoft Security Advisory 2286198 for patch information or workarounds.

References

<http://www.kb.cert.org/vuls/id/940193>

Limitations

The specified SMB share must be accessible by the target user. Before the exploit can succeed, download the exploit.dll file and place it on the specified share.

The user must double-click on the shortcut file in order for this exploit to succeed.

Platforms

Windows