Patched Windows Machines Exposed to Stuxnet LNK Flaw All Along

A five-year-old Microsoft patch for the .LNK vulnerability exploited by Stuxnet failed to properly protect Windows machines, leaving them exposed to exploits since 2010.

Microsoft today is expected to release a security bulletin, MS15-020, patching the vulnerability (CVE-2015-0096). It is unknown whether there have been public exploits of patched machines. The original LNK patch was released Aug. 2, 2010.

The .LNK vulnerability was part of Stuxnet’s arsenal as it went after Iran’s nuclear program with a barrage of exploits targeting Windows vulnerabilities, as well as shortcomings inside Siemens programmable logic controllers in charge of centrifuge operations inside the Natanz uranium enrichment facility.

German researcher Michael Heerklotz in January reported the new findings to HP’s Zero Day Initiative, which is expected to release full details today at 5 p.m. Eastern time.

“That patch didn’t completely address the .LNK issue in the Windows shell, and there were weaknesses left behind that have been resolved in this patch,” said Brian Gorenc, manager of vulnerability research with ZDI. Gorenc said the vulnerability works on Windows machines going back to Windows XP through Windows 8.1, and the proof of concept exploit developed by Heerklotz and tweaked by ZDI evades the validation checks put in place by the original Microsoft security bulletin, CVE-2010-2568.

LNK files define shortcuts to files or directories; Windows allows them to use custom icons from control panel files (.CPL). In Windows, ZDI said, those icons are loaded from modules, either executables or DLLs; CPLs are DLLs. An attacker is able to then define which executable module would be loaded, and use the .LNK file to execute arbitrary code inside of the Windows shell.

“What makes this vulnerability so attractive is the history behind its attack surface, and the ability to load arbitrary DLLs to execute code,” Gorenc said. “From an attacker’s perspective, if they can get a user to view a folder with a malicious LNK stored inside, they will be able to execute arbitrary code. It’s an easy attack surface for them to hit.”

The exploit code is fairly easy to generate, Gorenc said, and does not require bypassing any of the memory mitigations put in place by Microsoft in its operating system.

Gorenc would not say whether the vulnerability had been exploited in the wild, but did point out that a Metasploit module has been available since 2010 and has been used in countless pen-tests.

The timing of this announcement coincides with new research coming out of last month’s Kaspersky Security Analyst Summit, during which the Equation APT group was uncovered. The group has been linked to Stuxnet, Flame and other advanced attack platforms, and made use of the same .LNK vulnerability.

The most direct connection was found in the Fanny worm that is part of the Equation malware toolkit and pre-dates Stuxnet. The worm exploits two zero day vulnerabilities later used by Stuxnet, including the .LNK exploit. Fanny was used to infect air-gapped machines inside of sensitive installations, moving between infected systems via USB removable storage drives.

When a USB stick is infected, the Fanny worm creates a hidden storage partition on the drive. When the infected stick is plugged into an air-gapped machine that is not online, it maps that computer’s system information. If the stick is later plugged into a machine that is connected to the Internet, the stolen data is sent to the attackers. The attackers can then save commands to the hidden partition, and if the stick is plugged back in to the air-gapped machine, Fanny will recognize the commands and run them.

“This effectively allowed the Equation group to run commands inside air-gapped networks thorugh the use of infected USB sticks, as well as map the network infrastructure of such networks,” said a report written by Kaspersky Lab.