Microsoft Repatches Stuxnet-Related Flaw

Thursday, March 12, 2015 @ 06:03 PM gHale

Microsoft patched an LNK parsing vulnerability almost five years ago, but the fix did not fully solve the problem.

It is the same vulnerability the state-sponsored Equation group had used for espionage since 2008.


In August 2010 Microsoft issued a patch (MS10-046) for CVE-2010-2568, a vulnerability that lets an attacker gain a foothold on a target machine when the victim simply opens a folder containing malformed shortcut (LNK) files; a USB drive was the typical initial infection vector.

The security flaw came to light earlier that year, when security researchers at Belarusian antivirus company VirusBlokAda discovered Stuxnet, the malware created to target Siemens SIMATIC Step 7 or SIMATIC WinCC software used in industrial control systems (ICS).

ISSSource reported that the Stuxnet campaign was conducted by the United States and Israel to disable the uranium enrichment plant near Natanz, Iran.

In 2014, security researchers at Kaspersky found the flaw had been exploited since at least 2008 by a worm they dubbed Fanny, part of a much larger cyber-espionage operation run by a threat actor they named Equation (active since at least 2001).

A Fanny sample had been publicly available since a forum post published on July 13, 2010, a couple of days before news about Stuxnet started to attract wider attention online.

The attack consisted of crafting LNK shortcuts whose icon is loaded from a malicious DLL placed in the same directory. When the folder is opened in Windows Explorer, the shell loads and executes that DLL, with no user interaction, simply to render the shortcut’s icon.

“The problem is that in Windows, icons are loaded from modules (either executables or dynamic link-libraries). In fact, .CPL files are actually DLLs. Because an attacker could define which executable module would be loaded, an attacker could use the .LNK file to execute arbitrary code inside of the Windows shell and do anything the current user could,” said Dave Weinstein from HP’s Zero Day Initiative in a blog post.

In the new variant of the exploit, the attacker creates a malformed LNK file containing a path of exactly 257 characters with embedded unescaped spaces.

Two files are also required: one whose name contains the embedded unescaped spaces, which serves as a decoy to satisfy the file-existence check, and one without them, which is the module actually loaded into the process.
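Parsing and triaging shortcut files of the kind described above, as an added example that is not code from the article, ZDI, Kaspersky or Microsoft: the script reads the ShellLinkHeader and StringData of a .LNK file following the MS-SHLLINK layout, recovers the ICON_LOCATION string and the raw LinkTargetIDList, and flags the patterns discussed here (an icon module outside the Windows directory, a relative or UNC module path, a 257-character path with embedded spaces, a .dll/.cpl reference inside the ItemID list). The sample shortcuts are constructed inline, and the thresholds and finding codes are this example's own assumptions rather than a published signature; real malicious samples may differ.

```python
# Added example (not code from the article, ZDI or Microsoft): a triage parser
# for Windows Shell Link (.LNK) files. Structure offsets follow MS-SHLLINK;
# the heuristics, finding codes and sample files are this example's own
# assumptions, not a vendor signature.
import struct
import uuid

LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")
HEADER_SIZE = 0x4C  # ShellLinkHeader is always 76 bytes

# LinkFlags bits (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each only if its flag is set.
STRING_FIELDS = [
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
]


def parse_lnk(data: bytes) -> dict:
    """Parse ShellLinkHeader, the raw LinkTargetIDList and StringData."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    icon_index, = struct.unpack_from("<i", data, 56)
    info = {"flags": flags, "icon_index": icon_index, "idlist": b""}
    off = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:
        size, = struct.unpack_from("<H", data, off)        # IDListSize
        info["idlist"] = data[off + 2:off + 2 + size]       # kept raw, not decoded
        off += 2 + size
    if flags & HAS_LINK_INFO:
        size, = struct.unpack_from("<I", data, off)        # LinkInfoSize includes itself
        off += size
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count, = struct.unpack_from("<H", data, off)       # CountCharacters
        off += 2
        if flags & IS_UNICODE:
            info[name] = data[off:off + 2 * count].decode("utf-16-le")
            off += 2 * count
        else:
            info[name] = data[off:off + count].decode("cp1252", errors="replace")
            off += count
    return info


def triage(info: dict) -> list:
    """Heuristic findings as (code, detail) pairs; assumed thresholds, not a signature."""
    findings = []
    icon = info.get("icon_location", "")
    low = icon.lower()
    if low.endswith((".dll", ".cpl")) and not low.startswith(("%systemroot%", "c:\\windows\\")):
        findings.append(("MODULE_OUTSIDE_WINDIR", icon))
    if low.startswith("\\\\"):
        findings.append(("UNC_ICON", icon))                 # module fetched over SMB/WebDAV
    if icon and "\\" not in icon and not icon.startswith("%"):
        findings.append(("RELATIVE_ICON", icon))            # resolved next to the shortcut
    if len(icon) == 257 and " " in icon:                    # pattern described for CVE-2015-0096
        findings.append(("PATH_257_WITH_SPACES", icon[:40] + "..."))
    # Shortcuts that hand the shell a Control Panel item carry the module path
    # inside an ItemID rather than in ICON_LOCATION, so scan the raw list too.
    for ext in (".dll", ".cpl"):
        if ext.encode("utf-16-le") in info["idlist"].lower():
            findings.append(("IDLIST_MODULE", ext))
            break
    return findings


def build_lnk(icon_location: str, idlist_items=()) -> bytes:
    """Construct a minimal Unicode .LNK; used only to make sample input for this example."""
    flags = HAS_ICON_LOCATION | IS_UNICODE
    body = b""
    if idlist_items:
        flags |= HAS_LINK_TARGET_ID_LIST
        idlist = b"".join(struct.pack("<H", len(i) + 2) + i for i in idlist_items) + b"\x00\x00"
        body += struct.pack("<H", len(idlist)) + idlist
    body += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID.bytes_le,
                         flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)   # ShowCommand = 1
    return header + body


# Constructed samples (assumed shapes, not real malware).
LONG_PATH = "C:\\x y\\" + "z" * 246 + ".dll"   # 7 + 246 + 4 = 257 characters
SAMPLES = {
    "benign": build_lnk("%SystemRoot%\\system32\\shell32.dll"),
    "sibling_dll": build_lnk("payload.dll"),
    "cpl_in_idlist": build_lnk("%SystemRoot%\\system32\\shell32.dll",
                               [b"\x1f\x00" + "C:\\Users\\Public\\pwn.cpl".encode("utf-16-le")]),
    "long_path": build_lnk(LONG_PATH),
}


def triage_codes(data: bytes) -> list:
    return [code for code, _ in triage(parse_lnk(data))]


if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(f"{name:14s} {triage_codes(blob)}")
```

Run it against a directory of recovered shortcuts by reading each file's bytes into `triage_codes`; a shortcut with no findings is not proven clean, since the script does not decode ItemIDs or LinkInfo, but any finding is worth a closer look with a full LNK parser.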

It turns out that the original fix Microsoft shipped for the LNK vulnerability could be bypassed by an experienced researcher, leaving Windows computers exposed for more than four years to the same attack method used by Stuxnet and Fanny.

In early January this year, German researcher Michael Heerklotz provided HP’s ZDI with details proving the fix for CVE-2010-2568 was incomplete and the LNK flaw could still be exploited.

The new flaw was assigned CVE-2015-0096 and was patched by Microsoft in this month’s security updates.

Microsoft addressed the issue by correcting the way Windows handles the loading of DLL files.

Users who applied the manual mitigations Microsoft published in 2010 were not exposed to attacks exploiting the shortcut parsing flaw; the same mitigations are listed in security bulletin MS15-020 for the second patch as well.

The workaround consists of disabling the display of icons for shortcuts (removing the shortcut icon handler registration) and disabling the WebClient service. The latter blocks the most likely remote delivery vector, the WebDAV client; users are still prompted before programs are opened from the Internet, but WebDAV shares become inaccessible from the client computer.
