Vulnerability

kernel

Affected

Win 2000

Description

Matthew Murphy (Murphy Security Advisory #9) found the following. Windows .LNK files are used for quick access to programs that may be stored away on the hard drive. Part of this shortcut interface is the use of hotkeys, keys that when pressed (for example F10) run the .LNK file and whatever file it is linked to. There are three problems with this:

A) In Windows, .LNK files can run from any location upon the pressing of a hotkey.
B) The user does not have to be the one to place the shortcut.
C) .LNK files can link to programs not authorized by the user.

So, if an attacker wished, he or she could place a *.LNK file on a network drive with a hotkey, such as F1 (normally the help hotkey), and have it link to an unsigned *.EXE file on that same drive. So, when the new system admin logged in to the new drive, the next time they hit F1 for help, the .LNK file would automatically run, overriding the typical behavior of starting help, and launching the executable. Now, the powerful file that was linked to by the .LNK has complete control of the system, resulting in the compromise of whatever privileges the user has. It is as if the user had directly clicked on the file. Another troublesome shortcut hotkey is ALT+F4, which normally closes windows.

Microsoft worked with Matthew over the past several weeks to investigate this report, but they have been unable to reproduce the issue he describes. Matthew is right that it's possible to create an .exe file on a mapped share, then make a shortcut to it on the same share and map a hotkey such as F1 to the shortcut. All of this is expected behavior, and could only be done by a user with sufficient permissions on the share. The report goes on to say that once the .exe, shortcut and hotkey mapping have been created, the hotkey mapping would take precedence over any other program's use of the hotkey.

So, for instance, if the attacker had created malware on the share and assigned it to F1, the reported effect would be to override all other uses of the F1 key, with the result that any user who mapped the share and subsequently hit the F1 key would cause the attacker's malware to run. If this were true, it would indeed be a security vulnerability. However, MS has been unable to demonstrate any case in which this happens, even using sample code Matthew provided us.

Solution

See http://support.microsoft.com/support/kb/articles/Q134/5/52.asp, which reaffirms that shortcut keys only work when they're in your Start menu or Desktop.
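
To audit a share for shortcuts that carry a hotkey at all, the check below reads the HotKey field from each .LNK header. It is an added example, not code from the advisory or from Microsoft; the offsets and modifier bits follow the published Shell Link binary format (MS-SHLLINK), and the names lnk_hotkey, audit_tree and make_header are hypothetical.

```python
import struct
from pathlib import Path

# Shell Link header constants (MS-SHLLINK): 76-byte header, fixed CLSID,
# HotKey field at offset 64 (low byte = virtual key, high byte = modifiers).
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
MODIFIERS = ((0x02, "CTRL"), (0x04, "ALT"), (0x01, "SHIFT"))

def key_name(vk):
    """Translate a virtual-key code into a readable name."""
    if 0x70 <= vk <= 0x87:                        # VK_F1 .. VK_F24
        return f"F{vk - 0x6F}"
    if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:  # digits and letters
        return chr(vk)
    return f"VK_0x{vk:02X}"

def lnk_hotkey(header):
    """Return e.g. 'ALT+F4' for a .LNK header, or None if no hotkey is set."""
    if len(header) < HEADER_SIZE:
        raise ValueError("truncated shell link header")
    (size,) = struct.unpack_from("<I", header, 0)
    if size != HEADER_SIZE or header[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    vk, mods = header[64], header[65]
    if vk == 0:
        return None
    return "+".join([n for bit, n in MODIFIERS if mods & bit] + [key_name(vk)])

def audit_tree(root):
    """List (path, hotkey) for every .LNK under root that carries a hotkey."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() != ".lnk" or not path.is_file():
            continue
        try:
            hotkey = lnk_hotkey(path.read_bytes()[:HEADER_SIZE])
        except (OSError, ValueError):
            continue                              # unreadable or malformed file
        if hotkey:
            findings.append((str(path), hotkey))
    return findings

def make_header(vk, mods):
    """Constructed sample: a minimal header with only the hotkey populated."""
    h = bytearray(HEADER_SIZE)
    struct.pack_into("<I", h, 0, HEADER_SIZE)
    h[4:20] = LINK_CLSID
    h[64], h[65] = vk, mods
    return bytes(h)
```

Calling audit_tree on the root of a mapped share returns the shortcuts worth reviewing; a hotkey on a shortcut outside a user's own Start menu or Desktop is the case the report is concerned with.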