Wei Gao, Blog Author
Senior Security Research Engineer

Windows LNK Shortcut File Code Execution (CVE-2017-8464) Analysis

August 29, 2017 by Wei Gao

Microsoft released a patch for CVE-2017-8464, an LNK remote code execution vulnerability, in June 2017. In a realistic scenario, an attacker drops USB keys around a target business' building or hands someone a removable drive directly. The drive contains a malicious Shell Link Binary (.lnk) file and an associated malicious binary. When the user browses the drive in Windows Explorer, Explorer parses the LNK file and loads the attacker's binary; the user does not need to click the shortcut itself.

CVE-2017-8464 affects the following Windows versions:

  • Windows 7
  • Windows 8.1
  • Windows RT 8.1
  • Windows 10
  • Windows Server 2008
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016

Ixia's ATI-2017-17 release includes a strike for this vulnerability. The strike generates the malicious LNK file.

The LNK file format is as follows:

[Figure 1: LNK file format]

The Shell Link Binary file includes a shell link header, LinkTargetIDList, LinkInfo, StringData, and ExtraData.

[Figure 2: Shell Link Binary file layout]

The Shell Link Header contains identification information, timestamps, and flags that specify the presence of optional structures. [1] The LinkTargetIDList structure specifies the target of the link. The presence of this structure is specified by the HasLinkTargetIDList bit in the Shell Link Header. The LinkInfo structure specifies information necessary to resolve the link target. The presence of this structure is specified by the HasLinkInfo bit in the Shell Link Header. The StringData structures are used to convey user interface and path identification information. The presence of these structures is specified by bits in the Shell Link Header. ExtraData refers to a set of structures that convey additional information about a link target. These optional structures can be present in an extra data section that is appended to the basic Shell Link Binary File Format.

To trigger this vulnerability, the Shell Link Binary file must contain both a LinkTargetIDList and an ExtraData section holding a SpecialFolderDataBlock.

The LinkTargetIDList format is as follows [2]:

[Figure 3: LinkTargetIDList format]

In our example the LinkTargetIDList holds three ItemIDs. The first two are 0x14 bytes each and the third is 0x46 bytes; the third ItemID carries the path of the malicious DLL.

The ExtraData section contains a SpecialFolderDataBlock [3]:

[Figure 4: SpecialFolderDataBlock format]

After the LinkTargetIDList is parsed, explorer.exe parses the SpecialFolderDataBlock and calls CShellLink::DecodeSpecialFolder. That function uses the block's Offset field, 0x28 here (0x14 + 0x14, the size of the first two items), to locate the third ItemID in the LinkTargetIDList. The DLL named in that ItemID is then loaded and its code executes.
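To make the structures above concrete, here is a small parser, added for this post and not part of the ATI strike or any Ixia code, that walks the Shell Link Header, the LinkTargetIDList and the ExtraData blocks, then checks where a SpecialFolderDataBlock's Offset lands. It runs on a constructed sample LNK built inline (three ItemIDs sized 0x14/0x14/0x46 as in the analysis, Offset 0x28) rather than on the strike's gtvx.lnk, and the third item's body is just a zero-padded UTF-16 path, not the real item layout. The `looks_like_dll_path` heuristic is a triage assumption, not a signature for the vulnerability.

```python
import struct
import sys

# Field layout and constants follow the MS-SHLLINK spec cited in the post ([1]-[3]).
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
STRING_DATA_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)  # HasName .. HasIconLocation
IS_UNICODE = 0x80
SPECIAL_FOLDER_SIG = 0xA0000005  # SpecialFolderDataBlock BlockSignature


def build_sample_lnk():
    """Constructed sample for this example (not the strike's gtvx.lnk): three
    ItemIDs sized 0x14/0x14/0x46, no LinkInfo or StringData, and one
    SpecialFolderDataBlock whose Offset (0x28) points at the third ItemID."""
    header = struct.pack("<I16sII", HEADER_SIZE, LINK_CLSID, HAS_LINK_TARGET_ID_LIST, 0)
    header = header.ljust(HEADER_SIZE, b"\x00")  # timestamps, sizes, reserved fields
    item1 = struct.pack("<H", 0x14) + b"\x1f" + b"\x00" * 17
    item2 = struct.pack("<H", 0x14) + b"\x2e" + b"\x00" * 17
    path = "C:\\zymu.dll".encode("utf-16-le") + b"\x00\x00"  # assumed DLL path, as in the post
    item3 = struct.pack("<H", 0x46) + path.ljust(0x46 - 2, b"\x00")
    idlist = item1 + item2 + item3 + b"\x00\x00"  # trailing TerminalID
    # BlockSize, BlockSignature, SpecialFolderID (arbitrary value for the sample), Offset
    special = struct.pack("<IIII", 0x10, SPECIAL_FOLDER_SIG, 3, 0x28)
    return header + struct.pack("<H", len(idlist)) + idlist + special + struct.pack("<I", 0)


def parse_lnk(data):
    """Return (LinkFlags, [(offset_from_idlist_start, item_body)], [(signature, block_body)])."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a Shell Link Header")
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != HEADER_SIZE or clsid != LINK_CLSID:
        raise ValueError("not a Shell Link Binary file")
    pos = HEADER_SIZE
    items = []
    if flags & HAS_LINK_TARGET_ID_LIST:
        idlist_size = struct.unpack_from("<H", data, pos)[0]
        start = pos + 2  # Offset in SpecialFolderDataBlock is relative to the first ItemID
        cur = start
        while True:
            item_size = struct.unpack_from("<H", data, cur)[0]
            if item_size == 0:  # TerminalID
                break
            if item_size < 2 or cur + item_size > start + idlist_size:
                raise ValueError("ItemIDSize out of bounds at 0x%x" % (cur - start))
            items.append((cur - start, data[cur + 2:cur + item_size]))
            cur += item_size
        pos = start + idlist_size
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]  # LinkInfoSize covers the whole structure
    char_size = 2 if flags & IS_UNICODE else 1
    for bit in STRING_DATA_FLAGS:  # each StringData entry: CountCharacters + string
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2 + count * char_size
    blocks = []
    while pos + 4 <= len(data):
        block_size = struct.unpack_from("<I", data, pos)[0]
        if block_size < 4:  # TerminalBlock
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        blocks.append((sig, data[pos + 8:pos + block_size]))
        pos += block_size
    return flags, items, blocks


def resolve_special_folder(data):
    """Return (Offset, body of the ItemID it points at), or None if there is no
    SpecialFolderDataBlock. An Offset that hits no ItemID boundary is an error,
    which is the first thing to check on a suspicious shortcut."""
    _flags, items, blocks = parse_lnk(data)
    for sig, body in blocks:
        if sig == SPECIAL_FOLDER_SIG:
            _folder_id, offset = struct.unpack("<II", body[:8])
            for item_off, item_body in items:
                if item_off == offset:
                    return offset, item_body
            raise ValueError("SpecialFolderDataBlock Offset 0x%x hits no ItemID" % offset)
    return None


def looks_like_dll_path(item_body):
    """Triage heuristic (assumption): does the referenced ItemID carry a .dll path?"""
    return ".dll" in item_body.decode("utf-16-le", errors="ignore").lower()


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_lnk()
    hit = resolve_special_folder(data)
    if hit is None:
        print("no SpecialFolderDataBlock present")
    else:
        off, body = hit
        print("Offset 0x%x -> ItemID of 0x%x bytes, dll path: %s"
              % (off, len(body) + 2, looks_like_dll_path(body)))
```

Run it with a path to a real .lnk to inspect the file instead of the sample. When triaging shortcuts from removable media, an Offset that does not fall on an ItemID boundary, or one that lands on an item carrying a DLL path, is what to look at first.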

To reproduce it, create a DLL-format Meterpreter reverse TCP payload with msfvenom (payload windows/meterpreter/reverse_tcp, output format dll):

[Figure 5: msfvenom command generating zymu.dll]

Copy zymu.dll and the LNK file (gtvx.lnk) generated by the strike to the root of the C: drive on the target Windows 7 machine. The DLL's path must match the path embedded in the LNK file.

[Figure 6: zymu.dll and gtvx.lnk on the target's C: drive]

Set up and start the Metasploit multi/handler. When the C: drive is opened in Explorer on the Windows 7 machine, the handler receives a Meterpreter session.

[Figure 7: Meterpreter session received by the Metasploit handler]

In the BreakingPoint GUI, search for the keyword "cve-2017-8464" and add the strike for validation. The Ixia BreakingPoint Application and Threat Intelligence (ATI) Subscription provides bi-weekly updates of the latest application protocols and attacks for use with Ixia platforms.

References:

[1] https://msdn.microsoft.com/en-us/library/dd891253.aspx

[2] https://msdn.microsoft.com/en-us/library/dd891268.aspx

[3] https://msdn.microsoft.com/en-us/library/dd891269.aspx