Comments on: Mitigating .LNK Exploitation With SRP

By: Stuxnet / CPLink la situation ne s’arrange pas | Linux-backtrack.com

Stuxnet / CPLink la situation ne s’arrange pas | Linux-backtrack.com — Thu, 10 Feb 2011 21:32:38 +0000

[...] la mise en place de règles locales de sécurité qui empêchent l’exécution de fichiers extérieurs au disque système C:; [...]

By: Quickpost: Ariad & DLL Preloading « Didier Stevens

Quickpost: Ariad & DLL Preloading « Didier Stevens — Thu, 26 Aug 2010 12:11:28 +0000

[...] writing this quickpost just in case you hadn’t figured this out for yourself: the techniques I described to protect machines from the .LNK vulnerability also help you mitigate the DLL preloading [...]

By: Free_Sophos_tool_blocks_Windows_shortcut_attacks

Free_Sophos_tool_blocks_Windows_shortcut_attacks — Wed, 28 Jul 2010 05:07:41 +0000

[...] is still a disgrace Details. http://technet.microsoft.com/en-us/l…/bb457006.aspx Mitigating .LNK Exploitation with SRP | Didier Stevens Sujay, that's one of the best OS defensive pillbox. But it wont appeal to [...]

By: -

Tue, 27 Jul 2010 10:48:40 +0000

after looking over the ms kb, and googling, it looks like it’s easiest for everyday win users to set webclient to “stopped” and “disabled” in services.msc
webclient is probably already off, i assume (uh oh ) that disabling it will prevent a .lnk file (in explorer.exe) from starting up webclient?

By: Didier Stevens

Didier Stevens — Mon, 26 Jul 2010 16:26:04 +0000

@prk No, nothing special.

By: prk

prk — Mon, 26 Jul 2010 07:34:57 +0000

There are a few… I.e

http://jafat.sourceforge.net/files.html
http://www.javafaq.nu/java-example-code-468.html

Plus the good reference at http://msdn.microsoft.com/en-us/library/dd871305%28PROT.10%29.aspx (which lately has received some well needed updates)

I phrased it wrong though, I really meant any common LNK Parser (the public ones, EnCase’s, etc). Do you get any useful information out of your template on these specific LNKs?

By: Didier Stevens

Didier Stevens — Mon, 26 Jul 2010 07:15:29 +0000

@prk No, but I’ve written my own 010 Editor template for the .LNK binary format. Do you have a link to a publicly available LNK parser?

By: prk

prk — Mon, 26 Jul 2010 07:06:22 +0000

@Didier
Hey Didier! Yes, it does. I wasn’t too sure what the stroke meant as I hadn’t seen the original post.
*hint* Have you tried parsing these LNKs with any current publicly available LNK parser?

By: Week 29 in Review – 2010 | Portable Digital Video Recorder

Week 29 in Review – 2010 | Portable Digital Video Recorder — Mon, 26 Jul 2010 05:46:28 +0000

[...] Mitigating .LNK Exploitation With SRP – didierstevens.com [...]

By: Week 29 in Review – 2010 | Infosec Events

Week 29 in Review – 2010 | Infosec Events — Mon, 26 Jul 2010 04:34:32 +0000

[...] Mitigating .LNK Exploitation With SRP – didierstevens.com [...]