Didier Stevens

Sunday 18 July 2010

Mitigating .LNK Exploitation With Ariad

Filed under: My Software,Vulnerabilities — Didier Stevens @ 13:42

Today I tested @Ivanlef0u ‘s .LNK PoC with my latest Ariad tool.

I adapted the PoC to work on a CD-ROM for drive D. When you load the CD-ROM with the PoC (I use an ISO file inside a VM) and take a look at DbgView’s output, you’ll notice that payload gets executed:

With Ariad installed on the machine in its default configuration (just block \autorun.inf), the PoC still works:

But configuring Ariad to block access to executables (this includes .LNK) prevents the PoC from executing:

Access to the .LNK file is denied, and Windows Explorer can’t start the payload.

And configuring Ariad to prevent files to be mapped in memory (this is something done by Windows with executables) also prevents the PoC from executing:

This time, access to the .LNK file is not denied, but dll.dll is prevented from loading into memory, thus again preventing the payload from executing.

You can use Ariad if you want to mitigate attacks with these shortcut links until Microsoft releases a patch. As it is expected that Microsoft will not release a patch for Windows XP SP2, Ariad can offer permanent mitigation.

Be sure to read Ariad‘s documentation before using it.

Blog at WordPress.com.