Didier Stevens

Sunday 8 August 2010

Quickpost: 2 .LNK Tools

Filed under: My Software,Quickpost,Vulnerabilities — Didier Stevens @ 10:52

Microsoft has issued an emergency patch (MS10-046) for the .LNK file vulnerability (CVE-2010-2568).

I’m releasing two small tools I developed to help me investigate this vulnerability.

First one is a 010 Editor template file for the .LNK binary file format.

Second one is a ClamAV signature file to find all .LNK shortcuts that load a DLL (malicious or benign).

To scan your drive C, issue command

clamscan.exe -d LNK-CPL-CVE-2010-2568.ndb -l scan.log -r c:\

Quickpost info


  1. […] This post was mentioned on Twitter by Aleksandr Matrosov, Jochem and alex knorr, xanda. xanda said: .LNK Tools by @DidierStevens http://bit.ly/9miiWm […]

    Pingback by Tweets that mention Quickpost: 2 .LNK Tools « Didier Stevens -- Topsy.com — Sunday 8 August 2010 @ 11:30

  2. Hi Didier, regarding the .LNK vulnerability, I used this tool to parse link files and I want to share it with you:
    http://jafat.sourceforge.net/files.html (see lnk-parse-1.0.pl)

    P.S. your 010Editor template does a great job

    Comment by shinnai — Monday 9 August 2010 @ 9:31

  3. […] la plantilla LNK de 010 Editor publicada recientemente por Didier Steven’s, obviamente para el programa 010 Editor, que si no conocéis os recomiendo que le hagáis una […]

    Pingback by Parsing de LNK: “You’re doing it wrong” — Tuesday 10 August 2010 @ 11:19

  4. […] use Didier Steven’s recently released 010 Editor LNK Template for the 010 Editor […]

    Pingback by LNK Parsing: You’re doing it wrong (I) — Tuesday 10 August 2010 @ 11:20

  5. Your clamav signature does not “find all .LNK shortcuts that load a DLL.” You may wish to revise your wording. A more accurate description would be that it “finds a specific .LNK shortcut that operates in the Control Panel.”

    Comment by Forrest Gump — Tuesday 10 August 2010 @ 14:24

  6. @Forrest Gump You’re right, I actually wanted to write “find all .LNK shortcuts that load a DLL without opening.”

    Comment by Didier Stevens — Tuesday 10 August 2010 @ 14:34

  7. Well actually, I think you may have missed the point. The clamav signature you provided is *very* specific. Given that you’ve written an 101 template for the LNK file, you should be aware that the file format has many flags, variable-length, and variable-count entries. Your signature appears to only be for one specificially-formatted LNK file. Change e.g. just a single bit flag, and the signature won’t trigger.

    Beyond that, the signature doesn’t have anything to do with DLL files. It stops at the point of knowing that the shortcut operates within the context of the control panel. It ignores the target.

    Comment by Forrest Gump — Tuesday 10 August 2010 @ 15:35

  8. @Forrest Gump “Your signature appears to only be for one specificially-formatted LNK file.” Yes, I mainly check for the 2 IDLISTs used to write exploits for MS010-2568. Do you have .LNK examples without these 2 IDLISTs that exploit MS010-2568?

    Comment by Didier Stevens — Tuesday 10 August 2010 @ 16:16

  9. The first IDLIST can contain a different byte sequence and still be functional. I have confirmed this part. I have a hunch that the second IDLIST, which is the one of interest, may also not always be 58 bytes away from the header, but have not confirmed that aspect.

    Comment by Forrest Gump — Tuesday 10 August 2010 @ 17:54

  10. @Forrest Gump That’s really interesting. I had changed some random bytes in the first and second IDLIST, and the result was that the DLL didn’t load anymore. Could you provide more details?

    Comment by Didier Stevens — Tuesday 10 August 2010 @ 18:03

  11. Well, a GUID is 16 bytes. And the data sections for the two IDLISTS you’re likely dealing with are 18 bytes. If you change the GUID, then you break the functionality. While I don’t know the function of the two bytes that preceed the GUIDs, I do know that they can be changed (at least with certain patterns) without breaking the exploit.

    Comment by Forrest Gump — Tuesday 10 August 2010 @ 19:09

  12. The (MS) IDList format seems to start with a single byte that specifies the IDList type. So the format of the registry IDListItem we are dealing with here is
    WORD Size;
    BYTE Type;
    BYTE Unknown;//This could probably be changed and still work?
    GUID guid;//guid of COM interface that implements shell namespace/shellview host?

    Comment by WndSks — Tuesday 10 August 2010 @ 22:47

  13. @WndSks Sounds about right.

    Comment by Forrest Gump — Wednesday 11 August 2010 @ 12:33

  14. @WndSks I can confirm that the last 16 bytes of the 2 first IDFLists are GUIDs. I updated my template to parse and identify the GUIDs, and they are well-known shell GUIDs: My Computer and Control Panel.

    @Forrest Gump I assume you change the byte for the Type and/or the Unknown byte, but not the GUIDs?

    Comment by Didier Stevens — Wednesday 11 August 2010 @ 16:08

  15. @Didier: I think the type byte may be a bit field, so perhaps some of the bits can be changed, but not all (Looking at a shortcut to the control panel, the two shiid’s start with 14 00 1F and 14 00 2E)

    Comment by WndSks — Wednesday 11 August 2010 @ 18:50

  16. @Didier: Correct.

    Comment by Forrest Gump — Wednesday 11 August 2010 @ 21:06

  17. Sup guys, I just published the 2nd article of the LNK Parsing series. I hope you’ll find useful information there regarding this matter.

    Comment by Jordi / prk — Friday 13 August 2010 @ 1:28

  18. […] — Didier Stevens @ 10:43 I updated my .LNK template with info I got from comments from WndSks and Forrest Gump. This new version identifies well-known Shell […]

    Pingback by Quickpost: « Didier Stevens — Wednesday 18 August 2010 @ 10:43

RSS feed for comments on this post. TrackBack URI

Leave a Reply (comments are moderated)

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Blog at WordPress.com.