Just when you thought it safe to go into the water . . .

(OP)
This Zero Day Exploitation affects all Windows including Win 7. sad



James P. Cottingham
I'm number 1,229!

RE: Just when you thought it safe to go into the water . . .

Holy smokes!
This sounds bad. Looks like M$ will be scrambling trying to find a fix to that!
nosmiley

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell

RE: Just when you thought it safe to go into the water . . .

Thanks for posting that timely info.  I imagine I may be getting some new side work in the upcoming weeks or month. wink

RE: Just when you thought it safe to go into the water . . .

So you combine this flaw with SCADA systems that have hard coded admin passwords that can't be changed and you have a great recipe for fun and entertainment.
http://www.theregister.co.uk/2010/07/20/win_shortcut_vuln_exploit_code/

(The list of people that I need to find and kick in the face grows every day.) cannon

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks,  The software I write sucks.  It's time to give up and have a beer..." - Me

RE: Just when you thought it safe to go into the water . . .

MasterRacker,

Out of curiosity (as I couldn't tell from reading the reports so far), what's a real world example of what could be affected?  I mean is this something that is used in multiple different applications, or is it just a more server-specific thing, or what?  I'm not sure I understand it at this point.

Thanks for any other references, insights, opinions, etc.

RE: Just when you thought it safe to go into the water . . .

Not the original person being responded to, but...

This actually is a pretty nasty hole that was found.  It's a lot like the other LNK holes.  Just change the LNK file a little bit, point it to your DLL and then it's off to the races on whatever you want to do.  In effect, it's a universal drive-by type hole a hacker can use to make anything happen.  Seems to affect everything, too.

More details and more links can be found in the following forum post:

http://www.msfn.org/board/topic/145352-new-windows-lnk-vulnerability/page__pid__932179__st__0&#entry932179

It is not possible for anyone to acknowledge truth when their salary depends on them not doing it.

RE: Just when you thought it safe to go into the water . . .

Kjv,

If you're asking about the Windows flaw itself, Glen covered it.  Any Windows system anywhere could be subverted to do anything.

If you're asking about SCADA systems, those are the control systems for industrial automation.  Robotic assembly lines, chemical processing plants, water treatment plants, power plants, etc.  Compromise the system and you're controlling the plant.

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks,  The software I write sucks.  It's time to give up and have a beer..." - Me

RE: Just when you thought it safe to go into the water . . .

I was asking about the SCADA piece.  So, desktop computers not at risk on that one, but I think I'd rather desktop computers were at risk than what IS at risk there.  That's a really scary perspective.

And kinda makes me think of a particular Bible verse that might well be worth applying in our day:

Quote:

Prov 5:15 (KJV)
15 Drink waters out of thine own cistern, and running waters out of thine own well.

The primary use of that verse would be to be taken spiritually, I believe, however taking it literally in a physical sense right now would not be a bad idea. wink

RE: Just when you thought it safe to go into the water . . .

That Siemens system is quite specific. Most of their SCADA systems run under any normal PC operating system.
What I am saying is that vulnerability is not going to be bringing down all of the world's industrial automation systems.
  

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

RE: Just when you thought it safe to go into the water . . .

That's definitely good to know.  I hope our nearest nuclear power plant isn't using one of those systems. spineyes

RE: Just when you thought it safe to go into the water . . .

And the fix is available........... when???   Now??  Sooner than now, please.   I'm wondering if this is such a basic function of Windows that it might not be patchable.

RE: Just when you thought it safe to go into the water . . .

(OP)
Windows has issued a "Fix It". Unfortunately, it disables all shortcut links. See this article for more info. This is a temporary patch and not a true fix. I suspect that since this affects so many Windows versions that it is deep in the bowels of core code so a true fix may take some time.
 

James P. Cottingham
I'm number 1,229!

RE: Just when you thought it safe to go into the water . . .

So, is this where they call Bill Gates, and say, Bill, who was it you bought the source from?  We need to see them NOW! wink

RE: Just when you thought it safe to go into the water . . .

Quote (sggaunt):

What I am saying is that vulnerability is not going to be bringing down all of the world's industrial automation systems.

Not easily.  I think the point of targeting the Siemens system is that it has a known admin password that can't be changed.  With other SCADA systems, the underlying Windows can be compromised, but the hacker still needs to figure out how to hack the SCADA itself after getting access to the underlying OS.  In addition, most SCADA systems are isolated to private VLANs or even physically separate LANs to help protect them.

If you like the "we're all gonna DIE!" stories, here's a couple:
http://www.theregister.co.uk/2009/02/05/areva_scada_security_bugs/
http://www.theregister.co.uk/2008/09/25/abb_critical_bug/
And an opposing view:
http://www.wired.com/dangerroom/2010/07/hacking-the-electric-grid-you-and-what-army/

As far as the Windows flaw goes, the icon fetching mechanism is probably pretty well baked in, probably in a number of places.  It'll take some work to patch without breaking things I would guess.

 

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks,  The software I write sucks.  It's time to give up and have a beer..." - Me

RE: Just when you thought it safe to go into the water . . .

That "Fix It" from Microsoft is quite funny. From the computerworld.com article 2ffat pointed to, explaining the fix:

Quote:

the tool ... is only a makeshift defense, one that many users may resist applying, since it makes much of the Windows system, including the desktop, taskbar and Start menu, almost unusable

Baahhh, who uses the desktop, taskbar and Start menu anyway? Command Prompt all the way, baby.

RE: Just when you thought it safe to go into the water . . .

Quote:

Baahhh, who uses the desktop, taskbar and Start menu anyway? Command Prompt all the way, baby.

We all know that deep down, even the Microsoft developers are a bunch of Command Line Interface Terrorists. tongue
 

RE: Just when you thought it safe to go into the water . . .

Quote:

SCADA systems are isolated to private VLANS or even physically separate LANS to help protect them.

In fact the networks used are extremely diverse, use of TCP/IP is a very new concept in this field.
Proprietary Fieldbus networks like (Siemens own) Profibus or Devicenet are far more common, and there are many, many more systems and protocols all running on specialised hardware (PC's need to be fitted with interface cards), Bus level control is usually done by a PLC.
Hacking this sort of thing is a non starter as there is virtually no standardisation.

http://en.wikipedia.org/wiki/List_of_automation_protocols

In fact I wrote the Modbus control panel interface firmware running in softstarters in at least one UK power station.
A second MODbus port connects the starter to a Devicenet 'gateway' module, that links back to a PLC and that is connected by ethernet to a PC running SCADA software, no doubt it has an Internet connection.
So if anyone thinks they can remotely change the underlying functionality of the firmware running on the starters, be my guest!
 

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

RE: Just when you thought it safe to go into the water . . .

Steve, I'm not disputing the security of the automation networks.  Even in your system though, what if someone could get through the LAN, connect to the SCADA PC and was able to log in to the SCADA software with operator privileges?  Bet they could do some 'entertaining' things.

Granted even that is not 'easy' but it is conceivable.

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks,  The software I write sucks.  It's time to give up and have a beer..." - Me

RE: Just when you thought it safe to go into the water . . .

Quote (MasterRacker):

If you like the "we're all gonna DIE!" stories, here's a couple:

Thanks, those links will provide some interesting reading.

And a very interesting discussion to be sure.  I've always been curious as to how such things as the utilities run, with modern technology and all...

Reading the high level details from sggaunt definitely puts some fears at least partially at ease.  Wait a minute... maybe TOO much at ease!  SURPRISE

RE: Just when you thought it safe to go into the water . . .

More good news:
http://www.computerworld.com/s/article/9179512/Microsoft_warns_of_Windows_shortcut_drive_by_attacks

Quote:

In the revised security advisory published yesterday Microsoft acknowledged the new attack vector.

"An attacker could also set up a malicious Web site or a remote network share and place the malicious components on this remote location," the company said in the advisory. "When the user browses the Web site using a Web browser such as Internet Explorer or a file manager such as Windows Explorer, Windows will attempt to load the icon of the shortcut file, and the malicious binary will be invoked."

That language was a change from earlier statements by Microsoft, which had said that attackers could hijack Windows PC by setting up a remote network share, a much more complicated task than building a malware-spreading Web site. In the earlier advisory, Microsoft also said that "the malicious binary may be invoked"; the most recent warning instead said "the malicious binary will be invoked" [emphasis added in both cases].

RE: Just when you thought it safe to go into the water . . .

Yeah, that's not good.

RE: Just when you thought it safe to go into the water . . .

I'll worry about all this.... later.   Today is a fine day.

RE: Just when you thought it safe to go into the water . . .

Here's a little more detail.  It isn't the SCADA networks per se that are targeted, rather the Windows hosted SCADA control PCs.
http://www.theregister.co.uk/2010/07/22/siemens_scada_worm/
http://www.theregister.co.uk/2010/07/23/win_shortcut_vuln_goes_mainstream/

Unfortunately, this article also mentions that documents with embedded links (Word, PDF, etc.) can also be used to nail you.

There's only one solution: cheers cheers

 

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks,  The software I write sucks.  It's time to give up and have a beer..." - Me

RE: Just when you thought it safe to go into the water . . .

Am I understanding correctly: if Windows Explorer (or any other program) asks Windows to retrieve the icon belonging to a target program, instead of just retrieving the picture in a static sense, Windows runs code from the target program to provide the icon?
 

RE: Just when you thought it safe to go into the water . . .

Solution
p p p pickup a penguin smile

RE: Just when you thought it safe to go into the water . . .

Quote:

Am I understanding correctly: if Windows Explorer (or any other program) asks Windows to retrieve the icon belonging to a target program, instead of just retrieving the picture in a static sense, Windows runs code from the target program to provide the icon?

More specifically, icons are defined resources in executable files.  This means that you aren't retrieving the picture in a static sense, but calling an API (IShellLinkA/IShellLinkW) to load the executable and find the resource in question.  

As I understand it, there's already been a different, patched exploit to do this with executable files.  But the specific one here involves DLL files.  Now what happens is that the LNK file, which contains information referencing a shortcut target, is changed slightly so that instead of making reference to an icon for the DLL through the LNK file, it loads the DLL.  In loading the DLL it executes the main loading sequence of the DLL.  Hence your exploit.

It is not possible for anyone to acknowledge truth when their salary depends on them not doing it.

RE: Just when you thought it safe to go into the water . . .

Glen,  Is it the LNK file itself that's crafted differently?  I thought it was the DLL that's modified so that the internal pointer went to the executable code instead of the icon image.

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks,  The software I write sucks.  It's time to give up and have a beer..." - Me

RE: Just when you thought it safe to go into the water . . .

Quote:

Glen,  Is it the LNK file itself that's crafted differently?

Yes.  If you reference the link I posted in this thread, you'll see the details of it.  The main contents of that forum post being someone trying to prove if you can do the exploit with 95/98/ME - the answer is yes if you make the LNK ANSI instead of Unicode.

There is nothing different or strange regarding the DLL file and this file can be created in an unmodified fashion using any development environment.

 

It is not possible for anyone to acknowledge truth when their salary depends on them not doing it.

RE: Just when you thought it safe to go into the water . . .

(OP)
I feel like I'm in the middle of a soap opera for some reason. Sophos has released a free tool that will work with any AV program. I haven't tested it so I can't verify if it works or what any adverse effects may be but it seems better than Microsoft's solution.
 

James P. Cottingham
I'm number 1,229!

RE: Just when you thought it safe to go into the water . . .

Excellent, James!
I've just checked this link and it does sound excellent.
I've installed it and it does create a little lag in displaying icons, but it is really just a little one.
Some few icons are not recognized, but I can really live with that - much much better than with the M$ "fix" (cripple).

thumbsup2

"We had to turn off that service to comply with the CDA Bill."
- The Bastard Operator From Hell

RE: Just when you thought it safe to go into the water . . .

But worrying that Microsoft can't/won't/haven't come up with anything?

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

RE: Just when you thought it safe to go into the water . . .

(OP)
But wait! There's more! Conspiracy buffs will have a field day with this article

James P. Cottingham
I'm number 1,229!

RE: Just when you thought it safe to go into the water . . .

(OP)
MS has released a fix! Not much info yet so will have to see what exactly it does.

 

James P. Cottingham
I'm number 1,229!

RE: Just when you thought it safe to go into the water . . .

James, We do know it makes you reboot.  What a surprise.  ROFL

Jeff
It's never too early to begin preparing for International Talk Like a Pirate Day
"The software I buy sucks,  The software I write sucks.  It's time to give up and have a beer..." - Me

RE: Just when you thought it safe to go into the water . . .

What is more worrying is the fact that they thought running 3rd party software just to create an icon was a good idea in the first place!

RE: Just when you thought it safe to go into the water . . .

Just my oldest XP box to do now.
All well so far, except the update knocked over crypsvc (again) on the Vista machine, but it was OK after a second re-boot.

Just trying to work out why 'Problem Reports' says there is a fix available, but there isn't!

Steve: N.M.N.F.
If something is popular, it must be wrong: Mark Twain

RE: Just when you thought it safe to go into the water . . .

IPGuru, I am sooooo glad you wrote that. I can't help but feel that half the security issues we get into now are because someone thought that expandable do-everything design was a really good idea, and forgot that it carries a price: someone might make it do something the designer didn't think of. As a non-programmer I didn't dare think.

For goodness' sake, a shortcut and an icon should never have been more than what they are: a single reference to a program, and a picture.

RE: Just when you thought it safe to go into the water . . .

> Is it the LNK file itself that's crafted differently?  I thought it was the DLL that's modified so that the internal pointer went to the executable code instead of the icon image

No, the LNK file is still a standard, normal LNK file (as a side note, MS removed their documentation for LNK files from MSDN subsequent to this exploit being made public; a copy of it is located here)

No, no DLL modified or pointer changed

The issue is that, under certain circumstances (and this is where the 'specially crafted' that most of the advisories mention comes in), the Shell - not the shortcut - calls LoadLibrary against the file that is supposed to contain the icon used by the shortcut (a DLL). LoadLibrary in turn causes the DLL's (optional) DllMain entry point to be called - so if we write the DLL we can put our own arbitrary code into DllMain - which will get run any time that the shell (or utilities making use of shell APIs) wants to display the icon.
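Glen's explanation of icon resources and the post above both come down to where a shortcut names the file the shell will open to fetch its icon. The following is an added example, not code from this thread, from Microsoft or from any advisory: it parses that part of the .lnk layout (the 76-byte header flags, then the StringData strings, handling both ANSI and Unicode shortcuts as the 95/98/ME note earlier mentions) and applies a defensive triage heuristic to the icon location; the sample shortcut is constructed inline for the demo, and the heuristic is my own assumption of what an analyst would flag, not a rule from the advisory.

```python
import struct

# Shell Link (.lnk) layout: 76-byte fixed header, then optional structures announced
# by LinkFlags at offset 0x14 (offsets follow the public MS-SHLLINK layout).
HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_ICON_LOCATION, IS_UNICODE = 0x01, 0x02, 0x40, 0x80
# StringData fields appear in this fixed order, each present only if its flag is set.
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))


def parse_lnk_strings(data: bytes) -> dict:
    """Return LinkFlags, IconIndex and the StringData strings of a shortcut.
    IDList and LinkInfo are skipped via their size prefixes; ExtraData is ignored."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE:
        raise ValueError("not a Shell Link header")
    if data[4:20] != LINK_CLSID:
        raise ValueError("wrong Shell Link CLSID")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    info = {"flags": flags, "icon_index": struct.unpack_from("<i", data, 0x38)[0]}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (u16) excludes itself
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize (u32) includes itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no NUL
        pos += 2
        if flags & IS_UNICODE:            # UTF-16LE, two bytes per character
            info[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                             # ANSI shortcut (system code page)
            info[name] = data[pos:pos + count].decode("cp1252")
            pos += count
    return info


def icon_source_is_suspicious(info: dict) -> bool:
    """Triage heuristic (my assumption, not an official rule): the shell opens the
    icon-location file to fetch a resource, so flag a library (.dll/.cpl) that is
    named outside the Windows directory, and any library on a UNC share."""
    loc = info.get("icon_location", "").strip().lower()
    if not loc.endswith((".dll", ".cpl")):
        return False
    on_share = loc.startswith("\\\\")
    in_windows = loc.startswith(("%systemroot%\\", "c:\\windows\\"))
    return on_share or not in_windows


def build_sample_lnk(icon_location: str, unicode: bool = True) -> bytes:
    """Construct a minimal shortcut carrying only an ICON_LOCATION string: sample
    input for the parser (no target IDList, LinkInfo or ExtraData)."""
    flags = HAS_ICON_LOCATION | (IS_UNICODE if unicode else 0)
    header = struct.pack("<I16sII3QIiIHHII", HEADER_SIZE, LINK_CLSID, flags,
                         0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)  # zero times/size, SW_SHOWNORMAL
    text = icon_location.encode("utf-16-le" if unicode else "cp1252")
    return header + struct.pack("<H", len(icon_location)) + text
```

This reads only the ICON_LOCATION string; a shortcut can also reach a library through its target item list, which the parser skips, so treat the result as one signal for triage rather than a verdict.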
