
Microsoft: New Windows LNK spoofing issues aren't vulnerabilities


Today, at Wild West Hackin' Fest, security researcher Wietze Beukema disclosed multiple issues in Windows LNK shortcut files that let attackers deliver malicious payloads while hiding the real target from anyone inspecting the file.

Beukema documented four previously unknown techniques for manipulating Windows LNK shortcut files to hide malicious targets from users inspecting file properties.

LNK shortcuts were introduced with Windows 95 and use a complex binary format (documented by Microsoft as MS-SHLLINK). Its layout allows attackers to craft files that appear legitimate in the Windows Explorer properties dialog but run an entirely different program when opened.

The discovered issues exploit inconsistencies in how Windows Explorer prioritizes conflicting target paths specified across multiple optional data structures within shortcut files.

The most effective variants use forbidden Windows path characters, such as double quotes, to build paths that look valid but are technically invalid, causing Explorer to display one target while executing another. Another variant uses non-conforming LinkTargetIDList values to execute a path other than the one displayed from the LinkInfo field.

"This results in the strange situation where the user sees one path in the Target field, but upon execution, a completely other path is executed. Due to the field being disabled, it is also possible to "hide" any command-line arguments that are provided," Beukema said.

The most powerful technique identified involves manipulating the EnvironmentVariableDataBlock structure within LNK files. By setting only the ANSI target field and leaving the Unicode field empty, attackers can display a fake target such as "invoice.pdf" in the properties window while actually executing PowerShell or other malicious commands.

"Opening the LNK executes the "actual" target immediately, not having to open it twice. Additionally, because in this case the spoofed target is in TargetIdList and the actual target in EnvironmentVariableDataBlock, the actual target may utilise environment variables," Beukema explained.

"The target program/file/directory is completely spoofed," and "any command-line arguments are hidden," the researcher also noted, which makes detection extremely difficult for users.

This is possible because, as Beukema said, Windows Explorer will treat all these malformed LNK shortcuts forgivingly, displaying spoofed information rather than rejecting invalid files.
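The forbidden-character variant and the EnvironmentVariableDataBlock variant share one practical defence: parse the shortcut's structures yourself and compare them, instead of trusting what the Properties dialog shows. The Python triage script below is an added example, not code from the article or from Beukema. It walks the public MS-SHLLINK layout (ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData, ExtraData), extracts the displayed path, the hidden arguments and both targets of the EnvironmentVariableDataBlock, and reports the inconsistencies the article describes. The sample shortcut it inspects is constructed inside the script; it uses the LinkInfo LocalBasePath as the "displayed" path because it does not build a real ItemIDList, and it flags disagreements between fields rather than reproducing Explorer's exact resolution order, which the article does not spell out.

```python
"""Triage helper for Windows .lnk files (MS-SHLLINK layout).

Added example, not code from the article or from Wietze Beukema. It parses
the structures the article names and reports the spoofing indicators it
describes: ANSI/Unicode disagreement in the EnvironmentVariableDataBlock,
a displayed path that differs from the environment target, forbidden path
characters, and hidden command-line arguments.
"""
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK 2.1.1)
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
ENV_BLOCK_SIGNATURE = 0xA0000001          # EnvironmentVariableDataBlock
ENV_BLOCK_SIZE = 0x314                    # 8 + 260 (ANSI) + 520 (Unicode)
LNK_CLSID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
FORBIDDEN_PATH_CHARS = '"<>|*?'           # never legal inside a Windows path component


def parse_lnk(data):
    """Return the fields relevant to target spoofing from a raw .lnk byte string."""
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link: bad HeaderSize or LinkCLSID")
    flags, = struct.unpack_from("<I", data, 0x14)
    info = {"flags": flags, "has_id_list": False, "local_base_path": None,
            "arguments": None, "env_ansi": None, "env_unicode": None}
    pos = header_size
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (2 bytes) + ItemIDs
        size, = struct.unpack_from("<H", data, pos)
        info["has_id_list"] = True
        pos += 2 + size                        # ItemIDs are skipped, not decoded
    if flags & HAS_LINK_INFO:                  # LinkInfoSize, HeaderSize, Flags, VolumeIDOffset, LocalBasePathOffset
        li_size, _hdr, li_flags, _vol_off, lbp_off = struct.unpack_from("<IIIII", data, pos)
        if li_flags & 0x1:                     # VolumeIDAndLocalBasePath
            raw = data[pos + lbp_off:].split(b"\x00", 1)[0]
            info["local_base_path"] = raw.decode("latin-1")
        pos += li_size
    enc, width = ("utf-16-le", 2) if flags & IS_UNICODE else ("latin-1", 1)
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                       # StringData: CountCharacters + chars, no terminator
            n, = struct.unpack_from("<H", data, pos)
            pos += 2
            info[key] = data[pos:pos + n * width].decode(enc)
            pos += n * width
    while pos + 8 <= len(data):                # ExtraData: (BlockSize, BlockSignature, ...) until BlockSize < 4
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == ENV_BLOCK_SIGNATURE and size == ENV_BLOCK_SIZE:
            ansi = data[pos + 8:pos + 8 + 260]
            uni = data[pos + 8 + 260:pos + 8 + 260 + 520]
            info["env_ansi"] = ansi.split(b"\x00", 1)[0].decode("latin-1")
            info["env_unicode"] = uni.decode("utf-16-le").split("\x00", 1)[0]
        pos += size
    return info


def triage(info):
    """Return a list of human-readable spoofing indicators for a parsed shortcut."""
    findings = []
    a, u = info["env_ansi"], info["env_unicode"]
    if a is not None:
        if bool(a) != bool(u) or (a and u and a.lower() != u.lower()):
            findings.append(f"EnvironmentVariableDataBlock ANSI/Unicode targets disagree: {a!r} vs {u!r}")
        shown = info["local_base_path"]
        if shown and a and shown.lower() != a.lower():
            findings.append(f"displayed LinkInfo path {shown!r} differs from environment target {a!r}")
    for key in ("local_base_path", "env_ansi", "env_unicode"):
        val = info.get(key)
        if val and any(c in val for c in FORBIDDEN_PATH_CHARS):
            findings.append(f"{key} contains forbidden path characters: {val!r}")
    if info.get("arguments"):
        findings.append(f"command-line arguments present: {info['arguments']!r}")
    return findings


def build_sample_lnk(shown_path, env_ansi_target, arguments, env_unicode_target=""):
    """Constructed sample (not a real-world file): LinkInfo shows shown_path while the
    EnvironmentVariableDataBlock carries env_ansi_target; the Unicode slot defaults to empty."""
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sI", 0x4C, LNK_CLSID, flags) + b"\x00" * (0x4C - 24)
    vol = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\x00"        # minimal VolumeID, empty label
    lbp = shown_path.encode("latin-1") + b"\x00"
    suffix = b"\x00"                                              # empty CommonPathSuffix
    li_size = 28 + len(vol) + len(lbp) + len(suffix)
    link_info = struct.pack("<IIIIIII", li_size, 28, 1, 28, 28 + len(vol), 0,
                            28 + len(vol) + len(lbp)) + vol + lbp + suffix
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    env = struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIGNATURE)
    env += env_ansi_target.encode("latin-1").ljust(260, b"\x00")
    env += env_unicode_target.encode("utf-16-le").ljust(520, b"\x00")
    return header + link_info + string_data + env + struct.pack("<I", 0)  # TerminalBlock


if __name__ == "__main__":
    sample = build_sample_lnk(r"C:\Users\Public\invoice.pdf",
                              r"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe",
                              "-nop -w hidden -c calc.exe")
    for line in triage(parse_lnk(sample)):
        print("[!]", line)
```

Run against real shortcuts by replacing the constructed sample with `open(path, "rb").read()`; a shortcut whose two environment targets agree, whose displayed path matches the target and which carries no arguments produces no findings, which is the baseline a mail gateway or EDR rule can compare against.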
