Software Engineering Institute

Microsoft Windows supports the use of shortcut or LNK files. A LNK file is a reference to a local file. Clicking on a LNK or file has essentially the same outcome as clicking on the file that is specified as the shortcut target. For example, clicking a shortcut to calc.exe will launch calc.exe, and clicking a shortcut to readme.txt will open readme.txt with the associated application for handling text files.

Microsoft Windows fails to safely obtain icons for shortcut files. When Windows displays Control Panel items, it will initialize each object for the purpose of providing dynamic icon functionality. This means that a Control Panel applet will execute code when the icon is displayed in Windows. Through use of a shortcut file, an attacker can specify a malicious DLL that is to be processed within the context of the Windows Control Panel, which will result in arbitrary code execution. The specified code may reside on a USB drive, local or remote filesystem, a CD-ROM, or other locations. Viewing the location of a shortcut file with Windows Explorer is sufficient to trigger the vulnerability. Other applications that display file icons can be used as an attack vector for this vulnerability as well.

The origin of this vulnerability is outlined in VU#940193 (CVE-2010-2568). The fix for CVE-2010-2568 and the subsequent fix for CVE-2015-0096 are both insufficient in that they not take into account LNK files that use the SpecialFolderDataBlock or KnownFolderDataBlock attributes to specify the location of a folder. Such files are able to bypass the whitelisting first implemented in the fix for CVE-2010-2568.

Exploit code for this vulnerability is publicly available.

By convincing a user to display a specially-crafted shortcut file, an attacker may be able to execute arbitrary code with the privileges of the user. Depending on the operating system and AutoRun/AutoPlay configuration, this can happen automatically by connecting a USB device.

Apply an update

This issue is addressed in the Microsoft Update for CVE-2017-8464.

Block outgoing SMB traffic

Block outgoing connections on ports 139/tcp, 139/udp, 445/tcp, and 445/udp at your network perimeter. Doing so will help prevent machines on the local network from connecting to SMB servers on the internet. While this does not remove the vulnerability, it does block an attack vector for this and other vulnerabilities.

Disable WebDAV

Even if outgoing SMB traffic is disabled, Windows clients can still connect to network shares using the WebDAV protocol, which uses HTTP as a transport. WebDAV can be disabled at various layers, depending on the requirements of your organization:

At the client

To disable WebDAV on a Windows client, set the Startup type property for the WebClient service to Disabled. Note that this may interfere with the ability to access features that utilize WebDAV, such as some aspects of Microsoft SharePoint.

On the network

WebDAV can be blocked at the network level by blocking the methods used by the WebDAV extension to HTTP. See Blocking WebDAV methods for an example of how to accomplish this. Check with your firewall vendor for more details.