Ninho, posted August 13, 2010:
Not sure if this has been posted elsewhere on site: "Vektor" has a great patch for the .lnk vulnerability. In addition to Windows 2000 (SP1 and SP4 at the moment), his simple and effective patch applies to Windows XP, all versions.
http://nemesis.te-home.net/News/20100723_Patch_for_0day__LNK_file_handling_vulnerability_up.html
Clean and recommended. Vektor also patched win32k.sys for the CreateDIBPalette vuln, applicable to Win 2k and XP (all service packs). Just browse nemesis.te-home.net for the latter, and lots more goodies!
Tripredacus, posted August 13, 2010:
No fix for Windows 98?
Ninho (author), posted August 13, 2010:
Quoting Tripredacus: "No fix for Windows 98?"
Not by Vektor. Before looking for a patch, however... is Windows 9x known to be affected? .lnk / .pif on NT have extended options unavailable on DOS-based Windowzes, and I think the exploit relies on the new capabilities. Not 100% sure; did you (you all) check this point?
Tripredacus, posted August 18, 2010:
Yes, there is a topic in the Win9x section too:
WildBill, posted August 28, 2010:
Hmm. If I'd checked the forum this might have saved me some effort. Anyhow, I also tried to put together a patch for the LNK vulnerability. It's done the "standard" way, with the main exception being that it doesn't use a signed update since I couldn't figure out how to sign it. This is the first time I've attempted making a patch for Windows, so this is really new territory for me.
I've tried it in a VM and I'm not seeing any problems, but I also don't really know for certain that this closes the security hole. If anyone knows how to verify it I'd appreciate it. I tried a proof-of-concept of the vulnerability and the patch seems to block it, but I can't claim to be knowledgeable about the details of the security hole beyond that it somehow masquerades as a Control Panel link. When installed, the version of shell32.dll will bump up to 5.0.3900.7156 so you can tell if it's installed.
Windows2000-KB2286198-x86-ENU.EXE
"Use at your own risk" goes without saying until someone here can hopefully validate it.
WildBill, posted September 9, 2010:
While my patch seems to work, I've found a problem where I should have put relocation entries in it but didn't. This means that the DLL could crash if the PE loader doesn't put it at its preferred address. While this is unlikely, I'm working on an update with proper relocation entries added. That would ensure that the DLL would work wherever the PE loader put it. I plan on releasing the update as soon as it's ready.
WildBill, posted September 10, 2010:
I've fixed my patch and uploaded v2 here:
Windows2000-KB2286198-v2-x86-ENU.EXE
This has proper relocation info for the code I added and should eliminate the (unlikely) possibility of a crash. Nonetheless, I strongly recommend installing this one. If you already installed my earlier patch this one will install over it just fine. Once installed, shell32.dll will show version 5.0.3900.7157.
Enjoy...
Ninho (author), posted September 12, 2010:
Quoting WildBill: "I've fixed my patch ... Once installed, shell32.dll will show version 5.0.3900.7157. Enjoy..."
Hi! That's all very good and well, so... did you get reports of your patch? Own tests? Does it nuke the vulnerability altogether? Does it eliminate the need for Vektor's (the original subject)? And which method is superior, if any?
WildBill, posted September 13, 2010:
I tested it using the POC code that blackwingcat pointed to:
Beyond that I haven't heard any reports one way or the other. I'm running it on my box (not just in a VM, but in the normal OS installation) and I've experienced no problems. I'd certainly appreciate any reports of usage or any form of independent assessment.
I haven't tried Vektor's patch, so I'm reluctant to evaluate one against the other. His has the plus of being applicable to multiple OSes, whereas mine is for Win2k only. On the other hand, my patch is slipstreamable like any other MS hotfix. That's not to say that Vektor's isn't -- it might be, I haven't tried it.
On another note, for the past few weeks I've been prepping to build a backported patch for MS10-054 (KB982214: Vulnerabilities in SMB Server Could Allow Remote Code Execution). I've boiled it down to 5 routines that have to be patched and a small one that has to be added. The tough part has been the logistics of actually building a patch, though I've got my PE tool almost to the point where I can use it to make the patch. Basically I'm using IDA for the analysis part and my own tool for the patching part. Once it's ready I plan on releasing that patch as well as my PE tool. Then I'd like to move on to MS10-049 (KB980436: Vulnerabilities in SChannel Could Allow Remote Code Execution). I have no plans to switch away from Win2k any time soon, and I don't like the idea of having those holes unpatched.
bristols, posted September 13, 2010:
So we have at least three fixes: Vektor's, the LinkIconShim, and now one provided by WildBill. Which to use? I don't know how to decide.
Can anyone vouch for any of these? Can anyone help allay any default scepticism / suspicions regarding the trustworthiness of any of these patches? For example, who is Vektor? These kinds of reassurances will help me decide.
Ninho (author), posted September 17, 2010 (edited):
Quoting bristols: "Can anyone vouch for any of these? ... For example, who is Vektor? These kinds of reassurances will help me decide."
Who Vektor is - obviously a good programmer/hacker... But it doesn't matter who he is: for the patch in question is explained on the Kamelite site (links in the OP), and it is nice and simple enough you and I can 1. understand the theory and 2. verify the practical implementation does what it said it would (binary differencing the "before" and "after" shell32). I feel safer running this Vektor's patch in Win 2k than running the MS "fix" under Win XP in fact!!! Not that I suspect MS would voluntarily borg things (albeit...), but Vektor's method solves the problem at the root and in a documented way, plus it's simple and elegant, whereas what MS's patch does is undocumented, and history teaches us their patches often are unnecessarily obscure and complicated, treating the symptoms (i.e., reported exploits) rather than the root cause: thus leaving the door open to the next exploit, next patch etc... UNTIL "end of support" & you are advised to go shopping for the next Windows version: this is about all there is to the "Windows Update" scam ;=)
But this is just me... Oh, and I'm running with shell32 patched per Vektor since day 1 - it just works ;=)
Edited September 17, 2010 by Ninho
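Two checks come up in this thread that a user can run without trusting the patch author: Ninho's binary differencing of the "before" and "after" shell32, and WildBill's point that code added to a DLL needs base-relocation entries or the DLL can crash when the loader cannot map it at its preferred ImageBase. The script below is an added example written for this page; it is not code from the thread, from Vektor or from WildBill. It parses the PE32 headers of two binaries, lists every run of changed bytes with the section and RVA it lands in, walks the relocation table of the patched image, and reports how many fixups fall inside each changed run (a patched routine that writes an absolute address but shows zero fixups is exactly the v1 situation WildBill describes). The "before"/"after" inputs used in the demo are constructed in-memory fixtures (a 16-byte .text stub plus one relocation block), not real shell32 images; with two file paths on the command line it reads those files instead. It handles PE32 only, which covers Windows 2000's 32-bit shell32.dll.

```python
import struct

# Constructed fixture parameters (not values taken from a real shell32.dll)
FILE_ALIGN = 0x200
IMAGE_BASE = 0x10000000
BASERELOC_DIR = 5          # IMAGE_DIRECTORY_ENTRY_BASERELOC index in the data directory

def parse_pe(data):
    """Read the PE32 headers needed for the check: ImageBase, the base-relocation
    data directory and the section table (name, RVA, raw file range)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    reloc_rva, reloc_size = struct.unpack_from("<II", data, opt + 96 + 8 * BASERELOC_DIR)
    sections = []
    for i in range(nsect):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": raw_ptr, "raw_size": raw_size})
    return {"image_base": image_base, "has_relocs": reloc_size != 0,
            "reloc_rva": reloc_rva, "reloc_size": reloc_size, "sections": sections}

def file_offset_to_rva(pe, off):
    for s in pe["sections"]:
        if s["raw_ptr"] <= off < s["raw_ptr"] + s["raw_size"]:
            return s["name"], s["va"] + (off - s["raw_ptr"])
    return "<headers>", None          # change outside any section's raw data

def rva_to_file_offset(pe, rva):
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return s["raw_ptr"] + (rva - s["va"])
    raise ValueError("RVA %#x is not backed by any section" % rva)

def relocation_rvas(data, pe):
    """Walk the IMAGE_BASE_RELOCATION blocks and return every RVA the loader
    fixes up when the image cannot be mapped at its preferred ImageBase."""
    rvas = set()
    if not pe["has_relocs"]:
        return rvas
    off = rva_to_file_offset(pe, pe["reloc_rva"])
    end = off + pe["reloc_size"]
    while off + 8 <= end:
        page_rva, block_size = struct.unpack_from("<II", data, off)
        if block_size < 8:
            break
        for e in range(8, block_size, 2):
            entry = struct.unpack_from("<H", data, off + e)[0]
            if entry >> 12:                      # type 0 entries are alignment padding
                rvas.add(page_rva + (entry & 0xFFF))
        off += block_size
    return rvas

def diff_pe(before, after):
    """One dict per contiguous run of bytes that differ between the two files,
    mapped into the patched image's sections, with the number of relocation
    entries that fall inside the run."""
    pe = parse_pe(after)
    relocs = relocation_rvas(after, pe)
    n = min(len(before), len(after))
    runs, start = [], None
    for i in range(n + 1):
        changed = i < n and before[i] != after[i]
        if changed and start is None:
            start = i
        elif not changed and start is not None:
            sect, rva = file_offset_to_rva(pe, start)
            inside = 0 if rva is None else sum(rva <= r < rva + (i - start) for r in relocs)
            runs.append({"section": sect, "file_off": start, "rva": rva,
                         "length": i - start, "relocs_inside": inside})
            start = None
    if len(before) != len(after):
        runs.append({"section": "<size change>", "file_off": n, "rva": None,
                     "length": abs(len(after) - len(before)), "relocs_inside": 0})
    return runs

def build_sample_pe(text_body, with_relocs):
    """Assemble a minimal PE32 DLL in memory (test fixture): a .text section holding
    text_body and, optionally, a .reloc section with one HIGHLOW fixup at RVA 0x1004."""
    sections = [(b".text", 0x1000, text_body)]
    reloc_body = b""
    if with_relocs:
        # block header (page RVA, block size) + entry: type 3 (HIGHLOW) << 12 | offset 4, + padding
        reloc_body = struct.pack("<IIH", 0x1000, 12, (3 << 12) | 0x004) + b"\0\0"
        sections.append((b".reloc", 0x2000, reloc_body))
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x2102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<III", opt, 28, IMAGE_BASE, 0x1000, FILE_ALIGN)
    struct.pack_into("<I", opt, 92, 16)                              # NumberOfRvaAndSizes
    if with_relocs:
        struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIR, 0x2000, len(reloc_body))
    hdrs, bodies, raw_ptr = b"", b"", FILE_ALIGN
    for name, va, body in sections:
        raw_size = -(-len(body) // FILE_ALIGN) * FILE_ALIGN
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(body), va, raw_size, raw_ptr,
                            0, 0, 0, 0, 0x60000020)
        bodies += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    return (dos + b"PE\0\0" + coff + bytes(opt) + hdrs).ljust(FILE_ALIGN, b"\0") + bodies

# Constructed "before" and "after" code: the patch replaces five NOPs with
# mov eax, [0x10002000], whose absolute operand (at RVA 0x1004) needs a fixup.
BEFORE_TEXT = bytes.fromhex("558bec") + b"\x90" * 13
AFTER_TEXT = bytes.fromhex("558bec") + bytes.fromhex("a100200010") + b"\x90" * 8

if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:      # real use: python pe_patch_check.py before.dll after.dll
        before, after = (open(p, "rb").read() for p in sys.argv[1:])
    else:                       # demo on the constructed fixture
        before = build_sample_pe(BEFORE_TEXT, with_relocs=False)
        after = build_sample_pe(AFTER_TEXT, with_relocs=True)
    pe = parse_pe(after)
    print("ImageBase %#x, relocation directory present: %s" % (pe["image_base"], pe["has_relocs"]))
    for r in diff_pe(before, after):
        rva = "rva %#x" % r["rva"] if r["rva"] is not None else "no rva"
        print("%-14s file %#06x %s len %d relocs_inside %d"
              % (r["section"], r["file_off"], rva, r["length"], r["relocs_inside"]))
```

On a real pair, runs reported as "<headers>" are expected whenever a section was added or the version resource was bumped; the runs worth reading are the ones inside .text, which should line up with the routines the patch author says were changed, and any of them that writes an absolute address should show a non-zero relocation count. The relocation-directory flag alone is a coarse signal: an image can carry the original relocations yet lack entries for newly added code, which is why the check counts fixups per changed run rather than just testing for the directory.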
erpdude8, posted October 15, 2010 (edited):
Quoting WildBill: "I've fixed my patch and uploaded v2 here: Windows2000-KB2286198-v2-x86-ENU.EXE This has proper relocation info for the code I added and should eliminate the (unlikely) possibility of a crash. Nonetheless, I strongly recommend installing this one. If you already installed my earlier patch this one will install over it just fine. Once installed, shell32.dll will show version 5.0.3900.7157. Enjoy..."
Sorry WildBill, dead link to your V2 patch (now produces error message "invalid or deleted file" at mediafire site). Please post it on another download site.
In the meantime, I'll use Vektor's patch instead.
Edited October 15, 2010 by erpdude8
bristols, posted October 15, 2010:
@erpdude8
WildBill's patch is now at Version 3. It's here:
Windows2000-KB2286198-v3-x86-ENU.EXE
Check this post for a whole slew of further post-EOL patches for Windows 2000:
The thread to which I just linked really needs to be made a sticky!!
@WildBill
I've been meaning to say: utterly fantastic work! All power to you! Do you intend to keep this up? I really hope the answer is positive.
dencorso, posted October 15, 2010:
Quoting bristols: "Check this post for a whole slew of further post-EOL patches for Windows 2000: The thread to which I just linked really needs to be made a sticky!!"
True! Done!
erpdude8, posted October 29, 2010:
Quoting bristols: "@erpdude8 WildBill's patch is now at Version 3. It's here: Windows2000-KB2286198-v3-x86-ENU.EXE Check this post for a whole slew of further post-EOL patches for Windows 2000: The thread to which I just linked really needs to be made a sticky!!"
Excellent. I've recently removed Vektor's shell32 fix and have applied WildBill's Win2k shell32 V3 patch.
So far, no problems with the V3 shell32 fix.