Vektor's shell32 patch for .LNK vulnerability


Ninho

Not sure if this has been posted elsewhere on site: "Vektor" has a great patch for the .lnk vulnerability. In addition to Windows 2000 (SP1 and SP4 at the moment), his simple and effective patch applies to Windows XP all versions.

http://nemesis.te-home.net/News/20100723_Patch_for_0day__LNK_file_handling_vulnerability_up.html

Clean and recommended.

Vektor also patched win32k.sys for the CreateDIBPalette vuln, applicable to Win 2k and XP (all service packs).

Just browse nemesis.te-home.net for the latter, and lots more goodies!


No fix for Windows 98?

Not by Vektor. Before looking for a patch however... is Windows 9x known to be affected?

.lnk / .pif on NT have extended options unavailable on DOS-based Windowzes, and I think the exploit relies on the new capabilities. Not 100% sure, did you (you all) check this point?

  • 2 weeks later...

Hmm. If I'd checked the forum this might have saved me some effort. Anyhow, I also tried to put together a patch for the LNK vulnerability. It's done the "standard" way, with the main exception being that it doesn't use a signed update since I couldn't figure out how to sign it. This is the first time I've attempted making a patch for Windows, so this is really new territory for me.

I've tried it in a VM and I'm not seeing any problems, but I also don't really know for certain that this closes the security hole. If anyone knows how to verify it I'd appreciate it. I tried a proof-of-concept of the vulnerability and the patch seems to block it, but I can't claim to be knowledgeable about the details of the security hole beyond that it somehow masquerades as a Control Panel link. When installed, the version of shell32.dll will bump up to 5.0.3900.7156 so you can tell if it's installed.

Windows2000-KB2286198-x86-ENU.EXE

"Use at your own risk" goes without saying until someone here can hopefully validate it.

  • 2 weeks later...

While my patch seems to work, I've found a problem where I should have put relocation entries in it but didn't. This means that the DLL could crash if the PE loader doesn't put it at its preferred address. While this is unlikely, I'm working on an update with proper relocation entries added. That would ensure that the DLL would work wherever the PE loader put it. I plan on releasing the update as soon as it's ready.

I've fixed my patch and uploaded v2 here:

Windows2000-KB2286198-v2-x86-ENU.EXE

This has proper relocation info for the code I added and should eliminate the (unlikely) possibility of a crash. Nonetheless, I strongly recommend installing this one. If you already installed my earlier patch this one will install over it just fine. Once installed, shell32.dll will show version 5.0.3900.7157.

Enjoy...

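The relocation problem WildBill describes in the two posts above is something a reader can check on a patched DLL before trusting it. The Python below is an added example, not code from WildBill or Vektor: it parses the base-relocation table of a PE32 image and lists the fixups that fall inside a given RVA range (the range a patch added code to). The image it runs on is a constructed minimal fixture, not the real shell32.dll; the 0x1000 page and the 0x10000000 ImageBase in it are made-up values.

```python
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics bit: image cannot be rebased
BASERELOC_DIR = 5                     # DataDirectory index of the .reloc table

def relocated_rvas(image: bytes) -> set:
    """RVAs the loader rewrites when it cannot map a PE32 image at its preferred base."""
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    nsec, opt_size, chars = struct.unpack_from("<H12xHH", image, coff + 2)
    if chars & IMAGE_FILE_RELOCS_STRIPPED:
        return set()
    opt = coff + 20
    reloc_rva, reloc_size = struct.unpack_from("<II", image, opt + 96 + 8 * BASERELOC_DIR)
    if reloc_size == 0:
        return set()
    # Section table follows the optional header: (VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)
    secs = (struct.unpack_from("<IIII", image, opt + opt_size + 40 * i + 8) for i in range(nsec))
    pos = next(reloc_rva - va + raw for vs, va, rs, raw in secs if va <= reloc_rva < va + max(vs, rs))
    rvas, end = set(), pos + reloc_size
    while pos < end:                          # one block per 4 KiB page
        page_rva, block_size = struct.unpack_from("<II", image, pos)
        for off in range(pos + 8, pos + block_size, 2):
            entry, = struct.unpack_from("<H", image, off)
            if entry >> 12:                   # type 0 = IMAGE_REL_BASED_ABSOLUTE padding
                rvas.add(page_rva + (entry & 0xFFF))
        pos += block_size
    return rvas

def relocs_in_range(image: bytes, start_rva: int, end_rva: int) -> list:
    """Fixups inside the RVA range a patch added; none, while that code holds absolute addresses, means a crash on rebase."""
    return sorted(r for r in relocated_rvas(image) if start_rva <= r < end_rva)

def build_sample_image(reloc_targets, strip_flag=False) -> bytes:
    """Constructed minimal PE32 fixture (not a real DLL): one .reloc section at
    RVA 0x2000 holding HIGHLOW fixups for RVAs inside the 0x1000 page."""
    entries = [(3 << 12) | (r - 0x1000) for r in reloc_targets]  # IMAGE_REL_BASED_HIGHLOW
    entries += [0] * (len(entries) % 2)                          # keep the block 4-byte aligned
    block = struct.pack("<II%dH" % len(entries), 0x1000, 8 + 2 * len(entries), *entries)
    dos = bytearray(0x40); struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HH12xHH", 0x14C, 1, 224, 0x2102 | int(strip_flag))
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 28, 0x10000000)                             # preferred ImageBase
    struct.pack_into("<II", opt, 96 + 8 * BASERELOC_DIR, 0x2000, len(block))
    sec = struct.pack("<8sIIII", b".reloc", len(block), 0x2000, 0x200, 0x200) + bytes(16)
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sec
    return head.ljust(0x200, b"\0") + block.ljust(0x200, b"\0")
```

On a real file, read shell32.dll from disk and pass the RVA range the patch modified (found by binary differencing the before and after images, as Ninho suggests later in the thread).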

I've fixed my patch ... Once installed, shell32.dll will show version 5.0.3900.7157.

Enjoy...

Hi! That's all very good and well, so... did you get reports of your patch? Own tests? Does it nuke the vulnerability altogether? Does it eliminate the need for Vektor's (the original subject)? And which method is superior, if any?

I tested it using the POC code that blackwingcat pointed to:

Beyond that I haven't heard any reports one way or the other. I'm running it on my box (not just in a VM, but in the normal OS installation) and I've experienced no problems. I'd certainly appreciate any reports of usage or any form of independent assessment.

I haven't tried Vektor's patch, so I'm reluctant to evaluate one against the other. His has the plus of being applicable to multiple OSes, whereas mine is for Win2k only. On the other hand, my patch is slipstreamable like any other MS hotfix. That's not to say that Vektor's isn't -- it might be, I haven't tried it.

On another note, for the past few weeks I've been prepping to build a backported patch for MS10-054 (KB982214: Vulnerabilities in SMB Server Could Allow Remote Code Execution). I've boiled it down to 5 routines that have to be patched and a small one that has to be added. The tough part has been the logistics of actually building a patch, though I've got my PE tool almost to the point where I can use it to make the patch. Basically I'm using IDA for the analysis part and my own tool for the patching part. Once it's ready I plan on releasing that patch as well as my PE tool. Then I'd like to move on to MS10-049 (KB980436: Vulnerabilities in SChannel Could Allow Remote Code Execution). I have no plans to switch away from Win2k any time soon, and I don't like the idea of having those holes unpatched.

So we have at least three fixes: Vektor's, the LinkIconShim, and now one provided by WildBill. Which to use? I don't know how to decide.

Can anyone vouch for any of these? Can anyone help allay any default scepticism / suspicions regarding the trustworthiness of any of these patches? For example, who is Vektor? These kinds of reassurances will help me decide.

Can anyone vouch for any of these?

... For example, who is Vektor? These kinds of reassurances will help me decide.

Who Vektor is: obviously a good programmer/hacker... But it doesn't matter who he is, for the patch in question is explained on the Kamelite site (links in the OP), and it is nice and simple enough that you and I can 1. understand the theory and 2. verify the practical implementation does what it said it would (binary differencing the "before" and "after" shell32).

I feel safer running Vektor's patch in Win 2k than running the MS "fix" under Win XP in fact!!! Not that I suspect MS would voluntarily borg things (albeit...), but Vektor's method solves the problem at the root and in a documented way, plus it's simple and elegant, whereas what MS's patch does is undocumented, and history teaches us their patches often are unnecessarily obscure and complicated, treating the symptoms (i.e., reported exploits) rather than the root cause: thus leaving the door open to the next exploit, next patch etc... UNTIL "end of support" & you are advised to go shopping for the next Windows version: this is about all there is to the "Windows Update" scam ;=)

But this is just me... Oh, and I'm running with shell32 patched per Vektor since day 1 - it just works ;=)

Edited by Ninho
  • 4 weeks later...

I've fixed my patch and uploaded v2 here:

Windows2000-KB2286198-v2-x86-ENU.EXE

This has proper relocation info for the code I added and should eliminate the (unlikely) possibility of a crash. Nonetheless, I strongly recommend installing this one. If you already installed my earlier patch this one will install over it just fine. Once installed, shell32.dll will show version 5.0.3900.7157.

Enjoy...

Sorry WildBill, dead link to your V2 patch (now produces error message "invalid or deleted file" at mediafire site). Please post it on another download site.

In the meantime, I'll use Vektor's patch instead.

Edited by erpdude8
@erpdude8

WildBill's patch is now at Version 3. It's here:

Windows2000-KB2286198-v3-x86-ENU.EXE

Check this post for a whole slew of further post-EOL patches for Windows 2000:

The thread to which I just linked really needs to be made a sticky!!

@WildBill

I've been meaning to say: utterly fantastic work! All power to you! Do you intend to keep this up? I really hope the answer is positive. :thumbup

  • 2 weeks later...

@erpdude8

WildBill's patch is now at Version 3. It's here:

Windows2000-KB2286198-v3-x86-ENU.EXE

Check this post for a whole slew of further post-EOL patches for Windows 2000:

The thread to which I just linked really needs to be made a sticky!!

Excellent. I've recently removed Vektor's shell32 fix and have applied WildBill's win2k shell32 V3 patch.

So far, no problems with the V3 shell32 fix.
