Microsoft LNK Vulnerability Brief Technical Analysis(CVE-2010-2568)【windowsLNK快捷方式漏洞分析】

2010-07-23 15:06

转载自 孤客持情剑

最终编辑 孤客持情剑

第一次挫劣的翻译，感谢google翻译，感谢有道词典（划词翻译），这个漏洞触发的原因是特殊构造的快捷方式加载CPL图标的时候会意外的直接通过 “LoadLibraryW”函数加载dll文件（本来只是想加载文件的资源的但是没有判断这个dll文件是否是特殊的CPL文件，结果直接把恶意的dll文件直接加载了）从而导致用户通过资源管理器浏览器的时候触发漏洞，实际上是一种微软设计上的缺陷，没有很好的检查文件的安全性 PS：貌似微软安全公告里面指出PIF文件也受影响 原文链接： http://community.websense.com/blogs/securitylabs/archive/2010/07/20/microsoft-lnk-vulnerability-brief-technical-analysis-cve-2010-2568.aspx A few days ago, an exploit used for highly targeted attacks was published here: CVE-2010-2568 Lnk shortcut. As the blog post, and other posts, state, this is caused by Windows Control Panel's shortcut image display routine. The original blog post shows a stack trace of the exploit results, which also serves to explain the vulnerability. 几天前， 一个用来进行高危漏洞发布：CVE-2010-2568（快捷方式）漏洞，大家在博客讨论的时候，指出这个漏洞引发的原因是windows 控制面板快捷方式图片显示例程。 最初发布的博客显示了漏洞执行的堆栈跟踪的结果，同样解释了漏洞触发的原理   The nature of the vulnerability is pretty clear. But out of curiosity we did some reverse engineering and here is what we have found. The bug itself is a design flaw as stated by many people and it's very straightforward to locate the point where it happens. The vulnerable file is shell32.dll and the vulnerable routines are Control Panel-related. We loaded the binary on a disassembler and found that the Control Panel file-related routines start with a “CPL_” prefix. 这 个漏洞的原理已经非常清晰。但是处于好奇我们还是做了很多逆向工程，以下就是我们所发现的东东。这个漏洞本身就像是大家说的那样是设计上的缺陷，非常简单 就找到了问题发生的位置。存在威胁的文件是shell32.dll和存在威胁的控制面板文件相关例程。我们加载了二进制的文件进行反编译，发现控制面板文 件相关的例程以“CPL_”作为前缀。 Drawing 1 shows the relations between CPL initialization routines and data flow. The red “LoadLibraryW” API is the vulnerable one 图1,显示了CPL初始化例程和数据流。红色标记的 “LoadLibraryW”函数就是触发漏洞的关键 图 1: 程序执行流程和数据流 The icon extraction routine calls “CPL_FindCPLInfo” to find the icon information of the target file. The “CPL_FindCPLInfo” routine is basically a wrapper around all CPL-related routines. The loading and initialization of the CPL module is performed before getting any information out of it. One of the initialization routines, “_LoadCPLModule”, calls the “LoadLibraryW” API to load the target CPL dll for future use. The module handle acquired from this call is used later in the “_InitializeControl” routine with the “LoadImage” API. There are ways to acquire an icon handle from a dll without loading it, but in this case the programmer chose to load the target dll for some reason, which opens the vulnerability. ICO获取例程执行 “CPL_FindCPLInfo”函数去获得目标程序的ICO信息。 “CPL_FindCPLInfo”例程是CPL相关所有例程的封装。CPL模块加载并且初始化执行之前，通过这个例程获取所有CPL信息。其中一个初始化例程 “_LoadCPLModule”调用了 “LoadLibraryW”加载目标CPL（CPL实际上是特殊的dll文件）以便之后使用。 “LoadLibraryW”函数调用以后返回的句柄，之后会被 “_InitializeControl” 例程和“LoadImage” 函数使用。这种方式可以获得dll文件的图标句柄并且不需要加载它，但是在特殊情况下程序员人为选择直接加载存在恶意的目标DLL It looks like the security side-effects of one module are not evaluated fully before it's combined with other modules. 这看起来它和其它模块协作之前，这个组件没有充分的进行安全评估 We recommend following this Microsoft security advisory to disable icon display or the WebClient service until a patch for this flaw is released. 我们推荐大家按照微软安全公告里面说的那样，禁止ICO显示或者关闭 WebClient服务知道微软发布补丁修复这个漏洞