CVE-2015-0096 - Untrusted Search Path vulnerability in Microsoft products
CVSS

| Metric | Value |
| --- | --- |
| Attack vector | NETWORK |
| Attack complexity | MEDIUM |
| Privileges required | NONE |
| Confidentiality impact | COMPLETE |
| Integrity impact | COMPLETE |
| Availability impact | COMPLETE |

Summary
Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."
Common Weakness Enumeration (CWE)
- CWE-426: Untrusted Search Path
Common Attack Pattern Enumeration and Classification (CAPEC)
- CAPEC-38: Leveraging/Manipulating Configuration File Search Paths. This attack loads a malicious resource into a program's standard path, the list of locations used to bootstrap and/or provide contextual information for a program, such as a PATH variable or classpath. J2EE applications and other component-based applications built from multiple binaries can have a very long list of dependencies to execute. If one of these libraries and/or references is controllable by the attacker, then application controls can be circumvented. A standard UNIX path looks similar to this: If the attacker modifies the path variable to point to a location that includes malicious resources, the user unwittingly executes commands on the attacker's behalf. This is a form of usurping control of the program, and the attack can be carried out on the classpath, database resources, or any other resources assembled from compound parts. Detection and blocking of this attack at runtime is nearly impossible, because the configuration itself allows the execution.
Exploit-Db
- EDB-ID:42429: Microsoft Windows - LNK Shortcut File Code Execution (CVE-2017-8464). Local exploit for the Windows platform. File: exploits/windows/local/42429.py. Published 2017-08-06, modified 2017-08-06, last seen 2017-08-06. Reporter: Exploit-DB. Source: https://www.exploit-db.com/download/42429/
- EDB-ID:14403: Microsoft Windows - Automatic LNK Shortcut File Code Execution (CVE-2010-2568, CVE-2015-0096). Local exploit for the Windows platform. Published 2010-07-18, modified 2010-07-18, last seen 2016-02-01. Reporter: Ivanlef0u. Source: https://www.exploit-db.com/download/14403/
- EDB-ID:42382: Microsoft Windows - LNK Shortcut File Code Execution (Metasploit) (CVE-2017-8464). Local exploit for the Windows platform. File: exploits/windows/local/42382.rb. Published 2017-07-26, modified 2017-07-26, last seen 2017-07-26. Reporter: Exploit-DB. Source: https://www.exploit-db.com/download/42382/
Metasploit
- MSF:EXPLOIT/WINDOWS/FILEFORMAT/CVE_2017_8464_LNK_RCE (LNK Code Execution Vulnerability). This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. If no PATH is specified, the module will use drive letters D through Z so the files may be placed in the root path of a drive such as a shared VM folder or USB drive. Published 2017-07-25, modified 2019-08-15, last seen 2020-06-12. Reporter: Rapid7. Source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/cve_2017_8464_lnk_rce.rb
  References:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464
  - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464
  - http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt
  - https://msdn.microsoft.com/en-us/library/dd871305.aspx
  - http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm
  - https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
- MSF:EXPLOIT/WINDOWS/SMB/MS15_020_SHORTCUT_ICON_DLLLOADER (Microsoft Windows Shell LNK Code Execution). This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. It creates an SMB resource to provide the payload and the trigger, and generates a LNK file which must be sent to the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32-bit) with MS14-027 installed. Published 2015-03-12, modified 2017-07-24, last seen 2020-05-28. Reporter: Rapid7. Source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/smb/ms15_020_shortcut_icon_dllloader.rb
- MSF:EXPLOIT/WINDOWS/FILEFORMAT/MS15_020_SHORTCUT_ICON_DLLLOADER (Microsoft Windows Shell LNK Code Execution). This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. It creates the required files to exploit the vulnerability; they must be uploaded to a UNC path accessible by the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32-bit) with MS14-027 installed. Published 2015-03-11, modified 2017-07-24, last seen 2020-06-10. Reporter: Rapid7. Source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/fileformat/ms15_020_shortcut_icon_dllloader.rb
- MSF:EXPLOIT/WINDOWS/LOCAL/CVE_2017_8464_LNK_LPE (LNK Code Execution Vulnerability). This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%. Published 2017-10-03, modified 2019-05-31, last seen 2020-06-13. Reporter: Rapid7. Source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/local/cve_2017_8464_lnk_lpe.rb
  References:
  - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8464
  - https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-8464
  - http://www.vxjump.net/files/vuln_analysis/cve-2017-8464.txt
  - https://msdn.microsoft.com/en-us/library/dd871305.aspx
  - http://www.geoffchappell.com/notes/security/stuxnet/ctrlfldr.htm
  - https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-cpl-malware.pdf
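The module descriptions above give the shape of the crafted shortcut: a LinkTargetIDList that enters the Control Panel folder and names a DLL (the MS10-046/MS15-020 CPL load), an icon resource served from a UNC share, and, for the CVE-2017-8464 variant, a SpecialFolderDataBlock whose folder ID is the Control Panel. The triage parser below is an added example written for this page; it is not code from the Rapid7 modules, Exploit-DB or any vendor tool, and it is the concrete Windows instance of the CAPEC search-path manipulation listed earlier. It walks the MS-SHLLINK layout (ShellLinkHeader, LinkTargetIDList, LinkInfo, StringData, ExtraData) and reports those three patterns. The header CLSID, LinkFlags bits, SpecialFolderDataBlock signature 0xA0000005 and CSIDL_CONTROLS (3) are from the public shell-link documentation; the Control Panel folder CLSID is the well-known {21EC2020-3AEA-1069-A2DD-08002B30309D}. The sample shortcuts, the 10.0.0.5 share, the planted.dll name and the simplified 0x1F item layout in the constructed IDList are test data built inline, not real exploit files.

```python
"""Triage parser for Windows shell link (.lnk) files (added example, not vendor code).

Flags the DLL-planting shapes used by the MS15-020 / CVE-2015-0096 icon loader and
its CVE-2017-8464 variant: a LinkTargetIDList entering the Control Panel folder and
naming a .dll, an icon resource on a UNC path, and a SpecialFolderDataBlock whose
folder id is the Control Panel.  The samples at the bottom are constructed test data.
"""
import struct
from typing import List, Optional, Tuple

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags (MS-SHLLINK 2.1.1); only the bits this parser needs.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

SPECIAL_FOLDER_SIG = 0xA0000005  # ExtraData SpecialFolderDataBlock signature
CSIDL_CONTROLS = 0x03            # SpecialFolderID value for the Control Panel
# Control Panel shell folder {21EC2020-3AEA-1069-A2DD-08002B30309D} in on-disk (little-endian) order
CONTROL_PANEL_CLSID = bytes.fromhex("2020ec21ea3a6910a2dd08002b30309d")


def parse_lnk(data: bytes) -> dict:
    """Split a .lnk into its raw IDList, StringData fields and ExtraData blocks."""
    if (len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE
            or data[4:20] != LINK_CLSID):
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    id_list = b""
    if flags & HAS_LINK_TARGET_ID_LIST:          # IDListSize (u16) then the ItemIDs + TerminalID
        size = struct.unpack_from("<H", data, pos)[0]
        id_list = data[pos + 2:pos + 2 + size]
        pos += 2 + size
    if flags & HAS_LINK_INFO:                    # LinkInfoSize (u32) is its first field; skip it whole
        pos += struct.unpack_from("<I", data, pos)[0]
    strings = {}
    for flag, name in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                       (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                       (HAS_ICON_LOCATION, "icon_location")):
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]  # CountCharacters, no terminator
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        strings[name] = raw.decode("utf-16-le" if width == 2 else "cp1252", "replace")
    blocks: List[Tuple[int, bytes]] = []
    while pos + 4 <= len(data):                  # ExtraData blocks until the TerminalBlock (size < 4)
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 8 or pos + size > len(data):
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        blocks.append((sig, data[pos + 8:pos + size]))
        pos += size
    return {"flags": flags, "id_list": id_list, "strings": strings, "extra": blocks}


def triage(data: bytes) -> List[str]:
    """Return findings for the LNK DLL-planting patterns; an empty list means nothing matched."""
    lnk = parse_lnk(data)
    findings: List[str] = []
    icon = lnk["strings"].get("icon_location", "")
    if icon.startswith("\\\\"):                  # Explorer touches a remote share just to draw the icon
        findings.append("icon resource on a UNC path: " + icon)
    idl = lnk["id_list"]
    if CONTROL_PANEL_CLSID in idl:
        findings.append("LinkTargetIDList enters the Control Panel folder")
    if b".dll" in idl.lower() or ".dll".encode("utf-16-le") in idl.lower():
        findings.append("LinkTargetIDList names a .dll (CPL-style module load)")
    for sig, body in lnk["extra"]:
        if sig == SPECIAL_FOLDER_SIG and len(body) >= 4 \
                and struct.unpack_from("<I", body, 0)[0] == CSIDL_CONTROLS:
            findings.append("SpecialFolderDataBlock folder id is the Control Panel (CVE-2017-8464 pattern)")
    return findings


def item_id(payload: bytes) -> bytes:
    """One ItemID: u16 size (including the size field itself) followed by the item data."""
    return struct.pack("<H", len(payload) + 2) + payload


def build_sample(icon_location: str, id_list: bytes = b"", folder_id: Optional[int] = None) -> bytes:
    """Construct a minimal .lnk to exercise the parser (constructed test data, not an exploit)."""
    flags = HAS_ICON_LOCATION | IS_UNICODE | (HAS_LINK_TARGET_ID_LIST if id_list else 0)
    header = struct.pack("<I16sI", HEADER_SIZE, LINK_CLSID, flags).ljust(HEADER_SIZE, b"\0")
    body = struct.pack("<H", len(id_list)) + id_list if id_list else b""
    body += struct.pack("<H", len(icon_location)) + icon_location.encode("utf-16-le")
    if folder_id is not None:                    # BlockSize, BlockSignature, SpecialFolderID, Offset
        body += struct.pack("<IIII", 0x10, SPECIAL_FOLDER_SIG, folder_id, 0)
    return header + body + struct.pack("<I", 0)  # TerminalBlock


# Constructed IDList: a CLSID-rooted item (simplified 0x1F layout, an assumption) for the Control
# Panel folder, then an item naming a DLL on a constructed share, then the 2-byte TerminalID.
CPL_ID_LIST = (item_id(b"\x1f\x80" + CONTROL_PANEL_CLSID)
               + item_id("\\\\10.0.0.5\\share\\planted.dll".encode("utf-16-le"))
               + b"\x00\x00")


def demo() -> dict:
    """Triage one constructed malicious-shaped shortcut and one ordinary-looking one."""
    suspicious = build_sample("\\\\10.0.0.5\\share\\planted.dll", CPL_ID_LIST, CSIDL_CONTROLS)
    ordinary = build_sample("%SystemRoot%\\system32\\shell32.dll")
    return {"suspicious": triage(suspicious), "ordinary": triage(ordinary)}


if __name__ == "__main__":
    for label, found in demo().items():
        print(label, found or ["no findings"])
```

Run it over the .lnk files collected from a share or the root of a removable drive (the locations the modules above target). An ordinary shortcut whose icon lives in %SystemRoot%\system32\shell32.dll produces no findings; the Control Panel CLSID together with a .dll in the IDList, or the CSIDL_CONTROLS SpecialFolderDataBlock, is the combination to escalate on. A UNC icon path on its own is lower confidence, since shortcuts to network applications legitimately carry one.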
Msbulletin

| Field | Value |
| --- | --- |
| bulletin_id | MS15-020 |
| date | 2015-03-10 |
| impact | Remote Code Execution |
| knowledgebase_id | 3041836 |
| severity | Critical |
| title | Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution |
Nessus

| Field | Value |
| --- | --- |
| NASL family | Windows : Microsoft Bulletins |
| NASL id | SMB_NT_MS15-020.NASL |
| plugin id | 81735 |
| title | MS15-020: Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution (3041836) (EASYHOOKUP) |
| published | 2015-03-10 |
| modified | 2020-06-02 |
| last seen | 2020-06-01 |
| reporter | This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. |
| source | https://www.tenable.com/plugins/nessus/81735 |

Description: The remote Windows host is missing a security update. It is, therefore, affected by the following vulnerabilities:
- A remote code execution vulnerability exists in Windows Text Services due to improper handling of objects in memory. A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted website or open a specially crafted file, resulting in the execution of arbitrary code. (CVE-2015-0059)
- A remote code execution vulnerability exists due to improper loading of DLL files. A remote attacker can exploit this vulnerability by convincing a user to visit a specially crafted website or remote network share, resulting in the execution of arbitrary code. (CVE-2015-0096)
EASYHOOKUP is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.
Packetstorm
- PACKETSTORM:130801: Microsoft Windows Shell SMB LNK Code Execution. Published 2015-03-12, last seen 2016-12-05. Reporter: juan vazquez. Source: https://packetstormsecurity.com/files/130801/Microsoft-Windows-Shell-SMB-LNK-Code-Execution.html. Data: https://packetstormsecurity.com/files/download/130801/windows-smb-ms15_020_shortcut_icon_dllloader.rb.txt
- PACKETSTORM:144927: Microsoft Windows LNK File Code Execution. Published 2017-11-08, last seen 2017-11-09. Reporter: Yorick Koster. Source: https://packetstormsecurity.com/files/144927/Microsoft-Windows-LNK-File-Code-Execution.html. Data: https://packetstormsecurity.com/files/download/144927/cve_2017_8464_lnk_lpe.rb.txt
- PACKETSTORM:130800: Microsoft Windows Shell File Format LNK Code Execution. Published 2015-03-12, last seen 2016-12-05. Reporter: juan vazquez. Source: https://packetstormsecurity.com/files/130800/Microsoft-Windows-Shell-File-Format-LNK-Code-Execution.html. Data: https://packetstormsecurity.com/files/download/130800/windows-fileformat-ms15_020_shortcut_icon_dllloader.rb.txt
- PACKETSTORM:143623: Microsoft Windows LNK Shortcut File Code Execution. Published 2017-08-01, last seen 2017-08-02. Reporter: Yorick Koster. Source: https://packetstormsecurity.com/files/143623/Microsoft-Windows-LNK-Shortcut-File-Code-Execution.html. Data: https://packetstormsecurity.com/files/download/143623/mswinlnk-exec.rb.txt