linkiconshim

windows shell extension fixing CVE-2010-2568 link file vulnerability

LinkIconShim

A simple shell extension that inserts itself in front of the original buggy lnk file handler and checks the incoming files. If a link to control panel item is found (the exploitable one), the path to the cpl is checked, and only icons from cpl applets located in system directory are extracted. This is very similar to method used in official microsoft patch released for supported systems. Otherwise default 'blocked' icon is returned instead of trying to extract one by running arbitrary dll.

See http://www.microsoft.com/technet/security/advisory/2286198.mspx for system vendor information. This can be considered an advanced version of this Microsoft fix http://support.microsoft.com/kb/2286198 (advanced in that way that your icons won't go away). Mirosoft released out-of-band patch for this issue. All users of supported systems should update, see http://www.microsoft.com/technet/security/bulletin/ms10-046.mspx.

Sophos released a similar tool here, with a nice video and an msi installer, but beware! The Sophos Windows Shortcut Exploit Protection Tool doesn't handle all malicious link files due to mishandling of the .lnk internal data.

Installation

  • Copy to a suitable location and run install.bat.
  • It is necessary to log off and log back on for the shim to work properly.
  • All control panel (i.e. potentially dangerous) links now have the 'stop' icon, but still work as before.

Uninstalling

  • Run uninstall.bat
  • Add orig_handlers.reg to registry - it restores the system icon handler for lnkfile.
  • Before trying to delete the dll you have to log off to ensure that there is no instance of it loaded in the user applications.

Source code

Source code is based on code by Michael Dunn, http://www.codeproject.com/KB/shell/shellextguide9.aspx. You can do anything you want with it - even improve it... There is a project file for Visual Studio 98 and a makefile. Use the default configuration (LnkIconShim - Win32 Unicode Release MinDependency) to compile. All the magic happens in LnkIconShlExt.cpp.

(c) Libor Morkovsky

Project Information

Labels:
Windows security