MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP) - Nessus

High   Plugin ID: 47750

This page contains detailed information about the MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP) Nessus plugin including available exploits and PoCs found on GitHub, in Metasploit or Exploit-DB for verifying of this vulnerability.

Table Of Contents
hide

Plugin Overview

ID: 47750
Name: MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP)
Filename: smb_kb_2286198.nasl
Vulnerability Published: 2010-07-15
This Plugin Published: 2010-07-18
Last Modification Time: 2018-11-15
Plugin Version: 1.25
Plugin Type: local
Plugin Family: Windows
Dependencies: smb_hotfixes.nasl, smb_nt_ms10-046.nasl
Required KB Items [?]: SMB/Registry/Enumerated, SMB/WindowsVersion

Vulnerability Information

Severity: High
Vulnerability Published: 2010-07-15
Patch Published: N/A
CVE [?]: CVE-2010-2568
CPE [?]: cpe:/o:microsoft:windows
Exploited by Malware: True
In the News: True

Synopsis

It may be possible to execute arbitrary code on the remote Windows host using a malicious shortcut file.

Description

Windows Shell does not properly validate the parameters of a shortcut file when loading its icon. Attempting to parse the icon of a specially crafted shortcut file can result in arbitrary code execution. A remote attacker could exploit this by tricking a user into viewing a malicious shortcut file via Windows Explorer, or any other application that parses the shortcut's icon. This can also be exploited by an attacker who tricks a user into inserting removable media containing a malicious shortcut (e.g. CD, USB drive), and AutoPlay is enabled.

EASYHOOKUP is one of multiple Equation Group vulnerabilities and exploits disclosed on 2017/04/14 by a group known as the Shadow Brokers.

Solution

Either apply the MS10-046 patch or disable the displaying of shortcut icons (refer to the Microsoft advisory).

Public Exploits

Target Network Port(s): 139, 445
Target Asset(s): N/A
Exploit Available: True (Metasploit Framework, Exploit-DB, GitHub, Immunity Canvas, Core Impact)
Exploit Ease: Exploits are available

Here's the list of publicly known exploits and PoCs for verifying the MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP) vulnerability:

  1. Metasploit: exploit/windows/browser/ms10_046_shortcut_icon_dllloader
    [Microsoft Windows Shell LNK Code Execution]
  2. Metasploit: exploit/windows/fileformat/ms15_020_shortcut_icon_dllloader
    [Microsoft Windows Shell LNK Code Execution]
  3. Metasploit: exploit/windows/smb/ms10_046_shortcut_icon_dllloader
    [Microsoft Windows Shell LNK Code Execution]
  4. Metasploit: exploit/windows/smb/ms15_020_shortcut_icon_dllloader
    [Microsoft Windows Shell LNK Code Execution]
  5. Metasploit: post/windows/gather/forensics/fanny_bmp_check
    [FannyBMP or DementiaWheel Detection Registry Check]
  6. Exploit-DB: exploits/windows/local/14403.txt
    [EDB-14403: Microsoft Windows - Automatic .LNK Shortcut File Code Execution]
  7. Exploit-DB: exploits/windows/remote/16574.rb
    [EDB-16574: Microsoft Windows - Shell LNK Code Execution (MS10-046) (Metasploit)]
  8. GitHub: https://github.com/jisosomppi/pentesting
    [CVE-2010-2568]
  9. GitHub: https://github.com/offensive-security/exploitdb-bin-sploits/blob/master/bin-sploits/14403.rar
    [EDB-14403]
  10. Immunity Canvas: CANVAS

Before running any exploit against any system, make sure you are authorized by the owner of the target system(s) to perform such activity. In any other case, this would be considered as an illegal activity.

WARNING: Beware of using unverified exploits from sources such as GitHub or Exploit-DB. These exploits and PoCs could contain malware. For more information, see how to use exploits safely.

Risk Information

CVSS V2 Vector [?]: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:H/RL:OF/RC:C
CVSS Base Score:9.3 (High)
Impact Subscore:10.0
Exploitability Subscore:8.6
CVSS Temporal Score:8.1 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:8.1 (High)
CVSS V3 Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:H/RL:O/RC:C
CVSS Base Score:8.8 (High)
Impact Subscore:5.9
Exploitability Subscore:2.8
CVSS Temporal Score:8.4 (High)
CVSS Environmental Score:NA (None)
Modified Impact Subscore:NA
Overall CVSS Score:8.4 (High)

Go back to menu.

Plugin Source

This is the smb_kb_2286198.nasl nessus plugin source code. This script is Copyright (C) 2010-2018 Tenable Network Security, Inc. 

#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


if (description)
{
  script_id(47750);
  script_version("1.25");
  script_cvs_date("Date: 2018/11/15 20:50:28");

  script_cve_id("CVE-2010-2568");
  script_bugtraq_id(41732);
  script_xref(name:"CERT", value:"940193");
  script_xref(name:"EDB-ID", value:"14403");
  script_xref(name:"MSFT", value:"MS10-046");
  script_xref(name:"Secunia", value:"40647");
  script_xref(name:"MSKB", value:"2286198");

  script_name(english:"MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP)");
  script_summary(english:"Checks if displaying shortcut icons has been disabled");

  script_set_attribute(attribute:"synopsis", value:
"It may be possible to execute arbitrary code on the remote Windows
host using a malicious shortcut file.");
  script_set_attribute(attribute:"description", value:
"Windows Shell does not properly validate the parameters of a shortcut
file when loading its icon. Attempting to parse the icon of a
specially crafted shortcut file can result in arbitrary code
execution. A remote attacker could exploit this by tricking a user
into viewing a malicious shortcut file via Windows Explorer, or any
other application that parses the shortcut's icon. This can also be
exploited by an attacker who tricks a user into inserting removable
media containing a malicious shortcut (e.g. CD, USB drive), and
AutoPlay is enabled.

EASYHOOKUP is one of multiple Equation Group vulnerabilities and
exploits disclosed on 2017/04/14 by a group known as the Shadow
Brokers.");
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityAdvisories/2010/2286198");
  script_set_attribute(
    attribute:"see_also",
    value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2010/ms10-046"
  );
  script_set_attribute(attribute:"solution", value:
"Either apply the MS10-046 patch or disable the displaying of shortcut
icons (refer to the Microsoft advisory).");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:H/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:H/RL:O/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");
  script_set_attribute(attribute:"exploit_framework_core", value:"true");
  script_set_attribute(attribute:"exploited_by_malware", value:"true");
  script_set_attribute(attribute:"metasploit_name", value:'Microsoft Windows Shell LNK Code Execution');
  script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
  script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
  script_set_attribute(attribute:"canvas_package", value:'CANVAS');

  script_set_attribute(attribute:"vuln_publication_date", value:"2010/07/15");
  script_set_attribute(attribute:"plugin_publication_date", value:"2010/07/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"in_the_news", value:"true");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows");

  script_copyright(english:"This script is Copyright (C) 2010-2018 Tenable Network Security, Inc.");

  script_dependencies("smb_hotfixes.nasl", "smb_nt_ms10-046.nasl");
  script_require_keys("SMB/Registry/Enumerated", "SMB/WindowsVersion");
  script_require_ports(139, 445);

  exit(0);
}


include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");
include("audit.inc");


get_kb_item_or_exit('SMB/WindowsVersion');
if (hotfix_check_sp(xp:4, win2003:3, vista:3, win7:1) <= 0)
  exit(0, 'Host is not affected based on its version / service pack.');
if (!get_kb_item("SMB/Missing/MS10-046")) exit(0, "The host is not affected because the 'SMB/Missing/MS10-046' KB item is missing.");

# Connect to the appropriate share.
login   =  kb_smb_login();
pass    =  kb_smb_password();
domain  =  kb_smb_domain();
port    =  kb_smb_transport();

if(! smb_session_init()) audit(AUDIT_FN_FAIL, 'smb_session_init');

rc = NetUseAdd(login:login, password:pass, domain:domain, share:"IPC$");
if (rc != 1)
{
  NetUseDel();
  exit(1, "Can't connect to IPC$ share.");
}

hkcr = RegConnectRegistry(hkey:HKEY_CLASS_ROOT);
if (isnull(hkcr))
{
  NetUseDel();
  exit(1, "Can't connect to remote registry.");
}

keys = make_list(
  'lnkfile\\shellex\\IconHandler',
  'piffile\\shellex\\IconHandler'
);

vuln = make_array();

foreach key (keys)
{
  key_h = RegOpenKey(handle:hkcr, key:key, mode:MAXIMUM_ALLOWED);
  icon_handler = NULL;

  if (!isnull(key_h))
  {
    value = RegQueryValue(handle:key_h, item:NULL);
    if (!isnull(value[1])) vuln[key] = value[1];
    RegCloseKey(handle:key_h);
  }
}

RegCloseKey(handle:hkcr);
NetUseDel();

if (max_index(keys(vuln)) > 0)
{
  if (report_verbosity > 0)
  {
    if (max_index(keys(vuln)) > 1) s = 'ies';
    else s = 'y';
    report =
      '\nAccording to the following registry entr'+s+', displaying shortcut' +
      '\nicons has not been disabled :\n';

    foreach key (keys(vuln))
    {
      report +=
        '\n  Key   : HKEY_CLASS_ROOT\\' + key +
        '\n  Value : ' + vuln[key] + '\n';
    }

    security_hole(port:port, extra:report);
  }
  else security_hole(port);
}
else exit(0, 'Displaying shortcut icons has been disabled.');

The latest version of this script can be found in these locations depending on your platform:

  • Linux / Unix:
    /opt/nessus/lib/nessus/plugins/smb_kb_2286198.nasl
  • Windows:
    C:\ProgramData\Tenable\Nessus\nessus\plugins\smb_kb_2286198.nasl
  • Mac OS X:
    /Library/Nessus/run/lib/nessus/plugins/smb_kb_2286198.nasl

Go back to menu.

How to Run

Here is how to run the MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP) as a standalone plugin via the Nessus web user interface (https://localhost:8834/):

  1. Click to start a New Scan.
  2. Select Advanced Scan.
  3. Navigate to the Plugins tab.
  4. On the top right corner click to Disable All plugins.
  5. On the left side table select Windows plugin family.
  6. On the right side table select MS KB2286198: Windows Shell Shortcut Icon Parsing Arbitrary Code Execution (EASYHOOKUP) plugin ID 47750.
  7. Specify the target on the Settings tab and click to Save the scan.
  8. Run the scan.

Here are a few examples of how to run the plugin in the command line. Note that the examples below demonstrate the usage on the Linux / Unix platform.

Basic usage:

/opt/nessus/bin/nasl smb_kb_2286198.nasl -t <IP/HOST>

Run the plugin with audit trail message on the console:

/opt/nessus/bin/nasl -a smb_kb_2286198.nasl -t <IP/HOST>

Run the plugin with trace script execution written to the console (useful for debugging):

/opt/nessus/bin/nasl -T - smb_kb_2286198.nasl -t <IP/HOST>

Run the plugin with using a state file for the target and updating it (useful for running multiple plugins on the target):

/opt/nessus/bin/nasl -K /tmp/state smb_kb_2286198.nasl -t <IP/HOST>

Go back to menu.

References

BID | SecurityFocus Bugtraq ID: MSKB | Microsoft Knowledge Base: MSFT | Microsoft Security Bulletin:
  • MS10-046
CERT | Computer Emergency Response Team: Secunia Advisory: See also: Similar and related Nessus plugins:
  • 48216 - MS10-046: Vulnerability in Windows Shell Could Allow Remote Code Execution (2286198) (EASYHOOKUP)
  • 47045 - MS KB2219475: Windows Help Center hcp:// Protocol Handler Arbitrary Code Execution
  • 49274 - MS KB2401593: Microsoft Outlook Web Access (OWA) CSRF
  • 51587 - MS KB2488013: Internet Explorer CSS Import Rule Processing Arbitrary Code Execution
  • 62224 - MS KB2755399: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
  • 63372 - MS KB2794220: Vulnerability in Internet Explorer Could Allow Remote Code Execution (deprecated)
  • 64508 - MS KB2811522: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
  • 66423 - MS KB2820197: Update Rollup for ActiveX Kill Bits
  • 71325 - MS KB2907997: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer 10
  • 72286 - MS KB2929825: Update for Vulnerability in Adobe Flash Player in Internet Explorer
  • 73742 - MS KB2961887: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 73865 - MS KB2962393: Update for Vulnerability in Juniper Networks Windows In-Box Junos Pulse Client (Heartbleed)
  • 76416 - MS KB2974008: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 77170 - MS KB2982794: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 77580 - MS KB2987114: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 78444 - MS KB3001237: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 79145 - MS KB3004150: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 78447 - MS KB3009008: Vulnerability in SSL 3.0 Could Allow Information Disclosure (POODLE)
  • 81209 - MS KB3021953: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 81046 - MS KB3035034: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 81732 - MS KB3044132: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 82823 - MS KB3049508: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 83369 - MS KB3061904: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 84058 - MS KB3062760: Update for Vulnerability in Juniper Networks Windows In-Box Junos Pulse Client (FREAK)
  • 84052 - MS KB3065820: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 84645 - MS KB3065823: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 84367 - MS KB3074219: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 84809 - MS KB3079777: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 85329 - MS KB3087916: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer
  • 86469 - MS KB3105216: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge
  • 87671 - MS KB3132372: Update for Vulnerabilities in Adobe Flash Player in Internet Explorer and Microsoft Edge
  • 100051 - MS Security Advisory 4022344: Security Update for Microsoft Malware Protection Engine
  • 35634 - MS KB960715: Cumulative Security Update of ActiveX Kill Bits
  • 81735 - MS15-020: Vulnerabilities in Microsoft Windows Could Allow Remote Code Execution (3041836) (EASYHOOKUP)

Version

This page has been produced using Nessus Professional 10.1.2 (#68) LINUX, Plugin set 202205072148.
Plugin file smb_kb_2286198.nasl version 1.25. For more plugins, visit the Nessus Plugin Library.

Go back to menu.