CVE-2015-0096
Published 2015-03-11
Priority: P2 · 79 · critical · 9.3 (CVSS 2.0) · AV:N/AC:M/Au:N/C:C/I:C/A:C
Exploited in the wild (ITW, public exploit, VulnCheck KEV)
EPSS: 71.08% (99.3rd percentile)
Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 allows local users to gain privileges via a Trojan horse DLL in the current working directory, leading to DLL loading during Windows Explorer access to the icon of a crafted shortcut, aka "DLL Planting Remote Code Execution Vulnerability."
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | windows_server_2008 | — | — |
| microsoft | windows_server_2012 | — | — |
Detection & IOCs (extracted from sources)
YARA rule:
```yara
rule lnk_wiped {
    meta:
        author = "gvenere"
        description = "LNK with wiped metadata"
    strings:
        $lnk_magic = { 4c 00 00 00 }
        $ext1 = ".js"
        $ext2 = ".bat"
        $ext3 = ".cmd"
    condition:
        $lnk_magic at 0x0 and
        uint16(0x1c) == 0x0 and
        uint16(0x24) == 0x0 and
        uint16(0x2c) == 0x0 and
        ( any of ($ext*) in (0xa0..0x100) )
}
```
- CVE-2015-0096 exploits DLL loading triggered when Windows Explorer renders the icon of a crafted .LNK shortcut file pointing to a malicious DLL on a remote SMB share; monitor for Explorer loading DLLs from UNC/SMB paths.
- Meterpreter-generated LNK exploit files for CVE-2015-0096 have all metadata fields (CreationTime, AccessTime, WriteTime) wiped to zero, and the malicious payload is embedded in fields not parsed by standard LNK parsers; detect LNK files where all three timestamp fields at offsets 0x1c, 0x24 and 0x2c are zero.
- The Metasploit module ms15_020_shortcut_icon_dllloader creates an SMB resource to serve the payload DLL and generates a crafted LNK file; detect SMB-hosted DLL loads initiated by explorer.exe as a result of LNK icon rendering.
- LNK files crafted for CVE-2015-0096 use a Control Panel Applet ItemID structure (byte 0x6a at offset 11 within the ItemID data) to reference a DLL path; the IDList contains specific shell GUIDs for 'This PC' and 'All Control Panel Items' followed by a CPL applet entry pointing to the malicious DLL.
- CVE-2017-8464 (a variant of CVE-2015-0096/MS15-020) adds a SpecialFolderDataBlock with SpecialFolderID 0x03 (CSIDL_CONTROLS) to bypass the CPL whitelist; the presence of BlockSignature 0xA0000005 with SpecialFolderID 0x03 in the LNK ExtraData is a strong indicator of exploit-crafted files.
- LNK files with LinkFlags value 0x81 (HasLinkTargetIDList | IsUnicode) and all timestamp fields zeroed, combined with a CPL applet IDList entry, are characteristic of exploit-generated shortcut files for this vulnerability class.
- The Metasploit module ms15_020_shortcut_icon_dllloader was tested successfully only on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32-bit) with MS14-027 installed; exploit reliability on other targets may vary.
- The CVE-2017-8464 Metasploit variant (a bypass of CVE-2015-0096's fix) does not work with UNC paths and instead requires the DLL to be placed at the root of a drive (e.g., a USB drive or shared VM folder), with LNK files generated per drive letter D–Z.
- The YARA rule for wiped-metadata LNK detection includes extension checks (.js, .bat, .cmd) tuned for Qakbot; these additional string conditions should be adjusted when hunting for CVE-2015-0096 exploit files specifically, as those will not necessarily contain those extensions.
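As an added example (not from any of the sources quoted on this page), a Python checker that applies the traits listed above to raw .LNK bytes: zeroed timestamps at 0x1c/0x24/0x2c, LinkFlags 0x81, and a SpecialFolderDataBlock (0xA0000005) whose SpecialFolderID is 0x03. The ExtraData walk assumes the MS-SHLLINK layout (LinkTargetIDList, LinkInfo and StringData precede ExtraData); the sample buffer is constructed inline and is not a usable shortcut.

```python
import struct

LNK_MAGIC = b"\x4c\x00\x00\x00"                       # HeaderSize 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FLAGS = (0x04, 0x08, 0x10, 0x20, 0x40)        # NAME, RELATIVE_PATH, WORKING_DIR, ARGUMENTS, ICON_LOCATION
SPECIAL_FOLDER_SIG, CSIDL_CONTROLS = 0xA0000005, 0x03

def extra_data_blocks(data, flags):
    """Skip LinkTargetIDList, LinkInfo and StringData, then yield (signature, body) per ExtraData block."""
    pos = 0x4C
    if flags & HAS_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]        # IDListSize + IDList bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", data, pos)[0]            # LinkInfoSize covers the whole structure
    width = 2 if flags & IS_UNICODE else 1
    for f in STRING_FLAGS:
        if flags & f:
            pos += 2 + width * struct.unpack_from("<H", data, pos)[0]  # CountCharacters + string
    while pos + 8 <= len(data):
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:                                             # TerminalBlock ends ExtraData
            break
        yield sig, data[pos + 8:pos + size]
        pos += size

def lnk_indicators(data):
    """Names of the exploit-crafted traits (see the bullets above) present in a .LNK buffer."""
    hits = []
    if len(data) < 0x4C or data[:4] != LNK_MAGIC:
        return hits
    flags = struct.unpack_from("<I", data, 0x14)[0]
    if all(struct.unpack_from("<Q", data, off)[0] == 0 for off in (0x1C, 0x24, 0x2C)):
        hits.append("timestamps_wiped")                          # CreationTime/AccessTime/WriteTime all zero
    if flags == 0x81:
        hits.append("linkflags_0x81")                            # HasLinkTargetIDList | IsUnicode only
    for sig, body in extra_data_blocks(data, flags):
        if sig == SPECIAL_FOLDER_SIG and len(body) >= 4 and struct.unpack_from("<I", body)[0] == CSIDL_CONTROLS:
            hits.append("specialfolder_controls")                # SpecialFolderDataBlock pointing at Control Panel
    return hits

def build_sample(wipe_times=True, special_folder=True):
    """Constructed minimal LNK (header, empty IDList, ExtraData); a test fixture, not a working shortcut."""
    ft = b"\x00" * 8 if wipe_times else struct.pack("<Q", 0x01D0000000000000)
    header = LNK_MAGIC + LNK_CLSID + struct.pack("<II", 0x81, 0) + ft * 3 + struct.pack("<IiIHHII", 0, 0, 1, 0, 0, 0, 0)
    idlist = struct.pack("<HH", 2, 0)                            # IDListSize=2 covering only the TerminalID
    extra = struct.pack("<IIII", 0x10, SPECIAL_FOLDER_SIG, CSIDL_CONTROLS, 0) if special_folder else b""
    return header + idlist + extra + struct.pack("<I", 0)       # trailing TerminalBlock
```

Run `lnk_indicators` over the bytes of each shortcut found in mail attachments or removable media; a benign shortcut normally trips none of the three checks, while one tripping all three matches the profile described above.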
CVSS provenance
- nvd: v2.0 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
- vulncheck: 9.3 CRITICAL
GHSA
GHSA-hq49-4fx9-hw5v · ghsa_unreviewed · 2022-05-14 · CVE-2015-0096 [HIGH] · CWE-426 (Untrusted Search Path)
Untrusted search path vulnerability in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 (same description as the NVD entry above).
VulnCheck
Microsoft Windows Untrusted Search Path · vulncheck · 2015 · CVSS 9.3 [CRITICAL] · CVE-2015-0096
Affected: Microsoft Windows
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.welivesecurity.com/wp-content/uploads/2021/12/eset_jumping_the_air
No detection rules found.
Exploit-DB
Microsoft Windows - '.LNK' Shortcut File Code Execution · exploitdb · 2017-08-06 · CVSS 8.8 · CVE-2017-8464 [HIGH]
---
```python
#!/usr/bin/python
# -*- coding: utf-8 -*-
# Title : CVE-2017-8464 | LNK Remote Code Execution Vulnerability
# CVE : 2017-8464
# Authors : [ykoster, nixawk]
# Notice : Only for educational purposes.
# Support : python2
import struct

def generate_SHELL_LINK_HEADER():
    #  _________________________________________________________________
    # | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | |
    # |0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|2|3|4|5|6|7|8|9|0|1|
    # -----------------------------------------------------------------
    # |                          HeaderSize                           |
    # -----------------------------------------------------------------
    # |                     LinkCLSID (16 bytes)                      |
    # -----------------------------------------------------------------
    # |                              ...                              |
    # ----
```
Exploit-DB
Microsoft Windows - '.LNK' Shortcut File Code Execution (Metasploit) · exploitdb · 2017-07-26 · CVSS 9.3 · CVE-2017-8464 [CRITICAL]
---
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'LNK Remote Code Execution Vulnerability',
      'Description' => %q{
        This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK)
        that contain a dynamic icon, loaded from a malicious DLL.
        This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is
        similar except an additional SpecialFolderDataBlock is included. The folder ID set
        in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass
        the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary
        DLL file.
      },
```
Exploit-DB
Microsoft Windows - Automatic .LNK Shortcut File Code Execution · exploitdb · 2010-07-18 · CVE-2015-0096
---
From: http://www.ivanlef0u.tuxfamily.org/?p=411
1. Unzip the files in 'C:\'. Start a DbgView or paste a KD to your VM.
2. Rename 'suckme.lnk_' to 'suckme.lnk' and let the magic do the rest of shell32.dll.
3. Look at your logs.
http://ivanlef0u.nibbles.fr/repo/suckme.rar
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/14403.rar (suckme.rar)
Tested under XP SP3.
```text
kd> g
Breakpoint 1 hit
eax=00000001 ebx=00f5ee7c ecx=0000c666 edx=00200003 esi=00000001 edi=7c80a6e4
eip=7ca78712 esp=00f5e9c4 ebp=00f5ec18 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
SHELL32!_LoadCPLModule+0x10d:
001b:7ca78712 ff15a0159d7c    call    dword ptr [SHELL32!_imp__LoadLibrar
```
Metasploit
Microsoft Windows Shell LNK Code Execution · metasploit
This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This creates an SMB resource to provide the payload and the trigger, and generates a LNK file which must be sent to the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32-bit) with MS14-027 installed.
Metasploit
LNK Code Execution Vulnerability · metasploit · CVSS 9.3 · CVE-2015-0096 [CRITICAL]
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. If no PATH is specified, the module will use drive letters D through Z so the files may be placed in the root path of a drive such as a shared VM folder or USB drive.
Metasploit
Microsoft Windows Shell LNK Code Execution · metasploit
This module exploits a vulnerability in the MS10-046 patch to abuse (again) the handling of Windows Shortcut files (.LNK) that contain an icon resource pointing to a malicious DLL. This module creates the required files to exploit the vulnerability. They must be uploaded to a UNC path accessible by the target. This module has been tested successfully on Windows 2003 SP2 with MS10-046 installed and Windows 2008 SP2 (32-bit) with MS14-027 installed.
Metasploit
LNK Code Execution Vulnerability · metasploit · CVSS 9.3 · CVE-2015-0096 [CRITICAL]
This module exploits a vulnerability in the handling of Windows Shortcut files (.LNK) that contain a dynamic icon, loaded from a malicious DLL. This vulnerability is a variant of MS15-020 (CVE-2015-0096). The created LNK file is similar except an additional SpecialFolderDataBlock is included. The folder ID set in this SpecialFolderDataBlock is set to the Control Panel. This is enough to bypass the CPL whitelist. This bypass can be used to trick Windows into loading an arbitrary DLL file. The PATH option must be an absolute path to a writeable directory which is indexed for searching. If no PATH is specified, the module defaults to %USERPROFILE%.
Talos
Following the LNK metadata trail · blogs_talos · 2023-01-19
- Adversaries' shift toward Shell Link (LNK) files, likely sparked by Microsoft's decision to block macros, provides the opportunity to capitalize on information that can be provided by LNK metadata.
- Cisco Talos analyzed metadata in LNK files and correlated it with threat actors' tactics, techniques and procedures to identify and track threat actor activity. This report outlines our research on Qakbot and Gamaredon as examples.
- Talos also used LNK file metadata to identify relationships among different threat actors. In this report we demonstrate this by using metadata to connect Bumblebee with IcedID and Qakbot respectively.
# Executive Summary
Microsoft announced at the beginning of 2022 that they would soon start to disable macros by default in Office documents downloaded from the
Talos
Microsoft Patch Tuesday for March 2015: 14 Bulletins Released; FREAK Patched · blogs_talos · 2015-03-10 · CVSS 9.3 [CRITICAL]
Today, Microsoft has released their monthly set of security bulletins designed to address security vulnerabilities within their products. This month's release sees a total of 14 bulletins being released which address 45 CVEs. The first 5 bulletins are rated critical and address vulnerabilities within Internet Explorer, Office, Windows, and VBScript. The remaining 9 bulletins are rated important and cover vulnerabilities within Windows Kernel Mode Drivers, Exchange, Task Scheduler, Remote Desktop, SChannel, and the Microsoft Graphics component.
## Bulletins Rated Critical
MS15-018, MS15-019, MS15-020, MS15-021, and MS15-022 are rated Critical.
MS15-018 addresses multiple vulnerabilities within Internet Explorer, versions 6 through 11. 12 CVEs were resolved this month, including CVE-2015-0
Qualys
Patch Tuesday March 2015 | Qualys · blogs_qualys · 2015-03-10 · CVSS 4.3 [MEDIUM]
It is March Patch Tuesday 2015, but similar to last month we are having more issues than expected in a normal month. Or maybe that is the new normal: patches from Microsoft, Adobe and a set of other security issues to deal with.
Before we get to these patches, it's important to note that we also had two out-of-band issues this month: FREAK and Superfish.
## FREAK
FREAK is a vulnerability in SSL, discovered by the team at SMACKTLS. The vulnerability allows an attacker that has a Man-in-the-Middle (MITM) position to downgrade your computer's SSL communication to an export grade cipher (512 bit RSA), which is breakable relatively quickly (< 24 hours). Once the attacker has the key she can eavesdrop on your communication and even modify it and redirect you to impostor sites. SMACKTLS has a
References
- http://www.securityfocus.com/bid/72894
- http://www.securitytracker.com/id/1031890
- https://docs.microsoft.com/en-us/security-updates/securitybulletins/2015/ms15-020