The Elastic blog post admits that signature-based detection on LNK files is difficult.
A simple Python script to detect abusers of this LNK vulnerability was created by @dez, but it is fragile in that it relies on pylnk3 being able to parse the LNK file without error to be successful.
Out of a set of about 2000 LNK files, lnk_stomping.py fails to analyze about 1400 of them due to errors thrown by pylnk3 (e.g. year out of scope, drive as second element required, utf-8 decode error, struct unpack error).
Out of a set of about 1200 LNK files that abuse the "pathsegment" variant of LNK Stomping, lnk_stomping.py detects 13 of them.
So yeah, lnk_stomping.py is better than nothing. But if you're statically looking at LNK files to see if they are abusing LNK Stomping, you might be better off using exiftool and looking for one of:
1) "Target File DOS Name" has a '\' in it
2) "Target File DOS Name" ends with a '.'
3) "Relative Path" begins with ".\"
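As an added example (not from the post and not lnk_stomping.py), the three exiftool heuristics above as a small Python triage script. It assumes `exiftool -j` spells the tags `TargetFileDOSName` and `RelativePath` (the space-separated names from the post are accepted too), and the sample records at the bottom are constructed, not real exiftool output.

```python
"""Apply the three exiftool-based LNK Stomping heuristics to exiftool -j records."""
import json
import shutil
import subprocess

# exiftool -j emits tag names without spaces; the human-readable names from
# the post are accepted as well (assumed key spellings).
DOS_NAME_KEYS = ("TargetFileDOSName", "Target File DOS Name")
REL_PATH_KEYS = ("RelativePath", "Relative Path")


def _values(meta: dict, keys: tuple) -> list:
    """Collect every value stored under any of `keys`; a tag that exiftool
    repeats (one per shell item) may arrive as a list, so flatten it."""
    out = []
    for k in keys:
        v = meta.get(k)
        if v is not None:
            out.extend(v if isinstance(v, list) else [v])
    return [str(x) for x in out]


def lnk_stomping_indicators(meta: dict) -> list:
    """Return the heuristics (1-3 from the post) that fire for one record."""
    hits = []
    for name in _values(meta, DOS_NAME_KEYS):
        if "\\" in name:
            hits.append("1: Target File DOS Name contains '\\'")
        if name.endswith("."):
            hits.append("2: Target File DOS Name ends with '.'")
    for rel in _values(meta, REL_PATH_KEYS):
        if rel.startswith(".\\"):
            hits.append("3: Relative Path begins with '.\\'")
    return hits


def scan_with_exiftool(paths: list) -> dict:
    """Run exiftool -j over real files and map each path to its indicators.
    Returns {} when exiftool is absent, so the constructed samples still run offline."""
    if not paths or shutil.which("exiftool") is None:
        return {}
    proc = subprocess.run(["exiftool", "-j", *paths], capture_output=True, text=True, check=False)
    return {r.get("SourceFile", "?"): lnk_stomping_indicators(r) for r in json.loads(proc.stdout or "[]")}


# Constructed sample records (not real exiftool output), one per heuristic.
SAMPLES = {
    "benign.lnk": {"TargetFileDOSName": "calc.exe", "RelativePath": "..\\Windows\\System32\\calc.exe"},
    "backslash_in_name.lnk": {"TargetFileDOSName": "cmd.exe\\x", "RelativePath": "..\\cmd.exe"},
    "trailing_dot.lnk": {"TargetFileDOSName": "cmd.exe.", "RelativePath": "..\\cmd.exe"},
    "dot_relpath.lnk": {"TargetFileDOSName": "notepad.exe", "RelativePath": ".\\notepad.exe"},
}

if __name__ == "__main__":
    for fname, meta in SAMPLES.items():
        print(fname, lnk_stomping_indicators(meta) or ["clean"])
```

For a directory of real samples, `scan_with_exiftool(glob.glob("samples/*.lnk"))` applies the same rules to exiftool's actual output.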