September 2024 Windows Updates brought a patch for CVE-2024-38217 a.k.a. "LNK Stomping", a security bypass vulnerability allowing an attacker to prevent the "Mark of the Web" (MotW) from being applied to a downloaded malicious file.
The vulnerability was reported by security researcher Joe Desimone with Elastic Security, who published a detailed analysis and shared a proof-of-concept. This allowed us to reproduce the issue and create our own patches for various security-adopted Windows versions that are no longer receiving updates from Microsoft.
The Vulnerability
Any downloaded file should get a Mark of the Web (a label in its alternate data stream marking its untrusted origin), and this also goes for LNK (Windows shortcut) files. A LNK file points to an executable file, such as powershell.exe or cmd.exe, which gets executed with optional command-line arguments when a user double-clicks the shortcut.
However, when a LNK file points to an executable file ending with some additional character (e.g., an extra dot), Windows automatically corrects this by removing the extra character from the path and saving the corrected LNK file back to disk - removing the Mark of the Web in the process.
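A triage check for the state this leaves on disk, as an added example that is not part of the original article or of 0patch's code: it reads each file's Zone.Identifier stream and lists LNK files without an internet-zone mark in folders where a sibling file still carries one. The sibling heuristic, the function names and the Downloads scan root are assumptions; locally created shortcuts also lack the mark, so a hit is a lead, not a verdict.

```python
import os

INTERNET_ZONES = {3, 4}  # URLZONE_INTERNET and URLZONE_UNTRUSTED

def parse_zone_id(ads_text):
    """Return ZoneId from Zone.Identifier stream text, or None if absent or malformed."""
    in_section = False
    for line in ads_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_section = line.lower() == "[zonetransfer]"
        elif in_section and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "zoneid":
                try:
                    return int(value)
                except ValueError:
                    return None
    return None

def read_motw(path):
    """Read the Zone.Identifier alternate data stream (NTFS only); None if missing."""
    try:
        with open(path + ":Zone.Identifier", encoding="utf-8-sig", errors="replace") as f:
            return f.read()
    except OSError:
        return None

def unmarked_shortcuts(root, read_stream=read_motw):
    """List .lnk files lacking an internet-zone mark in folders where a sibling has one."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        zones = {n: parse_zone_id(read_stream(os.path.join(dirpath, n)) or "") for n in files}
        if not any(z in INTERNET_ZONES for z in zones.values()):
            continue  # nothing in this folder is marked as downloaded
        hits += [os.path.join(dirpath, n) for n in sorted(zones)
                 if n.lower().endswith(".lnk") and zones[n] not in INTERNET_ZONES]
    return hits

if __name__ == "__main__":
    # Assumed scan root: the current user's Downloads folder.
    for path in unmarked_shortcuts(os.path.expanduser(r"~\Downloads")):
        print("no MotW:", path)
```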
Microsoft's Patch
Microsoft patched this issue by modifying the CShellLink::_SaveAsLink function such that instead of calling SHCreateStreamOnFileW when saving a corrected LNK file, it now calls SHCreateStreamOnFileEx using an additional flag, which results in MotW not being deleted in the process.
Our Micropatch
Our patch is functionally identical to Microsoft's.
Micropatch Availability
Micropatches were written for the following security-adopted versions of Windows with all available Windows Updates installed:
- Windows 11 v21H2 - fully updated
- Windows 10 v21H2 - fully updated
- Windows 10 v21H1 - fully updated
- Windows 10 v20H2 - fully updated
- Windows 10 v2004 - fully updated
- Windows 10 v1909 - fully updated
- Windows 10 v1809 - fully updated
- Windows 10 v1803 - fully updated
- Windows 7 - fully updated with no ESU, ESU 1, ESU 2 or ESU 3
- Windows Server 2012, Server 2012 R2 - fully updated with no ESU
- Windows Server 2008 R2 - fully updated with no ESU, ESU 1, ESU 2, ESU 3 or ESU 4
Vulnerabilities like these get discovered on a regular basis, and attackers know about them all. If you're using Windows versions that aren't receiving official security updates anymore, 0patch will make sure these vulnerabilities won't be exploited on your computers - and you won't even have to know or care about these things.
If you're new to 0patch, create a free account in 0patch Central, start a free trial, then install and register 0patch Agent. Everything else will happen automatically. No computer reboot will be needed.
We would like to thank Joe Desimone with Elastic Security for sharing their analysis and proof-of-concept, which made it possible for us to create a micropatch for this issue.
To learn more about 0patch, please visit our Help Center.
Article Link: 0patch Blog: Micropatches for "LNK Stomping" Windows Mark of the Web Security Feature Bypass (CVE-2024-38217)