COMMAND
kernel
SYSTEMS AFFECTED
Win 2000
PROBLEM
Matthew Murphy (Murphy Security Advisory #9) found the following.
Windows .LNK files (shortcuts) give quick access to programs that may
be stored anywhere on the hard drive. Part of this shortcut interface
is the use of hotkeys: keys that, when pressed (for example F10),
run the .LNK file and whatever file it is linked to. The reported
problem has three parts:
A) In Windows, .LNK files can run from any location when their
hotkey is pressed.
B) The user does not have to be the one who placed the shortcut.
C) .LNK files can link to programs not authorized by the user.
So an attacker could place a *.LNK file with a hotkey such as F1
(normally the help hotkey) on a network drive and have it link to an
unsigned *.EXE file on that same drive. When a new system admin
mapped that drive and next hit F1 for help, the .LNK file would run
instead, overriding the usual behavior of starting help and
launching the executable. The linked executable would then have
complete control, compromising whatever privileges the user has,
exactly as if the user had clicked on the file directly. Another
troublesome shortcut hotkey is ALT+F4, which normally closes windows.
Microsoft worked with Matthew over the past several weeks to
investigate this report, but they were unable to reproduce
the issue he describes. Matthew is right that it's possible to
create an .exe file on a mapped share, then make a shortcut to it
on the same share and map a hotkey such as F1 to the shortcut.
All of this is expected behavior, and could only be done by a
user with sufficient permissions on the share.
The report goes on to say that once the .exe, shortcut and hotkey
mapping have been created, the hotkey mapping would take
precedence over any other program's use of the hotkey. So, for
instance, if the attacker had created malware on the share and
assigned it to F1, the reported effect would be to override all
other uses of the F1 key, with the result that any user who
mapped the share and subsequently hit the F1 key would cause the
attacker's malware to run. If this were true, it would indeed be
a security vulnerability. However, MS has been unable to
demonstrate any case in which this happens, even using sample
code Matthew provided us.
SOLUTION
See the Microsoft Knowledge Base article
http://support.microsoft.com/support/kb/articles/Q134/5/52.asp
which reaffirms that shortcut keys only work when the shortcut is in
your Start menu or on your Desktop.
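For an administrator who wants to check which shortcuts in a user's Desktop and Start Menu folders carry a hotkey, here is an added Python example (not code from the advisory or from Microsoft) that reads the hotkey field of the .LNK header; the sample headers it builds are constructed, not real shortcuts, and the F1 and ALT+F4 values match the keys the advisory names.

```python
# Added example, not from the advisory or Microsoft: audit Windows .LNK files for
# hotkey assignments by reading the HotKeyFlags field of the Shell Link header.
import os
import struct

LNK_HEADER_SIZE = 0x4C
# HeaderSize (0x4C) followed by the Shell Link CLSID, as every .LNK file begins.
LNK_MAGIC = struct.pack("<I", LNK_HEADER_SIZE) + bytes.fromhex("0114020000000000c000000000000046")
HOTKEY_OFFSET = 0x40  # low byte: virtual-key code, high byte: modifier flags
MODIFIERS = {0x01: "SHIFT", 0x02: "CTRL", 0x04: "ALT"}

def vk_name(vk):
    """Readable name for a virtual-key code (digits, letters, F1-F24)."""
    if 0x30 <= vk <= 0x39 or 0x41 <= vk <= 0x5A:
        return chr(vk)
    if 0x70 <= vk <= 0x87:
        return "F%d" % (vk - 0x6F)
    return "VK_0x%02X" % vk

def parse_hotkey(data):
    """Hotkey string for .LNK bytes, '' if none is set, None if not a Shell Link header."""
    if len(data) < LNK_HEADER_SIZE or data[:20] != LNK_MAGIC:
        return None
    vk, mods = struct.unpack_from("<BB", data, HOTKEY_OFFSET)
    if vk == 0:
        return ""
    parts = [name for bit, name in MODIFIERS.items() if mods & bit]
    return "+".join(parts + [vk_name(vk)])

def audit_files(files):
    """From (name, bytes) pairs, return [(name, hotkey)] for shortcuts that carry a hotkey."""
    return [(n, k) for n, k in ((n, parse_hotkey(d)) for n, d in files) if k]

def audit_directory(path):
    """Scan every *.lnk under path (e.g. a Desktop or Start Menu folder)."""
    found = []
    for root, _dirs, names in os.walk(path):
        for full in (os.path.join(root, n) for n in names if n.lower().endswith(".lnk")):
            with open(full, "rb") as fh:
                found.append((full, fh.read(LNK_HEADER_SIZE)))
    return audit_files(found)

def make_header(vk=0, mods=0):
    """Constructed minimal 76-byte Shell Link header used only as sample input here."""
    hdr = LNK_MAGIC + b"\x00" * (HOTKEY_OFFSET - len(LNK_MAGIC))
    return hdr + struct.pack("<BB", vk, mods) + b"\x00" * 10

# Constructed samples (not real shortcuts): F1, ALT+F4 and a shortcut with no hotkey.
SAMPLES = [("help.lnk", make_header(0x70)), ("close.lnk", make_header(0x73, 0x04)),
           ("plain.lnk", make_header())]
```

Running audit_directory against a user's Desktop and Start Menu folders lists exactly the shortcuts whose hotkeys the Knowledge Base article says will be honored.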