CWE-64: Windows Shortcut Following (.LNK)

Learn about CWE-64 (Windows Shortcut Following (.LNK)), its security impact, exploitation methods, and prevention guidelines.

What is Windows Shortcut Following (.LNK)?

• Overview: This vulnerability involves improper handling of Windows shortcut files (.LNK) within software. When an application opens such shortcuts without verifying their targets, it can be tricked into accessing files outside its intended control, potentially giving attackers access to unauthorized files.

• Exploitation Methods:

  • Attackers can create a malicious .LNK file pointing to sensitive files, tricking a program into accessing them.
  • Common attack patterns include social engineering tactics like disguising shortcuts as legitimate files or embedding them in documents.

• Security Impact:

  • Direct consequences include unauthorized file access, allowing attackers to read or modify sensitive data.
  • Potential cascading effects include further exploitation of compromised data, leading to larger security breaches.
  • Business impact could involve data leakage, compliance violations, and damage to reputation.

• Prevention Guidelines:

  • Implement rigorous checks to ensure .LNK targets are within approved directories or resources.
  • Follow the principle of least privilege, ensuring applications operate with minimal permissions.
  • Use recommended security libraries and frameworks that offer built-in protections against such vulnerabilities.

Corgea can automatically detect and fix Windows Shortcut Following (.LNK) in your codebase. [Try Corgea free today](https://corgea.app).

Technical Details

Likelihood of Exploit: Low

Affected Languages: Not Language-Specific

Affected Technologies: Not specified

Vulnerable Code Example

import os

def open_file(file_path):
    # Vulnerable Code: This function follows .LNK files without checking their targets.
    if os.path.exists(file_path):
        with open(file_path, 'r') as f:
            return f.read()
    return None

# Example usage:
# open_file('C:\\Users\\Public\\Documents\\malicious_link.lnk')

Explanation:

  • Vulnerability: The code does not check if the provided path is a Windows shortcut (.LNK) file. Attackers can exploit this to redirect the application to unauthorized files outside the controlled directory, potentially exposing sensitive data. This is particularly dangerous as .LNK files can point to any location on the system.

How to fix Windows Shortcut Following (.LNK)?

To mitigate this vulnerability, follow these best practices:

  1. Identify and Handle .LNK Files: Before opening a file, check if it is a .LNK file and validate its target path to ensure it is within the intended directory.
  2. Whitelist Directories: Only allow file access from specific, trusted directories.
  3. Log and Monitor: Implement logging for file access attempts, especially for .LNK files, to detect suspicious activities.

Fixed Code Example

import os
import subprocess

def is_within_directory(path, directory):
    # Helper function to check if a path is within a specific directory.
    # Compare whole normalised path components instead of a raw string prefix,
    # so that C:\Docs2 is not accepted as being inside C:\Docs.
    abs_directory = os.path.normcase(os.path.realpath(directory))
    abs_path = os.path.normcase(os.path.realpath(path))
    try:
        return os.path.commonpath([abs_directory, abs_path]) == abs_directory
    except ValueError:
        # Different drives, or mixed absolute/relative paths: never inside
        return False

def resolve_lnk(lnk_path):
    # Resolves the target of a .lnk file via WScript.Shell (works on Windows only)
    if os.path.splitext(lnk_path)[1].lower() != '.lnk':
        return lnk_path
    # Single quotes are doubled so the path cannot break out of the PowerShell
    # string literal, and the command is passed as an argument list (no shell=True)
    # so nothing in lnk_path is ever interpreted by cmd.exe.
    escaped = lnk_path.replace("'", "''")
    cmd = ['powershell', '-NoProfile', '-NonInteractive', '-Command',
           f"(New-Object -COM WScript.Shell).CreateShortcut('{escaped}').TargetPath"]
    try:
        target_path = subprocess.check_output(cmd, text=True).strip()
    except (subprocess.CalledProcessError, FileNotFoundError):
        # Handle error if the .lnk resolution fails (or PowerShell is unavailable)
        return None
    # An empty TargetPath means the shortcut has no resolvable file target
    return target_path or None

def open_file(file_path, trusted_directory):
    # Fixed Code: resolve a .lnk to its target and ensure the target is within the trusted directory.
    resolved_path = resolve_lnk(file_path)
    if resolved_path and is_within_directory(resolved_path, trusted_directory):
        with open(resolved_path, 'r') as f:
            return f.read()
    return None

# Example usage:
# open_file('C:\\Users\\Public\\Documents\\malicious_link.lnk', 'C:\\Users\\Public\\Documents\\')

Explanation:

  • LNK Resolution: The resolve_lnk function resolves the target of a .LNK file using PowerShell on Windows. It ensures that the application does not blindly follow the shortcut, and includes error handling for cases where resolution fails.
  • Directory Whitelisting: The is_within_directory function checks if the resolved path is within a trusted directory. This prevents unauthorized access to files outside the specified directory.
  • Secure File Handling: By verifying both the shortcut resolution and the file's directory, the application only processes files from safe locations, thus mitigating the vulnerability. This ensures that even if a malicious .LNK file is encountered, it will not lead to unauthorized file access.
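As an added example (not Corgea's code), the same mitigation done without launching PowerShell: the shortcut's target is read straight from the Shell Link (MS-SHLLINK) binary format's LinkInfo block, then checked against the trusted directory with a component-wise comparison that rejects prefix tricks (Documents2), `..` segments and other drives. It goes beyond the page's fix in parsing the format itself; it handles only shortcuts with a local LocalBasePath (not IDList-only or network links), and `build_lnk` is a constructed minimal sample, not a real shortcut.

```python
import ntpath
import struct

HEADER_SIZE = 0x4C   # constants from the MS-SHLLINK (Shell Link binary format) specification
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
VOLUME_ID_AND_LOCAL_BASE_PATH = 0x01

def extract_lnk_target(data):
    # Return the local target path stored in a .LNK blob, or None if there is none
    if len(data) < HEADER_SIZE or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LINK_CLSID:
        return None                      # not a Shell Link file at all
    link_flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = HEADER_SIZE
    if link_flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]   # skip the IDList
    if not link_flags & HAS_LINK_INFO:
        return None                      # no LinkInfo block to read a path from
    info_size, _hdr, info_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
    if not info_flags & VOLUME_ID_AND_LOCAL_BASE_PATH or max(base_off, suffix_off) >= info_size:
        return None                      # network-relative link, or offsets outside LinkInfo
    def cstr(off):                       # NUL-terminated ANSI string at LinkInfo + off
        return data[pos + off:data.index(b"\x00", pos + off)].decode("cp1252")
    return cstr(base_off) + cstr(suffix_off)   # LocalBasePath + CommonPathSuffix

def is_within_directory(path, directory):
    # Compare whole normalised components: C:\Docs2 is not inside C:\Docs (startswith would say yes)
    root, target = (ntpath.normcase(ntpath.normpath(p)) for p in (directory, path))
    try:
        return ntpath.commonpath([root, target]) == root
    except ValueError:                   # different drives, or absolute vs relative
        return False

def safe_lnk_target(data, trusted_directory):
    # Resolve the shortcut, then allow the target only if it lies inside trusted_directory
    try:
        target = extract_lnk_target(data)
    except (ValueError, struct.error):   # truncated or malformed LinkInfo
        return None
    return target if target and is_within_directory(target, trusted_directory) else None

def build_lnk(local_base_path):
    # Constructed sample (assumption, not a real shortcut): header + VolumeID + LinkInfo
    base = local_base_path.encode("cp1252") + b"\x00"
    volume_id = struct.pack("<4I", 0x11, 3, 0, 0x10) + b"\x00"  # DRIVE_FIXED, empty label
    base_off = 0x1C + len(volume_id)
    suffix_off = base_off + len(base)
    link_info = struct.pack("<7I", suffix_off + 1, 0x1C, VOLUME_ID_AND_LOCAL_BASE_PATH,
                            0x1C, base_off, 0, suffix_off) + volume_id + base + b"\x00"
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID + struct.pack("<I", HAS_LINK_INFO)
    return header.ljust(HEADER_SIZE, b"\x00") + link_info
```

Read the .lnk bytes with `open(path, 'rb')` and pass them to `safe_lnk_target`; only a non-None result should ever be opened.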