Cybersecurity: LNK Stomping Vulnerability

A security vulnerability, CVE-2024-38217, known as LNK Stomping, has been identified in Windows operating systems. This vulnerability exploits a flaw in the handling of Windows shortcut files (LNK files) to bypass the Mark of the Web (MoTW) security feature, potentially allowing malicious code execution without triggering security warnings. It was patched on Mon, Sep 10, 2024.

Technical Details

LNK Stomping targets the Windows Explorer path normalization process. This process can inadvertently remove the MoTW metadata from malicious files, allowing attackers to execute payloads without detection by Smart App Control (SAC) and SmartScreen, key Windows security components.

The attack leverages the complex binary structure of Windows shortcut files, specifically manipulating the LinkTarget IDList component. Attackers craft LNK files with abnormal path configurations that trigger Windows Explorer to perform canonicalization operations. During this process, the system overwrites the original LNK file, removing the NTFS Alternate Data Stream (ADS) called Zone.Identifier, which contains the MoTW metadata. This removal occurs before security checks, allowing the attack to proceed undetected.

Exploitation Techniques

• PathSegment Attacks: Place entire file paths within a single IDList array element.
• Dot Attacks: Append periods or spaces to execution target paths.
• Relative Attacks: Use only filenames without complete path specifications.

These techniques create structural inconsistencies that exploit the normalization vulnerability.

Impact and Detection

Security researchers have identified numerous LNK Stomping samples on platforms like VirusTotal, indicating long-standing exploitation. The technique’s effectiveness is attributed to its ability to mimic legitimate system behavior, making detection challenging for traditional signature-based methods.

The inclusion of CVE-2024-38217 in CISA’s Known Exploited Vulnerabilities (KEV) catalog confirms its active exploitation. The persistence of this vulnerability underscores the importance of format-level security research and behavior-based analysis to identify unknown evasion techniques.