Listen to this Post
CVE-2024-38217, also known as LNK Stomping, is a vulnerability in Windows Shell that allows attackers to bypass the Mark of the Web (MoTW) security feature. MoTW is an identifier Windows adds to files downloaded from the internet, which triggers security checks like SmartScreen. The flaw resides in how Windows Explorer handles specially crafted shortcut (.lnk) files. When a user clicks a malicious LNK file with an abnormally structured internal path—such as having the entire path in a single array, ending with a dot or space, or using only a relative filename—Windows Explorer attempts to “normalize” or correct the path . During this process, it overwrites and re-saves the shortcut file, inadvertently stripping away the MoTW metadata (the Zone.Identifier alternate data stream) . Because the security check is removed before the file is fully executed, SmartScreen or Smart App Control does not trigger a warning, allowing the attacker’s code to run . This technique was actively exploited in the wild for years before its discovery and was officially added to CISA’s Known Exploited Vulnerabilities catalog .
Platform: Windows Shell
Version: 10,11,Server
Vulnerability :MoTW Bypass
Severity: HIGH
date: 2024-09-10
Prediction: Patched
What Undercode Say
Analytics
Detection involves monitoring for abnormal LNK file structures and MoTW removal.
Check Zone.Identifier ADS on a suspicious LNK file
Get-Content "malicious.lnk:Zone.Identifier"
Hunt for LNK files with unusual path structures using PowerShell
Get-ChildItem -Path C:\ -Recurse -Filter .lnk -ErrorAction SilentlyContinue | ForEach-Object {
$lnk = $<em>.FullName
Use strings to look for path anomalies indicative of stomping
Select-String -Path $lnk -Pattern "C:\\Windows\\System32" -SimpleMatch | Out-Null
if ($? ) { Write-Host "Potential anomaly in: $lnk" }
}
Monitor process creation for explorer.exe spawning child processes from untrusted locations
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object { $</em>.Properties[bash].Value -match "explorer.exe" -and $_.Properties[bash].Value -match "Temp|Downloads|Users" }
Exploit
The exploit crafts an LNK file where the `LinkTargetIDList` structure is malformed.
Simplified LNK creation with a malformed path (based on research principles)
import struct
... (LNK header and shell item ID creation logic)
PathSegment type: Embed full path in a single IDList array entry
malformed_idlist = b"..." Contains the full target path in one segment
with open("malicious.lnk", "wb") as f:
f.write(lnk_header + malformed_idlist)
Protection
Apply the official patch released September 10, 2024.
Verify installation of the September 2024 or later security update Get-HotFix -Id KB5043083 Example KB for Windows 10; check for your specific OS version
Impact
Successful exploitation allows attackers to execute code without SmartScreen warnings, increasing the success rate of phishing and drive-by download attacks, and leading to potential system compromise.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: www.cve.org
Extra Source Hub:
Undercode

