Attacker Value

High

(1 user assessed)

Exploitability

Very High

(1 user assessed)

User Interaction

Unknown

Privileges Required

Unknown

Attack Vector

Unknown

CVE-2010-2568

Disclosure Date: July 22, 2010 •

CVE-2010-2568

Exploited in the Wild

Reported by loneicewolf

MITRE ATT&CK

Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Collection

Techniques

Validation

Data from Local System

Validated

Data from Removable Media

Validated

Defense Evasion

Techniques

Validation

Rootkit

Validated

Obfuscated Files or Information

Validated

Masquerading: Space after Filename

Validated

Discovery

Techniques

Validation

Query Registry

Validated

Execution

Techniques

Validation

User Execution: Malicious Link

Validated

Exfiltration

Techniques

Validation

Automated Exfiltration

Validated

Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol

Validated

Exfiltration Over Physical Medium

Validated

Exfiltration Over Physical Medium: Exfiltration over USB

Validated

Impact

Techniques

Validation

System Shutdown/Reboot

Validated

Initial Access

Techniques

Validation

Hardware Additions

Validated

Persistence

Techniques

Validation

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Validated

Boot or Logon Autostart Execution: LSASS Driver

Validated

Privilege Escalation

Techniques

Validation

Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Validated

Boot or Logon Autostart Execution: LSASS Driver

Validated

Metasploit Module

Microsoft Windows Shell LNK Code Execution

post/windows/gather/forensics/fanny_bmp_check

Easy to weaponize Gives privileged access Vulnerable in default configuration Requires physical access Requires user interaction

Description

Windows Shell in Microsoft Windows XP SP3, Server 2003 SP2, Vista SP1 and SP2, Server 2008 SP2 and R2, and Windows 7 allows local users or remote attackers to execute arbitrary code via a crafted (1) .LNK or (2) .PIF shortcut file, which is not properly handled during icon display in Windows Explorer, as demonstrated in the wild in July 2010, and originally reported for malware that leverages CVE-2010-2772 in Siemens WinCC SCADA systems.

Add Assessment

loneicewolf (4)

February 08, 2021 8:53pm UTC (3 weeks ago)•

Ratings

Attacker Value

High

Exploitability

Very High

Easy to weaponize Gives privileged access Vulnerable in default configuration Requires physical access Requires user interaction

Technical Analysis

https://github.com/loneicewolf/fanny.bmp/blob/main/Reports/Fanny.BMP(DementiaWheel)_Technical_Report_By_WilliamMartens-2021-10Feb.pdf

Technical Write up: DONE. Finally, it’s available here for read
(and, please feedback! if you have any)
https://www.youtube.com/watch?v=Uto_lcD2f38 POC video for windows xp SP3

Sample: https://github.com/loneicewolf/fanny.bmp

Metasploit Modules

Microsoft Windows Shell LNK Code Execution (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/browser/ms10_046_shortcut_icon_dllloader.rb)

Microsoft Windows Shell LNK Code Execution (https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/windows/smb/ms10_046_shortcut_icon_dllloader.rb)

post/windows/gather/forensics/fanny_bmp_check (https://github.com/rapid7/metasploit-framework/blob/master/modules/post/windows/gather/forensics/fanny_bmp_check.rb)

References

Rapid7

High

CVE-2010-2568

High

Very High

Unknown

Unknown

Unknown

CVE-2010-2568

Description

Add Assessment

Ratings

Technical Analysis

General Information

Metasploit Modules

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

High

CVE-2010-2568

High

Very High

Unknown

Unknown

Unknown

CVE-2010-2568

Description

Add Assessment

Ratings

Technical Analysis

General Information

Metasploit Modules

References

Canonical

Advisory

Miscellaneous

Additional Info

Technical Analysis

Quick Cookie Notification