Hidden command-line arguments: Beyond target spoofing, Beukema demonstrated a technique for hiding malicious command-line instructions behind legitimate executables. LNK files can launch trusted Windows binaries while passing attacker-controlled instructions through embedded arguments, enabling “living-off-the-land” (LOLBINs) execution without pointing directly to malware.

According to the researcher, this can be done by manipulating the input passed into certain fields within the LNK “ExtraData” section, which holds additional target metadata. Enabling the “HasExpString” flag and configuring the “EnvironmentVariableDataBlock” with the “TargetANSI/TargetUnicode” fields filled with null bytes produces what he described as “unexpected” results.

“First, it disables the target field, meaning the target field becomes read-only and cannot be selected,” Beukema said. “Secondly, it hides the command-line arguments; yet when the LNK is opened, it still passes them on.”

The behavior can be exploited to launch a harmless system component while secretly executing arbitrary commands, such as downloading payloads or running scripts. According to the disclosure, this is a better approach for attackers than exploiting CVE-2025-9491 because it is harder to detect: there is no visible, padded command line.

Beukema noted that this technique, like the others he described, relies on Windows’ normal shortcut handling rather than on a patchable bug, meaning mitigation largely depends on treating untrusted LNK files as potentially dangerous and preventing users from opening them. “Microsoft argues that as it requires the user to do something, without breaking any security boundaries, it is not a security vulnerability,” he said. “This is not entirely unreasonable as ultimately, most of these boil down to being UI bugs.”
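As an added example that is not part of the article or of Beukema's research, the following Python triage script walks the LNK structures the article names (LinkFlags, StringData and the ExtraData blocks, following the documented MS-SHLLINK layout) and flags the combination described above: HasExpString set, an EnvironmentVariableDataBlock whose TargetAnsi/TargetUnicode fields are all null bytes, and a non-empty arguments string that the shortcut UI would hide. The minimal sample shortcut it builds is a constructed test fixture, not a file from the disclosure.

```python
import struct
# LinkFlags bits and ExtraData constants from the documented MS-SHLLINK layout.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 1 << 0, 1 << 1
HAS_ARGUMENTS, IS_UNICODE, HAS_EXP_STRING = 1 << 5, 1 << 7, 1 << 9
STRING_DATA = ((1 << 2, "name"), (1 << 3, "relative_path"), (1 << 4, "working_dir"),
               (1 << 5, "arguments"), (1 << 6, "icon_location"))
ENV_BLOCK_SIG, ENV_BLOCK_SIZE = 0xA0000001, 0x314  # 8 hdr + 260 TargetAnsi + 520 TargetUnicode
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

def parse_lnk(data):  # walk header, optional IDList/LinkInfo, StringData, ExtraData
    flags = struct.unpack_from("<I", data, 0x14)[0]
    off = 0x4C  # fixed ShellLinkHeader size
    if flags & HAS_LINK_TARGET_ID_LIST:
        off += 2 + struct.unpack_from("<H", data, off)[0]  # IDListSize + IDList
    if flags & HAS_LINK_INFO:
        off += struct.unpack_from("<I", data, off)[0]  # LinkInfoSize
    width, encoding = (2, "utf-16-le") if flags & IS_UNICODE else (1, "latin-1")
    strings = {}
    for bit, name in STRING_DATA:  # each present string: CountCharacters + chars
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            strings[name] = data[off + 2:off + 2 + count * width].decode(encoding)
            off += 2 + count * width
    blocks = {}
    while off + 4 <= len(data):  # ExtraData: BlockSize, BlockSignature, payload
        size = struct.unpack_from("<I", data, off)[0]
        if size < 8:  # TerminalBlock (size < 4) ends the list
            break
        blocks[struct.unpack_from("<I", data, off + 4)[0]] = data[off + 8:off + size]
        off += size
    return flags, strings, blocks

def find_hidden_arguments(data):  # defender-side triage for the pattern in the article
    flags, strings, blocks = parse_lnk(data)
    findings = []
    env = blocks.get(ENV_BLOCK_SIG)
    if flags & HAS_EXP_STRING and env is not None:
        if not env[:260].strip(b"\x00") and not env[260:780].strip(b"\x00"):
            findings.append("HasExpString set with all-null TargetAnsi/TargetUnicode")
    if strings.get("arguments"):  # arguments the UI would hide but still pass on
        findings.append("arguments still present: %r" % strings["arguments"])
    return findings
def build_sample_lnk(arguments, env_target=b""):  # constructed fixture, no IDList/LinkInfo
    flags = HAS_ARGUMENTS | IS_UNICODE | HAS_EXP_STRING
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)
    string_data = struct.pack("<H", len(arguments)) + arguments.encode("utf-16-le")
    env_block = (struct.pack("<II", ENV_BLOCK_SIZE, ENV_BLOCK_SIG) + env_target.ljust(260, b"\x00")
                 + env_target.decode("latin-1").encode("utf-16-le").ljust(520, b"\x00"))
    return header + string_data + env_block + b"\x00" * 4  # TerminalBlock
```

Running `find_hidden_arguments` over a real shortcut returns both findings for the hidden-arguments pattern and an empty list for a shortcut whose environment block names an actual target.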
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4132232/four-new-reasons-why-windows-lnk-files-cannot-be-trusted.html