The vulnerability was exploited by the Stuxnet worm. According to Symantec, the first exploitation of the vulnerability was discovered on 2008-02-13, long before the public advisory.
Bloodhound.Exploit.343
W32.Stuxnet
W32.Changeup.C
W32.Ramnit
Vulnerability details
Advisory: SB2010071603 - Remote code execution in Microsoft Windows
Vulnerable component: Windows
CVE-ID: CVE-2010-2568
CVSSv3.1 vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H/E:H/RL:O/RC:C (base score 9.6, temporal score 9.2)
CWE-ID: CWE-20 - Improper input validation
Description:
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to insufficient validation of shortcut (.lnk) and .pif files by the Windows Shell when it resolves the icon to display for them. A remote attacker can craft a shortcut whose icon reference points at an attacker-controlled DLL (loaded as a Control Panel item). When Windows Explorer renders the icon, for example when the victim opens a folder, removable drive or WebDAV share that contains the shortcut, the DLL is loaded and arbitrary code runs with the privileges of the current user. The victim does not need to click the shortcut; displaying it is enough.
Successful exploitation of the vulnerability results in compromise of the vulnerable system.
Note: this vulnerability has been actively exploited in the wild.
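To make the description above concrete, here is an added triage scanner for .lnk files (not code from Microsoft, Symantec or the Metasploit module). It parses the ShellLinkHeader and LinkTargetIDList per the public MS-SHLLINK layout and flags shortcuts whose item list enters the Control Panel shell folder and then names a file path, which is the shape that made Explorer load an attacker's DLL while merely rendering the icon. The two sample shortcuts, the `E:\payload.dll` path and the `build_lnk` helper are constructed for this example and are not real Stuxnet samples; treat hits as leads for manual review, not as a signature.

```python
"""Heuristic scanner for .lnk files with the CVE-2010-2568 / MS10-046 shape.

Added example for this entry; layout follows the public MS-SHLLINK
specification.  Sample shortcuts are constructed in memory (not real samples).
"""
import struct
import uuid

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046").bytes_le
HAS_LINK_TARGET_ID_LIST = 0x00000001

# Shell folder CLSIDs as they appear (little-endian) inside ItemIDs.
MY_COMPUTER_CLSID = uuid.UUID("20D04FE0-3AEA-1069-A2D8-08002B30309D").bytes_le
CONTROL_PANEL_CLSID = uuid.UUID("21EC2020-3AEA-1069-A2DD-08002B30309D").bytes_le


def parse_id_list(data, offset):
    """Return the payload of every ItemID in the LinkTargetIDList at `offset`.

    LinkTargetIDList = IDListSize (uint16) + IDList; IDList is a sequence of
    ItemID (uint16 size including the size field, then data) closed by a
    0x0000 TerminalID.
    """
    (id_list_size,) = struct.unpack_from("<H", data, offset)
    end = offset + 2 + id_list_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of file")
    pos, items = offset + 2, []
    while pos + 2 <= end:
        (item_size,) = struct.unpack_from("<H", data, pos)
        if item_size == 0:  # TerminalID
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID at offset %d" % pos)
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def parse_lnk(data):
    """Parse the ShellLinkHeader and, if flagged, the LinkTargetIDList."""
    if len(data) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    items = parse_id_list(data, LNK_HEADER_SIZE) if flags & HAS_LINK_TARGET_ID_LIST else []
    return {"flags": flags, "id_list": items}


def lnk_verdict(data):
    """Return (suspicious, reason) for one .lnk file's bytes.

    Heuristic: an IDList that reaches the Control Panel folder and then carries
    a file path (a backslash in a later item) is the shape MS10-046 exploits
    used; normal Control Panel shortcuts do not point at arbitrary files.
    """
    items = parse_lnk(data)["id_list"]
    cp_index = next((i for i, it in enumerate(items) if CONTROL_PANEL_CLSID in it), None)
    if cp_index is None:
        return False, "no Control Panel folder item in IDList"
    trailing = b"".join(items[cp_index + 1:])
    if b"\\" in trailing:  # matches both ANSI and UTF-16LE encoded paths
        return True, "Control Panel item %d is followed by a file path item" % cp_index
    return False, "Control Panel item present but no file path follows it"


def _item(payload):
    return struct.pack("<H", len(payload) + 2) + payload


def build_lnk(item_payloads):
    """Build a minimal .lnk: header plus LinkTargetIDList (constructed test data)."""
    header = struct.pack("<I16sI", LNK_HEADER_SIZE, LNK_CLSID, HAS_LINK_TARGET_ID_LIST)
    header += b"\x00" * (LNK_HEADER_SIZE - len(header))
    id_list = b"".join(_item(p) for p in item_payloads) + b"\x00\x00"
    return header + struct.pack("<H", len(id_list)) + id_list


# Constructed sample 1: My Computer -> Control Panel -> path to a DLL (exploit shape).
MALICIOUS_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x1f\x00" + CONTROL_PANEL_CLSID,
    b"\x00\x00" + "E:\\payload.dll".encode("utf-16-le"),  # hypothetical path
])

# Constructed sample 2: an ordinary shortcut to a file under C:\.
BENIGN_LNK = build_lnk([
    b"\x1f\x50" + MY_COMPUTER_CLSID,
    b"\x2f" + b"C:\\\x00",
    b"\x31\x00" + b"notepad.exe\x00",
])

if __name__ == "__main__":
    for name, blob in (("malicious", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(name, lnk_verdict(blob))
```

Run it over every .lnk on a suspect removable drive or share; the parser deliberately refuses files whose header CLSID or IDListSize is wrong rather than guessing, since malformed shortcuts are themselves worth a look.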
Known APT campaigns:
Iranian Nuclear Facilities breach
The breach was identified in summer 2010 by VirusBlokAda, an antivirus company from Belarus, while it was investigating infected customer computers in Iran.
Public Exploits:
- Microsoft Windows - Shell LNK Code Execution (MS10-046) (Metasploit) [Exploit-DB]
- Microsoft Windows - Automatic LNK Shortcut File Code Execution [Exploit-DB]
External links:
https://technet.microsoft.com/library/security/ms10-046
https://technet.microsoft.com/library/security/2286198
https://www.f-secure.com/weblog/archives/00001986.html
https://www.scmagazine.com/lnkexploitcve-2010-2568/article/558054/
https://www.symantec.com/security_response/attacksignatures/detail.jsp?asid=23801
http://www.welivesecurity.com/2010/07/22/a-few-facts-about-win32stuxnet-cve-2010-2568/
http://blogs.quickheal.com/stuxnet-cve-2010-2568-misconceptions-and-facts/
https://users.ece.cmu.edu/~tdumitra/public_documents/bilge12_zero_day.pdf