Attack Chain

1. The attacker crafts a malicious .lnk file. The filename includes shell metacharacters designed to execute arbitrary commands. For example, a filename could be test.lnk; rm -rf /tmp.
2. The attacker places the crafted .lnk file onto a USB drive.
3. A forensic examiner uses parseusbs (version before 1.9) to analyze the USB drive.
4. The parseUSBs.py script processes the files on the USB drive, including the malicious .lnk file.
5. The script extracts the .lnk file path without proper sanitization.
6. The unsanitized .lnk file path is passed to the os.popen() function.
7. The os.popen() function interprets the shell metacharacters in the filename, executing the attacker’s injected command.
8. The attacker achieves arbitrary code execution on the examiner’s system, allowing them to potentially compromise the system, steal sensitive data, or further pivot into the network.

Impact

Successful exploitation of this vulnerability allows an attacker to execute arbitrary commands on the system of a forensic examiner using parseusbs. This could lead to complete system compromise, data exfiltration, or further malicious activities. Given that parseusbs is a tool used by security professionals, a successful attack could have significant consequences, potentially exposing sensitive forensic data. The impact is particularly severe as the examiner likely has access to sensitive information related to their investigations.

Recommendation

• Upgrade parseusbs to version 1.9 or later to remediate CVE-2026-40029.
• Monitor process creation events for unexpected processes spawned by Python (python.exe or python3). Use the Sigma rule “Detect Suspicious Process Creation by Python” to detect potential exploitation attempts.
• Implement file integrity monitoring for LNK files, particularly those found on USB drives. The Sigma rule “Detect Creation of LNK Files in Removable Media” can help identify suspicious LNK file creation.