Re: NT Login Default Folder Vulnerability

From: Russ (Russ.Cooperat_private)
Date: Tue Jul 06 1999 - 22:31:26 PDT


    >I just tested this on NT4 SP4 and this is real! Policies are, for the
    >most part, obsolete....
    
    I'm not sure what the reference to policies being obsolete is supposed
    to mean. They could be by-passed, but there are ways to prevent this.
    
    1. Remove any file named explorer.exe, taskmgr.exe, etc... during a
    login script. Since login scripts still process prior to loading the
    desktop (or any of the renamed executables), it's possible to eliminate
    any trojans that might be present.
    
    2. Place a copy of the "official" files (explorer, etc...) into the
    user's home directory and then ACL them for Administrator's modification
    only, thereby preventing this from being an issue in many profiled
    environments.
    
    3. I haven't tried this, but it should be possible to prevent, by
    policy, execution of the given executables from the user's home
    directory (while still permitting them to be run from %systemroot%).
    Their desktop will hang, I would assume, as a result of them placing an
    excluded filename in their home directory.
    
    Note these are only workarounds, and may not work if the user has access
    to the user's home directory (%systemroot% if no directory specified) in
    situations where ACLs can be usurped (e.g. a user is a Local
    Administrator and can boot to the machine, rather than the domain).
    
    Clearly there's a large and real issue here, but just as clearly,
    Policies aren't, for the most part, obsolete.
    
    You may also prefer to use CMD.EXE instead of COMMAND.COM to test this,
    just to be safe and ensure you'll be able to recover. On a funny note, I
    followed the original poster's suggestion of renaming calc.exe as
    explorer.exe and rebooted...;-]...needless to say there was a momentary
    look of shock on my face as I tried to remember what to do to get the
    real explorer back on my desktop...;-] (in case you find yourself in
    this situation, CTRL-ALT-DEL, Task Manager, File, Run,
    %systemroot%\explorer.exe restores your desktop)
    
    Cheers,
    Russ - NTBugtraq Editor
    http://ntbugtraq.ntadvice.com/archives
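The first two workarounds above, written out as an administrator-side script. This is an added example and is not from the original post or from NTBugtraq; it assumes home directories named after their users under a root passed as the first argument, that each directory name resolves as an account name for cacls, and a hypothetical log file path.

```batch
@echo off
rem Added example (not from the original post): administrator-run script that
rem applies workarounds 1 and 2 to every home directory under a given root.
rem Assumptions: run from an Administrator account on the server that holds the
rem home directories, each named after its user; %1 is the root, e.g. D:\Users;
rem the log file path below is hypothetical.
setlocal
if "%~1"=="" (
    echo Usage: %0 ^<home-directory-root^>
    goto :eof
)
set ROOT=%~1
set LOGFILE=%SYSTEMROOT%\shell-fix.log

for /d %%u in ("%ROOT%\*") do call :fixhome "%%~fu" "%%~nxu"
endlocal
goto :eof

:fixhome
rem %1 = home directory path, %2 = user name (taken from the directory name)
for %%f in (explorer.exe taskmgr.exe) do call :fixfile "%~1" "%~2" %%f
goto :eof

:fixfile
rem %1 = home directory, %2 = user name, %3 = shell executable name
if not exist "%~1\%~3" goto install
rem Workaround 1: a copy that differs from the real binary is exactly what the
rem loader would start instead of %SYSTEMROOT%\%~3, so log it before removing.
fc /b "%~1\%~3" "%SYSTEMROOT%\%~3" > nul
if errorlevel 1 echo user %~2: removed differing %~1\%~3 >> "%LOGFILE%"
attrib -r -h -s "%~1\%~3"
del /f "%~1\%~3"
:install
rem Workaround 2: install the official copy and let only Administrators and
rem SYSTEM change it; the user gets read/execute. /P replaces the existing ACL
rem and cacls asks for confirmation, hence the piped y.
copy /y "%SYSTEMROOT%\%~3" "%~1\%~3" > nul
echo y| cacls "%~1\%~3" /P Administrators:F SYSTEM:F "%~2":R > nul
goto :eof
```

Because the user owns the home directory itself, Full Control on that directory still lets them delete the installed copy through the directory's delete-child right, so the directory ACL needs the same review; and, as the post notes, none of this holds against a local Administrator.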
    