Re: NT Login Default Folder Vulnerability

From: wazzaat_private
Date: Tue Jul 06 1999 - 21:33:43 PDT


Interesting, I have just tested this out on Win Terminal Server ( SP3? )
and I am able to get a command window up instead of the MS Desktop ( ie.
explorer ), though policies and restrictions still apply.

I did some preliminary testing on a Win NT workstation ( version 4, no
service packs. ) and also had the same effect, though seemingly policies
were still in effect.

This whole problem stems from Microsoft entering relative names into the
registry - I was able to rectify the problem ( MS Definition -
undocumented feature?? ) by editing the registry and changing the Shell
key ie.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SHELL = "C:\winnt\explorer.exe"

Unfortunately Windows has a problem with the key value
"%systemroot%\explorer.exe"

Another filename that may work is lsass.exe

Warren Boyd

Unix Administrator
Central Institute of Technology
Upper Hutt,
New Zealand.

Phone +64 25 224 0904

===============================

On Tue, 6 Jul 1999, Ben Greenbaum wrote:

> I just tested this on NT4 SP4 and this is real! Policies are, for the most
> part, obsolete....
>
> Compiled from postings to NTbugtraq June 28 - June 30 by Martin Wolf
> <martinwat_private> and Michael Benadiba <michaelat_private>.
>
> When a user logs into an NT machine, there are a few processes that are
> started automatically, including explorer.exe. These programs are normally
> in %winroot% or %winroot%\system32. The problem is that NT will look for
> these programs first in the user's home directory. If no user folder is
> specified, it will look in the root of the system drive. Only if the
> program it is looking for is not found in that location will it look in
> the 'normal' location. This allows any user to rename any executable and
> have it run at login, effectively bypassing many policy restrictions. The
> list of currently known filenames that will work is: explorer.exe,
> nddeagnt.exe, taskmgr.exe and userinit.exe .
>
> To test this: Log in as a normal user. Copy command.com to your home
> directory and rename it explorer.exe. Log out and log back in.
>
> Ben Greenbaum
> SecurityFocus
> www.securityfocus.com
>
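
An added example, not part of either message in this thread: a PowerShell audit that applies the fix Warren Boyd describes as a check, flagging Winlogon Shell and Userinit entries that are relative names or use an unexpanded %variable%, and then looking for the four filenames Ben Greenbaum lists in the locations his post says were searched first. It assumes a Windows host with PowerShell, the Winlogon key path given in the post, and that user profiles live in the parent directory of $env:USERPROFILE (an assumption; NT4 kept profiles elsewhere). It reports only and changes nothing.

```powershell
# Added audit example (not from the original post). Assumes the Winlogon key
# named in the thread and the filename list given by Ben Greenbaum.
$winlogon   = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$knownNames = @('explorer.exe', 'nddeagnt.exe', 'taskmgr.exe', 'userinit.exe')

function Test-WinlogonValue {
    param([string]$Name)
    $value = (Get-ItemProperty -Path $winlogon -Name $Name -ErrorAction SilentlyContinue).$Name
    if (-not $value) { Write-Output "INFO  $Name is not set"; return }
    # Userinit is a comma-separated list (often with a trailing comma); check each entry.
    foreach ($entry in ($value -split ',')) {
        $exe = $entry.Trim()
        if (-not $exe) { continue }
        # A bare filename with no drive or UNC root is the root cause the post
        # describes: it is resolved by search order, not by a fixed location.
        if ($exe -notmatch '^([A-Za-z]:\\|\\\\)') {
            Write-Output "WARN  $Name entry '$exe' is a relative name; use a full path"
        } elseif ($exe -match '%') {
            # Warren Boyd reports that %systemroot%\explorer.exe does not work here.
            Write-Output "WARN  $Name entry '$exe' uses an unexpanded variable"
        } else {
            Write-Output "OK    $Name entry '$exe'"
        }
    }
}

Test-WinlogonValue -Name 'Shell'
Test-WinlogonValue -Name 'Userinit'

# Second check: copies of the known names in the places the post says NT looked
# first (the user's home directory, then the root of the system drive).
# Profile root location is an assumption; adjust for the host being audited.
$profileParent = Split-Path -Path $env:USERPROFILE -Parent
$roots = @("$env:SystemDrive\") +
         (Get-ChildItem -Path $profileParent -Directory -ErrorAction SilentlyContinue |
          ForEach-Object FullName)

foreach ($root in $roots) {
    foreach ($name in $knownNames) {
        $candidate = Join-Path -Path $root -ChildPath $name
        if (Test-Path -LiteralPath $candidate) {
            # Record a hash so the file can be compared against the copy in the system directory.
            $hash = (Get-FileHash -LiteralPath $candidate -Algorithm SHA256).Hash
            Write-Output "WARN  unexpected $name at $candidate (SHA256 $hash)"
        }
    }
}
```

A WARN on a profile or drive root means a copy of a login-time binary sits where a user could have placed it; compare its hash with the copy under the system directory before deciding whether it belongs there.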
    


