Re: IE 5.0 allows executing programs

From: Bronek Kozicki (bronekat_private)
Date: Thu Aug 26 1999 - 02:03:36 PDT


    > This would probably work on NT machines if in the code the path referenced
    > pointed at the startup directory of an existing NT profile.  Unfortunately
    > it's impossible to guess the username of the currently logged on user, and
    > if you go with something "safe" (i.e. relatively likely to exist) like the
    > AllUsers profile, you should get blocked from doing that if
    > permissions are
    
    I tried a slightly changed script from Guninski's page on my WinNT desktop,
    and it appears that the file can be put in the directory by using a name
    relative to the current directory (which, in my test, was the desktop). You
    do not need to know the Windows installation directory, nor the user name.
    Using scr.Path="..\\Start Menu\\Programs\\Startup\\guninski.hta"; will do
    the trick. Because the file is placed in the user's profile, NTFS
    permissions will (usually, when the user has the right to manage his/her
    startup folder) not give you any protection.
    
    > This only reaffirms my opinion that anyone who wishes to do
    > something simple
    > when setting up a machine the first time to greatly protect themselves,
    > should simply change the name of their windows directory.
    
    Not in this case, as you see above. Also, IF it were possible to resolve
    environment variables from within a script, using this or another "secure"
    object, then it would not matter where you place your files. But it's just
    theory, waiting for another security flaw in another (or the same) "trusted"
    ActiveX object.
    
    > Also, I don't know fully how peravsive this exploit is, but if it
    > is capable
    > of creating .bat filess, interresting things may be thought to happen if
    > instead of the path written in the exploit, one were to instead overwrite
    > c:\autoexec.bat.  C:\ is a pretty safe path to guess.
    
    Due to junk placed at the beginning of the file, .BAT will not work. The
    same goes for most of the formats. But an .HTA file works pretty nicely, and
    it has more power than .BAT, because it can use VBScript or JavaScript with
    any object desired (like FileSystemObject or Shell) without warning. One
    alarming thing the user will see is an Internet Explorer window popping up
    when he/she logs on, filled with junk. But it's too late: the script is
    already running. What's really scary to me is the ability to write an .HTA
    file in the user's directory by _mail_ (probably _newsgroup_post_ as well)
    written in HTML and opened in Outlook. I tried it with MS Outlook 98: the
    current directory was the desktop, so you can use the very same path
    "..\\Start Menu ...." to put an .HTA file in the user's StartUp menu. Of
    course, there is a very simple way to protect against malicious email
    messages: set "Security" to "restricted sites".
    
    The last thing to point out is that the StartUp folder is executed when the
    user logs on, NOT when he/she restarts the computer, and that (in most
    Windows NT domain networks) this directory is "replicated" through the
    roaming profile.
    
    Regards
    
    
    Bronek Kozicki
    
    PS. sorry for my poor English
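
The following is an added example, not part of Bronek Kozicki's post or of Guninski's script. It shows, from the defender's side, the two facts the post relies on: that a relative name such as "..\Start Menu\Programs\Startup\guninski.hta" written from a Desktop current directory resolves into the profile's Startup folder (so no installation path or user name is needed), and that an audit of every profile's Startup folder for .HTA and similar script files catches the result. The profile root C:\WINNT\Profiles\<user>, the directory listings, and the set of extensions are constructed assumptions; Python's ntpath module is used so the Windows path arithmetic can be checked on any host.

```python
import ntpath

# Constructed assumptions for this example: NT-style profiles with a Desktop
# and a Startup folder under one profile root, and a small set of extensions
# that Windows will run as a script or program at logon.
STARTUP_TAIL = ntpath.join("Start Menu", "Programs", "Startup")
SCRIPT_EXTENSIONS = {".hta", ".bat", ".cmd", ".vbs", ".js", ".exe"}


def resolve_write_target(current_dir, requested_path):
    """Resolve a (possibly relative) file name the way a Win32 file API would
    when the writing process's current directory is current_dir.  ntpath makes
    the result Windows-style regardless of the host running this script."""
    return ntpath.normpath(ntpath.join(current_dir, requested_path))


def lands_in_startup(path):
    """True if the resolved path points into some user's Startup folder."""
    folder = ntpath.dirname(path)
    return folder.lower().endswith(STARTUP_TAIL.lower())


def audit_startup_folders(listing):
    """listing maps a Startup folder path to its file names (on a real machine
    you would fill it with os.listdir over every profile).  Returns the entries
    worth a look: anything with a script or executable extension, so that a
    dropped .HTA stands out among the usual shortcuts."""
    findings = []
    for folder, names in listing.items():
        for name in names:
            ext = ntpath.splitext(name)[1].lower()
            if ext in SCRIPT_EXTENSIONS:
                findings.append(ntpath.join(folder, name))
    return findings


if __name__ == "__main__":
    # The relative name quoted in the post, resolved from a Desktop cwd
    # (single backslashes here; the post shows the JavaScript-escaped form).
    desktop = r"C:\WINNT\Profiles\alice\Desktop"
    target = resolve_write_target(desktop, r"..\Start Menu\Programs\Startup\guninski.hta")
    print(target, "->", "inside Startup" if lands_in_startup(target) else "not in Startup")

    # Constructed directory listing standing in for a scan of every profile.
    sample = {
        r"C:\WINNT\Profiles\alice\Start Menu\Programs\Startup": ["guninski.hta", "Office Startup.lnk"],
        r"C:\WINNT\Profiles\All Users\Start Menu\Programs\Startup": [],
    }
    for hit in audit_startup_folders(sample):
        print("suspicious startup entry:", hit)
```

Because the post notes that the Startup folder travels with the roaming profile, an audit like audit_startup_folders is most useful when run against the profile share on the domain controller as well as on each workstation.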
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:59:17 PDT