NT Login Default Folder Vulnerability
Ben Greenbaum (beng@WWW.SECURITYFOCUS.COM)
Tue, 6 Jul 1999 11:56:55 -0700
- Next message: Simple Nomad: "Pandora v4 Announcement"
- Previous message: Aleph One: "Administrivia"
- Next in thread: Russ: "Re: NT Login Default Folder Vulnerability"
- Reply: Russ: "Re: NT Login Default Folder Vulnerability"
- Reply: wazza@ARO.EE.CIT.AC.NZ: "Re: NT Login Default Folder Vulnerability"
- Reply: Dimitry Andric: "Re: NT Login Default Folder Vulnerability"
I just tested this on NT4 SP4 and this is real! Policies are, for the most part, obsolete....
Compiled from postings to NTbugtraq June 28 - June 30 by Martin Wolf <martinw@INFOSUPPORT.COM> and Michael Benadiba <michael@MBCCS.COM>.
When a user logs into an NT machine, a few processes are started automatically, including explorer.exe. These programs normally live in %winroot% or %winroot%\system32. The problem is that NT looks for these programs first in the user's home directory; if no user folder is specified, it looks in the root of the system drive instead. Only if the program is not found in that location does it fall back to the 'normal' location. This allows any user to rename any executable to one of these names and have it run at login, effectively bypassing many policy restrictions. The list of currently known filenames that will work is: explorer.exe, nddeagnt.exe, taskmgr.exe and userinit.exe.
To test this: Log in as a normal user. Copy command.com to your home directory and rename it explorer.exe. Log out and log back in.
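An added audit script, not part of the original post, that models the lookup order described above and reports any login executable that would be resolved from the home directory or the system-drive root rather than from the system directory; the directory layout, the user name alice and the planted file are constructed for the demonstration.

```python
import os
import tempfile

# Filenames the post lists as started at login and subject to the search order.
LOGIN_PROGRAMS = ("explorer.exe", "nddeagnt.exe", "taskmgr.exe", "userinit.exe")


def lookup_order(home_dir, system_drive_root, system_root):
    """Directories in the order the post says NT searches them.
    An empty home_dir models 'no user folder specified': the root of the
    system drive is then searched first instead."""
    first = home_dir if home_dir else system_drive_root
    return [first, system_root, os.path.join(system_root, "system32")]


def resolve(name, order):
    """Return the first directory in `order` holding a file called `name`, else None."""
    for directory in order:
        if os.path.isfile(os.path.join(directory, name)):
            return directory
    return None


def audit(home_dir, system_drive_root, system_root):
    """Map each login program to (directory it would run from, shadowed).
    shadowed is True when the winning copy lives outside %SystemRoot% and
    %SystemRoot%\\system32, i.e. a user-planted executable would run at login."""
    order = lookup_order(home_dir, system_drive_root, system_root)
    trusted = {os.path.normcase(d) for d in order[1:]}
    findings = {}
    for name in LOGIN_PROGRAMS:
        found = resolve(name, order)
        shadowed = found is not None and os.path.normcase(found) not in trusted
        findings[name] = (found, shadowed)
    return findings


def demo():
    """Constructed layout: real binaries under winnt, a planted explorer.exe in alice's home."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home", "alice")
    sysroot = os.path.join(base, "winnt")
    os.makedirs(home)
    os.makedirs(os.path.join(sysroot, "system32"))
    for name in LOGIN_PROGRAMS:  # legitimate copies: explorer.exe in winnt, the rest in system32
        where = sysroot if name == "explorer.exe" else os.path.join(sysroot, "system32")
        open(os.path.join(where, name), "w").close()
    open(os.path.join(home, "explorer.exe"), "w").close()  # renamed command.com, as in the post
    return audit(home, base, sysroot)
```

Running audit() against real home directories and the system-drive root on a machine is the defensive check: any entry reported as shadowed is a planted login executable.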
Ben Greenbaum
SecurityFocus
www.securityfocus.com
This archive was generated by hypermail 2.0b3 on Tue Jul 06 1999 - 00:59:55 CDT