|
Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com |
Re: NT Login Default Folder Vulnerability
wazza
ARO.EE.CIT.AC.NZ
Wed, 7 Jul 1999 16:33:43 +1200
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
- Next message: Steven M. Bellovin: "Re: PGP 6.5.1 has been released"
- Previous message: Cody Brownstein: "PGP 6.5.1 has been released"
- Next in thread: Dimitry Andric: "Re: NT Login Default Folder Vulnerability"
Interesting, I have just tested this out on Win Terminal Server ( SP3? )
and I am able to get a command window up instead of the MS Desktop ( ie.
explorer ), though policies and restrictions still apply.
I did some prelimary testing on a Win NT workstation ( version 4, no serv
ice packs. ) and also had the same effect, though seemingly policies were
still in effect.
This whole problem stems from Microsoft entering relative names into the
registry - I was able to rectify the problem ( MS Definition -
undocumented feature?? ) by editing the registry and changing the Shell
key ie.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current
Version\Winlogon\SHELL = "C:\winnt\explorer.exe"
Unfortunately Windows has a problem with the key value
"%systemroot%\explorer.exe"
Another filename that may work is Isass.exe
Warren Boyd
Unix Administrator
Central Institute of Technology
Upper Hutt,
New Zealand.
Phone +64 25 224 0904
===============================
On Tue, 6 Jul 1999, Ben Greenbaum wrote:
> I just tested this on NT4 SP4 and this is real! Policies are, for the most
> part, obsolete....
>
> Compiled from postings to NTbugtraq June 28 - June 30 by Martin Wolf
> <martinwINFOSUPPORT.COM> and Michael Benadiba <michaelMBCCS.COM>.
>
> When a user logs into an NT machine, there are a few processes that are
> started automatically, including explorer.exe. These programs are normally
> in %winroot% or %winroot%\system32. The problem is that NT will look for
> these programs first in the user's home directory. If no user folder is
> specified, it will look in the root of the system drive. Only if the
> program it is looking for is not found in that location will it look in
> the 'normal' location. This allows any user to rename any executable and
> have it run at login, effectively bypassing many policy restrictions. The
> list of currently known filenames that will work is: explorer.exe,
> nddeagnt.exe, taskmgr.exe and userinit.exe .
>
> To test this: Log in as a normal user. Copy command.com to your home
> directory and rename it explorer.exe. Log out and log back in.
>
> Ben Greenbaum
> SecurityFocus
> www.securityfocus.com
>
- Next message: Steven M. Bellovin: "Re: PGP 6.5.1 has been released"
- Previous message: Cody Brownstein: "PGP 6.5.1 has been released"
- Next in thread: Dimitry Andric: "Re: NT Login Default Folder Vulnerability"
This archive was generated by hypermail 2.0b3 on Tue Jul 06 1999 - 09:58:50 CDT