User to administrator elevation through "User Shell Folders" vulnerability
Arne Vidstrom (winnt@BAHNHOF.SE)
Fri, 8 Oct 1999 21:32:04 +0200
Hi all,
We've found a way for a User to become a member of the Administrators group
through a vulnerability caused by a bad registry key default permission
setting. We've tried it on NT 4.0 WS/SRV with SP4 and SP5. Here's an
example:
Assume that the "all users" startup directory is c:\Winnt\Profiles\All
Users\Start Menu\Programs\Startup. This directory has the following default
permissions: Administrators (Full Control), Everyone (Read) and SYSTEM
(Full Control). It's impossible for an ordinary User to add a file there.
However, the actual startup directory is determined by the registry
setting:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup
Assume that this is set to %SystemRoot%\Profiles\All Users\Start
Menu\Programs\Startup to match the above directory. The "User Shell
Folders" key by default has Set Value permission for Everyone. So, by
changing the value to something else, like c:\attacker, the files in that
directory will be executed each time somebody logs on. For example, one of
the files could add a User to the Administrators group. The next time an
administrator logs on, that User will become a member of the Administrators
group.
To prevent this, just change the key permissions to: Administrators (Full
Control), CREATOR OWNER (Full Control), SYSTEM (Full Control).
Regards,
/Arne Vidstrom & Svante Sennmark
http://www.bahnhof.se/~winnt/toolbox/
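The check described in the message above, written as a read-only audit. This is an added example, not part of the original post or the authors' tooling. It assumes a host where PowerShell is available, and the expected "Common Startup" string is the NT 4.0 value quoted in the post, to be adjusted for other Windows versions.

```powershell
# Added audit example (not from the original post). Read-only: changes nothing.
$keyPath   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$valueName = 'Common Startup'
# Assumption: expected value as given in the post for NT 4.0; adjust per Windows version.
$expected  = '%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup'

# Well-known SIDs for the three principals in the post's recommended ACL.
$trustedSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-3-0',       # CREATOR OWNER
    'S-1-5-18'       # NT AUTHORITY\SYSTEM
)

# Specific rights that allow changing the value or the key's ACL, plus the
# GENERIC_ALL / GENERIC_WRITE bits that inherited registry ACEs often carry.
$specific  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership'
$writeMask = [int]$specific -bor 0x10000000 -bor 0x40000000

# Request the rules with SID identities so the comparison is locale-independent.
$acl   = Get-Acl -Path $keyPath
$rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])

$findings = foreach ($ace in $rules) {
    if ($ace.AccessControlType -ne 'Allow') { continue }
    if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
    $granted = [int]$ace.RegistryRights -band $writeMask
    if ($granted -ne 0) {
        [pscustomobject]@{
            Sid       = $ace.IdentityReference.Value
            WriteBits = '0x{0:X8}' -f $granted
            Inherited = $ace.IsInherited
        }
    }
}

# Read the value without expanding %SystemRoot% so it compares with the stored string.
$raw = (Get-Item -Path $keyPath).GetValue($valueName, $null, 'DoNotExpandEnvironmentNames')

if ($findings) {
    Write-Warning "Principals outside the recommended ACL can modify '$keyPath':"
    $findings | Format-Table -AutoSize
} else {
    Write-Output 'Only Administrators, CREATOR OWNER and SYSTEM can modify the key.'
}
if ($raw -ne $expected) {
    Write-Warning "'$valueName' is '$raw', expected '$expected'."
}
```

Any SID the script reports that is not one of the three in the recommended ACL needs a manual decision before the key permissions are tightened.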