[10966] in bugtraq


Re: NT Login Default Folder Vulnerability

daemon@ATHENA.MIT.EDU (wazza@ARO.EE.CIT.AC.NZ)
Wed Jul 7 03:44:50 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.3.96.990707150024.29247B-100000@aro.ee.cit.ac.nz>
Date:         Wed, 7 Jul 1999 16:33:43 +1200
Reply-To: wazza@ARO.EE.CIT.AC.NZ
From: wazza@ARO.EE.CIT.AC.NZ
X-To:         bugtraq@securityfocus.com, Ben Greenbaum 
              <beng@WWW.SECURITYFOCUS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.BSF.4.10.9907061146370.59534-100000@www.securityfocus.com>

Interesting, I have just tested this out on Win Terminal Server ( SP3? )
and I am able to get a command window up instead of the MS Desktop ( ie.
explorer ), though policies and restrictions still apply.

I did some preliminary testing on a Win NT workstation ( version 4, no
service packs. ) and also had the same effect, though seemingly policies were
still in effect.

This whole problem stems from Microsoft entering relative names into the
registry - I was able to rectify the problem ( MS Definition -
undocumented feature?? ) by editing the registry and changing the Shell
key ie.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SHELL = "C:\winnt\explorer.exe"

Unfortunately Windows has a problem with the key value
"%systemroot%\explorer.exe"

Another filename that may work is Isass.exe

Warren Boyd

Unix Administrator
Central Institute of Technology
Upper Hutt,
New Zealand.

Phone +64 25 224 0904

===============================

On Tue, 6 Jul 1999, Ben Greenbaum wrote:

> I just tested this on NT4 SP4 and this is real! Policies are, for the most
> part, obsolete....
>
> Compiled from postings to NTbugtraq June 28 - June 30 by  Martin Wolf
> <martinw@INFOSUPPORT.COM> and Michael Benadiba <michael@MBCCS.COM>.
>
> When a user logs into an NT machine, there are a few processes that are
> started automatically, including explorer.exe. These programs are normally
> in %winroot% or %winroot%\system32. The problem is that NT will look for
> these programs first in the user's home directory. If no user folder is
> specified, it will look in the root of the system drive. Only if the
> program it is looking for is not found in that location will it look in
> the 'normal' location. This allows any user to rename any executable and
> have it run at login, effectively bypassing many policy restrictions. The
> list of currently known filenames that will work is: explorer.exe,
> nddeagnt.exe, taskmgr.exe and userinit.exe .
>
> To test this: Log in as a normal user. Copy command.com to your home
> directory and rename it explorer.exe. Log out and log back in.
>
> Ben Greenbaum
> SecurityFocus
> www.securityfocus.com
>

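The two defensive checks an administrator would want after reading this thread, as an added example that is not part of the original posts: first, read the Winlogon values that name login-time programs (Shell and Userinit) and report whether each program is given as an absolute path, as a bare filename that will be resolved through a path search, or through an environment variable whose expansion depends on the value type; second, look through a user's home directory (or the root of the system drive) for files whose names collide with the login-time processes listed in the thread. The registry export and the directory listing are constructed samples so the script runs offline; the function names are this example's own.

```python
"""Audit helpers for the NT Winlogon relative-path lookup described in the thread.

Both inputs below are constructed samples: a regedit export of the Winlogon key
and a directory listing of a user's home folder.
"""
import re
from pathlib import PureWindowsPath

# Login-time process names given in the thread (explorer.exe, nddeagnt.exe,
# taskmgr.exe, userinit.exe); the thread does not claim the list is complete.
LOGIN_PROCESS_NAMES = {"explorer.exe", "nddeagnt.exe", "taskmgr.exe", "userinit.exe"}

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
AUDITED_VALUES = ("Shell", "Userinit")

# Constructed sample of a regedit export (.reg). Backslashes are doubled in this
# format, and Userinit is a comma-separated list that usually ends with a comma.
SAMPLE_REG_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
"Userinit"="C:\\WINNT\\system32\\userinit.exe,"
"DefaultDomainName"="WORKGROUP"
'''

# Constructed sample listing of a user's home directory.
SAMPLE_HOME_LISTING = ["Explorer.exe", "notes.txt", "taskmgr.exe", "readme.doc"]

_SECTION_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def _unescape_reg_string(s):
    """Undo .reg string escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: string_value}} for string values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _SECTION_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = _unescape_reg_string(m.group(2))
    return keys


def classify_program_path(entry):
    """'absolute' (drive + root), 'env-var' (contains %...%), else 'relative'.

    A bare name such as "explorer.exe" is 'relative': it is found by a path
    search, which is exactly the lookup order the thread describes.
    """
    entry = entry.strip()
    if "%" in entry:
        return "env-var"
    p = PureWindowsPath(entry)
    if p.drive and p.root:
        return "absolute"
    return "relative"


def audit_winlogon(keys):
    """Classify every program named in the audited Winlogon values."""
    winlogon = keys.get(WINLOGON_KEY, {})
    report = {}
    for name in AUDITED_VALUES:
        if name not in winlogon:
            continue
        programs = [p for p in winlogon[name].split(",") if p.strip()]
        report[name] = [(p.strip(), classify_program_path(p)) for p in programs]
    return report


def find_rogue_login_binaries(listing):
    """Names in a directory listing that collide with login-time process names."""
    return sorted(n for n in listing if n.lower() in LOGIN_PROCESS_NAMES)


if __name__ == "__main__":
    for value, entries in audit_winlogon(parse_reg_export(SAMPLE_REG_EXPORT)).items():
        for program, kind in entries:
            print(f"{value}: {program!r} is {kind}")
    print("suspicious files in home dir:", find_rogue_login_binaries(SAMPLE_HOME_LISTING))
```

Against the sample export the script reports the Shell value as relative and the Userinit entry as absolute, and it flags Explorer.exe and taskmgr.exe in the home listing; the file-name comparison is case-insensitive because NT file names are. On a live system the same functions can be fed the output of a real `regedit` export and a real directory listing.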