Bugtraq mailing list archives
Re: NT Login Default Folder Vulnerability
From: wazza () ARO EE CIT AC NZ (wazza () ARO EE CIT AC NZ)
Date: Wed, 7 Jul 1999 16:33:43 +1200
Interesting, I have just tested this out on Win Terminal Server ( SP3? ) and I am able to get a command window up instead of the MS Desktop ( ie. explorer ), though policies and restrictions still apply. I did some preliminary testing on a Win NT workstation ( version 4, no service packs. ) and also had the same effect, though seemingly policies were still in effect.

This whole problem stems from Microsoft entering relative names into the registry - I was able to rectify the problem ( MS Definition - undocumented feature?? ) by editing the registry and changing the Shell key ie.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon\SHELL = "C:\winnt\explorer.exe"

Unfortunately Windows has a problem with the key value "%systemroot%\explorer.exe"

Another filename that may work is Isass.exe

Warren Boyd
Unix Administrator
Central Institute of Technology
Upper Hutt, New Zealand.
Phone +64 25 224 0904

===============================

On Tue, 6 Jul 1999, Ben Greenbaum wrote:
I just tested this on NT4 SP4 and this is real! Policies are, for the most part, obsolete....

Compiled from postings to NTbugtraq June 28 - June 30 by Martin Wolf <martinw () INFOSUPPORT COM> and Michael Benadiba <michael () MBCCS COM>.

When a user logs into an NT machine, there are a few processes that are started automatically, including explorer.exe. These programs are normally in %winroot% or %winroot%\system32. The problem is that NT will look for these programs first in the user's home directory. If no user folder is specified, it will look in the root of the system drive. Only if the program it is looking for is not found in that location will it look in the 'normal' location. This allows any user to rename any executable and have it run at login, effectively bypassing many policy restrictions.

The list of currently known filenames that will work is: explorer.exe, nddeagnt.exe, taskmgr.exe and userinit.exe.

To test this: Log in as a normal user. Copy command.com to your home directory and rename it explorer.exe. Log out and log back in.

Ben Greenbaum
SecurityFocus
www.securityfocus.com
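A defender-side check for the two issues raised in this thread (a Winlogon Shell value that names its program relatively, and login-executable names planted in the folders NT searches first), as an added example that is not from either post. It takes the registry value and the folder paths as plain strings so it runs on any system; the temp-directory scenario in demo() is constructed.

```python
import os
import tempfile
from pathlib import PureWindowsPath

# Login-time executables named in the advisory. NT resolves them by bare name,
# so a same-named file in the user's home folder (or the system drive root when
# no home folder is set) is started instead of the copy under %SystemRoot%.
LOGIN_BINARIES = frozenset({"explorer.exe", "nddeagnt.exe", "taskmgr.exe", "userinit.exe"})


def shell_value_is_absolute(shell_value):
    """True only if every program in a (comma-separated) Winlogon Shell value is
    an absolute path. A bare "explorer.exe" fails, and so does
    "%systemroot%\\explorer.exe", which the thread reports Winlogon rejects anyway."""
    entries = [e.strip().strip('"') for e in shell_value.split(",") if e.strip()]
    return bool(entries) and all(PureWindowsPath(e).is_absolute() for e in entries)


def find_shadowing_files(search_dirs, names=LOGIN_BINARIES):
    """Return (directory, lowercased name) pairs for files in the folders NT
    searches first whose names collide with a login executable."""
    hits = []
    for directory in search_dirs:
        try:
            entries = os.listdir(directory)
        except OSError:  # missing or unreadable folder: nothing can shadow from it
            continue
        for entry in entries:
            if entry.lower() in names and os.path.isfile(os.path.join(directory, entry)):
                hits.append((directory, entry.lower()))
    return sorted(hits)


def demo():
    """Constructed scenario: a user home holding a renamed Explorer.exe, a drive
    root with only a benign file, and a home folder that does not exist."""
    with tempfile.TemporaryDirectory() as tmp:
        home = os.path.join(tmp, "home", "user1")
        drive_root = os.path.join(tmp, "root")
        for d in (home, drive_root):
            os.makedirs(d)
        with open(os.path.join(home, "Explorer.exe"), "wb") as f:
            f.write(b"MZ")  # placeholder bytes standing in for a copied command.com
        with open(os.path.join(drive_root, "readme.txt"), "w") as f:
            f.write("benign")
        missing_home = os.path.join(tmp, "home", "nobody")
        # only the renamed file in the user's home is reported
        return find_shadowing_files([home, drive_root, missing_home])
```

On a real NT host the same functions would be fed the Shell value read from the Winlogon key and the list of user home folders plus the system drive root.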