Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos



Bugtraq: Re: NT Login Default Folder Vulnerability

Re: NT Login Default Folder Vulnerability

From: <wazza_at_ARO.EE.CIT.AC.NZ>
Date: Wed, 7 Jul 1999 16:33:43 +1200

Interesting, I have just tested this out on Win Terminal Server ( SP3? )
and I am able to get a command window up instead of the MS Desktop ( ie.
explorer ), though policies and restrictions still apply.

I did some prelimary testing on a Win NT workstation ( version 4, no serv
ice packs. ) and also had the same effect, though seemingly policies were
still in effect.

This whole problem stems from Microsoft entering relative names into the
registry - I was able to rectify the problem ( MS Definition -
undocumented feature?? ) by editing the registry and changing the Shell
key ie.

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current
Version\Winlogon\SHELL = "C:\winnt\explorer.exe"

Unfortunately Windows has a problem with the key value
"%systemroot%\explorer.exe"

Another filename that may work is Isass.exe

Warren Boyd

Unix Administrator
Central Institute of Technology
Upper Hutt,
New Zealand.

Phone +64 25 224 0904

===============================

On Tue, 6 Jul 1999, Ben Greenbaum wrote:

> I just tested this on NT4 SP4 and this is real! Policies are, for the most
> part, obsolete....
>
> Compiled from postings to NTbugtraq June 28 - June 30 by Martin Wolf
> <martinw_at_INFOSUPPORT.COM> and Michael Benadiba <michael_at_MBCCS.COM>.
>
> When a user logs into an NT machine, there are a few processes that are
> started automatically, including explorer.exe. These programs are normally
> in %winroot% or %winroot%\system32. The problem is that NT will look for
> these programs first in the user's home directory. If no user folder is
> specified, it will look in the root of the system drive. Only if the
> program it is looking for is not found in that location will it look in
> the 'normal' location. This allows any user to rename any executable and
> have it run at login, effectively bypassing many policy restrictions. The
> list of currently known filenames that will work is: explorer.exe,
> nddeagnt.exe, taskmgr.exe and userinit.exe .
>
> To test this: Log in as a normal user. Copy command.com to your home
> directory and rename it explorer.exe. Log out and log back in.
>
> Ben Greenbaum
> SecurityFocus
> www.securityfocus.com
>
Received on Jul 06 1999

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
edgeos