Re: NT Login Default Folder Vulnerability
From: Russ.Cooper () RC ON CA (Russ)
Date: Wed, 7 Jul 1999 01:31:26 -0400
> I just tested this on NT4 SP4 and this is real! Policies are, for the
> most part, obsolete....
I'm not sure what the reference to policies being obsolete is supposed
to mean. They could be by-passed, but there are ways to prevent this.
1. Remove any file named explorer.exe, taskmgr.exe, etc... during a
login script. Since login scripts still process prior to loading the
desktop (or any of the renamed executables), it's possible to eliminate
any trojans that might be present.
2. Place a copy of the "official" files (explorer, etc...) into the
user's home directory and then ACL them for Administrator's modification
only, thereby preventing this from being an issue in many profiled
3. I haven't tried this, but it should be possible to prevent, by
policy, execution of the given executables from the user's home
directory (while still permitting them to be run from %systemroot%).
Their desktop will hang, I would assume, as a result of them placing an
excluded filename in their home directory.
Note these are only workarounds, and may not work if the user has access
to the user's home directory (%systemroot% if no directory specified) in
situations where ACLs can be usurped (e.g. a user is a Local
Administrator and can boot to the machine, rather than the domain).
Clearly there's a large and real issue here, but just as clearly,
Policies aren't, for the most part, obsolete.
You may also prefer to use CMD.EXE instead of COMMAND.COM to test this,
just to be safe and ensure you'll be able to recover. On a funny note, I
followed the original poster's suggestion of renaming calc.exe as
explorer.exe and rebooted...;-]...needless to say there was a momentary
look of shock on my face as I tried to remember what to do to get the
real explorer back on my desktop...;-] (in case you find yourself in
this situation, CTRL-ALT-DEL, Task Manager, File, Run,
%systemroot%\explorer.exe restores your desktop)
Russ - NTBugtraq Editor
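A login-script form of workarounds 1 and 2 above, added here as an example; it is not part of Russ's post or of any NTBugtraq advisory. It assumes an NT 4 cmd.exe with command extensions enabled, that %HOMEDRIVE%%HOMEPATH% names the user's home directory, that the filenames to protect are the two named in the post, and that Administrators:F / Everyone:R is the ACL wanted on the official copies.

```batch
@echo off
rem Added example (not from the original post): login-script workaround for
rem trojaned shell binaries dropped into the user's home directory.
rem Assumption: the login script runs before the desktop shell is loaded.
setlocal

set USERHOME=%HOMEDRIVE%%HOMEPATH%

rem Edge case noted in the post: with no home directory assigned, NT uses
rem %SystemRoot% as the home directory. Never delete or re-ACL the real
rem shell binaries there, so bail out if the two paths are the same.
if /i "%USERHOME%"=="%SystemRoot%" goto done
if /i "%USERHOME%\"=="%SystemRoot%\" goto done

rem Workaround 1: remove any copy of the protected names from the home
rem directory (/f also removes read-only copies) before the desktop loads.
for %%f in (explorer.exe taskmgr.exe) do if exist "%USERHOME%\%%f" del /f "%USERHOME%\%%f"

rem Workaround 2: put the official binaries from %SystemRoot% in their place
rem and let only Administrators modify them. cacls /G without /E replaces the
rem whole ACL and asks "Are you sure (Y/N)?", hence the piped "y".
for %%f in (explorer.exe taskmgr.exe) do copy /y "%SystemRoot%\%%f" "%USERHOME%\%%f" >nul
for %%f in (explorer.exe taskmgr.exe) do echo y| cacls "%USERHOME%\%%f" /G Administrators:F Everyone:R >nul

:done
endlocal
```

As the post warns, this only holds where the user cannot override the ACL on the home directory itself; a user who owns that directory, or who is a local Administrator, can still replace the files.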