NT User Shell Folders Vulnerability

BID:1042

Info

NT User Shell Folders Vulnerability

Bugtraq ID: 1042
Class: Configuration Error
CVE:
Remote: No
Local: Yes
Published: Mar 09 2000 12:00AM
Updated: Mar 09 2000 12:00AM
Credit: Publicized in Microsoft Security Bulletin MS00-008, released March 9, 2000.
Vulnerable: Microsoft Windows NT 4.0 alpha
Microsoft Windows NT 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Enterprise Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Terminal Server 4.0
+ Microsoft Windows NT Workstation 4.0
+ Microsoft Windows NT Workstation 4.0
Not Vulnerable:

Discussion

NT User Shell Folders Vulnerability

The registry value

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup

specifies the shared startup folder for all users on a system. This key is set to be writeable by any authenticated user. Therefore, any user could specify a folder with a shortcut to a program of their choice that will be run any time a user logs in, at the privilege level of that user.

Exploit / POC

NT User Shell Folders Vulnerability

Example:

On a Domain Controller, a batch file containg the following commands:
--
net user attacker /add /domain
net group administrators attacker /add /domain
--
could be put into the folder c:\hackstartup.
Then the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup
could be set to the string "c:\hackstartup".
The next time an administrator logs on to that machine, the 'attacker' account will be created and added to the Administrators group on the PDC of the domain.

Solution / Fix

NT User Shell Folders Vulnerability

Solution:
Microsoft has released a hotfix that tightens permissions on this and other keys in the registry. The fix is available at:
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=19172
Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=19173


Microsoft Windows NT 4.0

Microsoft Windows NT 4.0 alpha

References

© CVE.report 2026 |

Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. It is the responsibility of user to evaluate the accuracy, completeness or usefulness of any information, opinion, advice or other content. EACH USER WILL BE SOLELY RESPONSIBLE FOR ANY consequences of his or her direct or indirect use of this web site. ALL WARRANTIES OF ANY KIND ARE EXPRESSLY DISCLAIMED. This site will NOT BE LIABLE FOR ANY DIRECT, INDIRECT or any other kind of loss.

CVE, CWE, and OVAL are registred trademarks of The MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. This site includes MITRE data granted under the following license.

Free CVE JSON API cve.report/api

CVE.report and Source URL Uptime Status status.cve.report