NT User Shell Folders Vulnerability
BID:1042
Info
NT User Shell Folders Vulnerability
| Bugtraq ID: | 1042 |
| Class: | Configuration Error |
| CVE: | |
| Remote: | No |
| Local: | Yes |
| Published: | Mar 09 2000 12:00AM |
| Updated: | Mar 09 2000 12:00AM |
| Credit: | Publicized in Microsoft Security Bulletin MS00-008, released March 9, 2000. |
| Vulnerable: |
Microsoft Windows NT 4.0 alpha Microsoft Windows NT 4.0 |
| Not Vulnerable: | |
Discussion
NT User Shell Folders Vulnerability
The registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup
specifies the shared startup folder for all users on a system. This key is set to be writeable by any authenticated user. Therefore, any user could specify a folder with a shortcut to a program of their choice that will be run any time a user logs in, at the privilege level of that user.
The registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup
specifies the shared startup folder for all users on a system. This key is set to be writeable by any authenticated user. Therefore, any user could specify a folder with a shortcut to a program of their choice that will be run any time a user logs in, at the privilege level of that user.
Exploit / POC
NT User Shell Folders Vulnerability
Example:
On a Domain Controller, a batch file containg the following commands:
--
net user attacker /add /domain
net group administrators attacker /add /domain
--
could be put into the folder c:\hackstartup.
Then the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup
could be set to the string "c:\hackstartup".
The next time an administrator logs on to that machine, the 'attacker' account will be created and added to the Administrators group on the PDC of the domain.
Example:
On a Domain Controller, a batch file containg the following commands:
--
net user attacker /add /domain
net group administrators attacker /add /domain
--
could be put into the folder c:\hackstartup.
Then the registry value
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup
could be set to the string "c:\hackstartup".
The next time an administrator logs on to that machine, the 'attacker' account will be created and added to the Administrators group on the PDC of the domain.
Solution / Fix
NT User Shell Folders Vulnerability
Solution:
Microsoft has released a hotfix that tightens permissions on this and other keys in the registry. The fix is available at:
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=19172
Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=19173
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 alpha
Solution:
Microsoft has released a hotfix that tightens permissions on this and other keys in the registry. The fix is available at:
Intel: http://www.microsoft.com/downloads/release.asp?ReleaseID=19172
Alpha: http://www.microsoft.com/downloads/release.asp?ReleaseID=19173
Microsoft Windows NT 4.0
-
Microsoft Q250625
http://download.microsoft.com/download/winntsp/Patch/regacl/NT4/EN-US/ Q250625i.EXE
Microsoft Windows NT 4.0 alpha
References
NT User Shell Folders Vulnerability
References:
References: