Microsoft Windows NT login default folder allows a user to bypass policies
| nt-login-default-folder (2336) |  High Risk |
Description:
When a user logs into an Windows NT computer, system processes are automatically started. Windows NT looks for these programs in the user's directory first, allowing a user to execute any program on startup, by renaming the program to a system process file such as explorer.exe or taskmgr.exe. The user would then be able to bypass certain policy restrictions.
Platforms Affected:
- Microsoft, Windows NT 4.0
Remedy:
No remedy available as of July 4, 2009.
Consequences:
Bypass Security
References:
- NTBugTraq Mailing List, Mon, 28 Jun 1999 20:06:39 +0100, NT runs Explorer.exe, Taskmgr.exe etc. from wrong location at http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9906&L=ntbugtraq&F=P&S=&P=9659.
- NTBugTraq Mailing List, Wed, 30 Jun 1999 23:19:10 +0100, Update: NT runs explorer.exe, etc¿ at http://www.ntbugtraq.com/default.asp?pid=36&sid=1&A2=ind9907&L=ntbugtraq&F=P&P=737.
- BID-1: Berkeley Sendmail DEBUG Vulnerability
- BID-10: NeXTstep npd Vulnerability
- BID-1000: Microsoft Windows Media Services Handshake Sequence DoS Vulnerability
- BID-10002: cPanel Multiple Module Cross-Site Scripting Vulnerabilities
- BID-10003: TCPDump ISAKMP Delete Payload Buffer Overrun Vulnerability
- BID-10004: TCPDump ISAKMP Identification Payload Integer Underflow Vulnerability
- BID-10005: Interchange Remote Information Disclosure Vulnerability
- BID-10007: Clam Anti-Virus ClamAV Arbitrary Command Execution Vulnerability
- BID-10008: MPlayer Remote HTTP Header Buffer Overflow Vulnerability
- BID-10009: Oracle Single Sign-On Login Page Authentication Credential Disclosure Vulnerability
- BID-1001: InterAccess TelnetD Server 4.0 Terminal Configuration Vulnerability
- BID-10010: LinBit Technologies LINBOX Officeserver Remote Authentication Bypass Vulnerability
- BID-10013: PHPKit Multiple HTML Injection Vulnerabilities
- BID-10017: JamesOff QuoteEngine Multiple Parameter Unspecified SQL Injection Vulnerability
- BID-10018: MadBMS Unspecified Login Vulnerability
- BID-10019: Cactusoft CactuShop SQL Injection Vulnerability
- BID-1002: Sambar Server Batch CGI Vulnerability
- BID-10020: CactuSoft CactuShop Cross-Site Scripting Vulnerability
- BID-10022: Roger Wilco Server UDP Datagram Handling Denial Of Service Vulnerability
- BID-10024: Roger Wilco Information Disclosure Vulnerability
- BID-10025: Roger Wilco Server Unauthorized Audio Stream Denial Of Service Vulnerability
- BID-10026: ADA IMGSVR Remote Directory Listing Vulnerability
- BID-10027: ADA IMGSVR Remote File Download Vulnerability
- BID-10028: OpenBSD ISAKMPD Zero Payload Length Denial Of Service Vulnerability
- BID-1003: FTPx FTP Explorer Weak Password Encryption Vulnerability
- BID-10033: HAHTsite Scenario Server Project File Name Buffer Overrun Vulnerability
- BID-10036: Macromedia Dreamweaver Remote User Database Access Vulnerability
- BID-10037: SGI IRIX ftpd Multiple Denial Of Service Vulnerabilities
- BID-515: NT Login Default Folder Vulnerability
- CVE-1999-1365: Windows NT searches a user's home directory (%systemroot% by default) before other directories to find critical programs such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could allow local users to bypass access restrictions or gain privileges by placing a Trojan horse program into the root directory, which is writable by default.
Reported:
Jun 28, 1999
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net