Date: Fri, 08 Oct 1999 23:32:04
From: Arne Vidstrom <winnt@BAHNHOF.SE>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: User to administrator elevation through "User Shell Folders" vulnerability
--------------------------------------------------------------------------------
Hi all,
We've found a way for a User to become a member of the Administrators group
through a vulnerability caused by a bad registry key default permission
setting. We've tried it on NT 4.0 WS/SRV with SP4 and SP5. Here's an
example:
Assume that the "all users" startup directory is c:\Winnt\Profiles\All
Users\Start Menu\Programs\Startup. This directory has the following default
permissions: Administrators (Full Control), Everyone (Read) and SYSTEM
(Full Control). It's impossible for an ordinary User to add a file there.
However, the actual startup directory is determined by the registry
setting:
Assume that this is set to %SystemRoot%\Profiles\All Users\Start
Menu\Programs\Startup to match the above directory. The "User Shell
Folders" key by default has Set Value permission for Everyone. So, if a User
changes the value to some other directory, like c:\attacker, the files in that
directory will be executed each time somebody logs on. For example, one of
the files could add a User to the Administrators group. The next time an
administrator logs on, that User will become a member of the Administrators
group.
To prevent this, just change the key permissions to: Administrators (Full
Control), CREATOR OWNER (Full Control), SYSTEM (Full Control).
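As an added audit-and-repair script (not part of Arne Vidstrom's message), the following PowerShell reports any principal outside the three named above that can set values on the "User Shell Folders" key, checks where the common Startup folder currently points, and applies the recommended ACL. It assumes the key is HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders and that the value is named "Common Startup" (the message names neither), and it deliberately keeps a Read entry for Everyone, since the shell must resolve these folders for every user who logs on.

```powershell
# Added audit/repair script; not part of Arne Vidstrom's message. The key path and the
# value name "Common Startup" are assumptions: the message only names the key.
$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'
$ExpectedStartup = '%SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup'  # NT 4 default from the message
$TrustedWriters = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')

# Report every Allow ACE that grants SetValue (directly or via WriteKey/FullControl)
# to a principal other than the three the message says should be able to write.
function Test-UserShellFoldersAcl {
    param([string]$Path = $KeyPath)
    $setValue = [int][System.Security.AccessControl.RegistryRights]::SetValue
    $findings = @()
    foreach ($ace in (Get-Acl -Path $Path).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $id = $ace.IdentityReference.Value
        if ($TrustedWriters -contains $id) { continue }
        if (([int]$ace.RegistryRights -band $setValue) -ne 0) {
            $findings += "$id can set values on the key ($($ace.RegistryRights))"
        }
    }
    return $findings
}

# Detect the redirection itself: the common Startup folder should still point where we expect.
# Adjust $Expected on systems whose default Startup folder lives elsewhere.
function Test-CommonStartupPath {
    param([string]$Path = $KeyPath, [string]$Expected = $ExpectedStartup)
    $current = (Get-ItemProperty -Path $Path -Name 'Common Startup').'Common Startup'
    if ($current -ne $Expected) { return "Common Startup is '$current', expected '$Expected'" }
    return $null
}

# Apply the ACL the message recommends. A Read entry for Everyone is kept on purpose:
# the shell resolves these folders for every user, so removing all read access breaks logon.
function Repair-UserShellFoldersAcl {
    param([string]$Path = $KeyPath)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)      # stop inheriting; drop inherited ACEs on save
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $rules = @(@('BUILTIN\Administrators', 'FullControl'), @('CREATOR OWNER', 'FullControl'),
               @('NT AUTHORITY\SYSTEM', 'FullControl'),   @('Everyone', 'ReadKey'))
    foreach ($r in $rules) {
        $rule = New-Object -TypeName System.Security.AccessControl.RegistryAccessRule `
            -ArgumentList $r[0], $r[1], 'ContainerInherit,ObjectInherit', 'None', 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

Test-UserShellFoldersAcl
Test-CommonStartupPath
```

Run the two Test- functions from any account to audit; Repair-UserShellFoldersAcl needs an administrative session and rewrites the key's ACL, so review the reported findings first.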