NT file execution path

Summary
Description:NT has a HORRIBLY insecure path, and there is nothing you can do about it!
Author:Jeremy Allison <jallison@WHISTLE.COM> quotes some M$ documentation which confirms the ugly rumors.
Compromise:Can you say TROJAN HORSE!
Vulnerable Systems:Windoze NT 4.0, probably earlier.
Date:25 July 1997
Details


Date: Fri, 25 Jul 1997 12:35:42 -0700
From: Jeremy Allison <jallison@WHISTLE.COM>
To: NTBUGTRAQ@RC.ON.CA
Subject: Re: NT security - why bother?

Paul Ashton wrote:

> Use a different command shell. I use bash from cygwin. Do other
> things other than cmd.exe observe PATH?

It's worse than that. From the documentation of CreateProcess().

-----------start excerpt-----------------------
If the filename does not contain a directory path, Windows searches for
the
executable file in the following sequence:
        1.      The directory from which the application loaded.
        2.      The current directory for the parent process.
        3.      Windows 95: The Windows system directory. Use the
                GetSystemDirectory function to get the path of this
directory.
                Windows NT: The 32-bit Windows system directory. Use the
                GetSystemDirectory function to get the path of this
directory.
                The name of this directory is SYSTEM32.
        4.      Windows NT: The 16-bit Windows system directory. There
is no
                Win32 function that obtains the path of this directory,
but
                it is searched. The name of this directory is SYSTEM.
        5.      The Windows directory. Use the GetWindowsDirectory
function
                to get the path of this directory.
        6.      The directories that are listed in the PATH environment
                variable.
-------------end excerpt-----------------------------

This means :

1). '.\' is *always* in your PATH.
2). The PATH is only searched as a last resort.

The SYSTEM32 directory and others are *hard coded* into the OS API
specification.

Good luck fixing that :-(.

Jeremy Allison,
Whistle Communications.

More Exploits!

The master index of all exploits is available here (Very large file)
Or you can pick your favorite operating system:
All OS's Linux Solaris/SunOS Micro$oft
*BSD Macintosh AIX IRIX
ULTRIX/Digital UNIX HP/UX SCO Remote exploits

This page is part of Fyodor's exploit world. For a free program to automate scanning your network for vulnerable hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resouces:

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault