Relative Shell Path Vulnerability

DOVES Vulnerability V-00200

DOVES Project
Computer Security Laboratory
Department of Computer Science
University of California at Davis



Description

Brief summary: When explorer.exe is loaded, it is identified using a relative path name.

Detailed description: The registry entry that specifies the Windows Shell executable (explorer.exe) uses a relative, rather than an absolute, path name. Windows searches directories for the executable in the following order:

  1. Search the current directory
  2. If the program isn't found, search the directories specified in the session manager environment's path (key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment\Path") in the order in which they are specified. The default setting is "%SystemRoot%\System32;%SystemRoot%".
  3. If the program isn't found, search the directories specified in the user environment's path (key "HKEY_CURRENT_USER\Environment\Path"), in the order in which they are specified. The default setting is empty.
Because the current directory during system startup is "%SystemDrive%\", the resulting search path would be:
  1. %SystemDrive%\ (e.g., C:\)
  2. %SystemRoot%\System32 (e.g., C:\WINNT\System32)
  3. %SystemRoot% (e.g., C:\WINNT)
The default permission of "%SystemDrive%\" allows all interactive users write access. For example, consider a system that boots from the "C:" drive (so "%SystemDrive%\" is "C:\"). If a malicious user placed a program called explorer.exe into "C:\", it, rather than the intended explorer.exe, would be loaded and executed.

Components: Explorer.exe, Msgina.dll, Userinit.exe

Operating system(s): Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows NT 4.0 Server, Enterprise Edition, Microsoft Windows NT 4.0 Server, Terminal Server Edition, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server

The attacker can cause any user logging into the system to execute a program during the login process.

How to detect: Look for a file named "explorer.exe" in the root directory of "%SystemDrive%".
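An added example, not part of the DOVES entry: a Python model of the three-step search described above, used as a detection check that reports when the Shell value would resolve to a file other than the expected system copy. The StartupEnv record, the environment values, the file sets and the expected shell location are constructed assumptions; the function also shows that an absolute Shell value is not searched for at all.

```python
import ntpath
import re
from typing import NamedTuple

class StartupEnv(NamedTuple):
    current_dir: str   # working directory while the shell is loaded
    system_path: str   # Session Manager\Environment\Path value
    user_path: str     # HKEY_CURRENT_USER\Environment\Path value
    env: dict          # %VAR% expansions, keys lowercased (constructed)

def expand(value, env):
    """Expand %NAME% references, case-insensitively, from the constructed environment."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).lower(), m.group(0)), value)

def shell_search_order(shell_value, startup):
    """Paths probed, in order, for the Shell value: an absolute value is used as-is; a relative
    one is tried in the current directory, then each system Path entry, then each user Path entry."""
    target = expand(shell_value, startup.env)
    if ntpath.isabs(target):
        return [target]
    dirs = [expand(startup.current_dir, startup.env)]
    for path_value in (startup.system_path, startup.user_path):
        dirs += [expand(d, startup.env) for d in path_value.split(";") if d]
    return [ntpath.join(d, target) for d in dirs]

def resolve_shell(shell_value, startup, files):
    """First candidate present in `files`, a constructed case-insensitive filesystem model."""
    present = {ntpath.normcase(f) for f in files}
    for cand in shell_search_order(shell_value, startup):
        if ntpath.normcase(cand) in present:
            return cand
    return None

def shell_is_shadowed(shell_value, startup, files, expected):
    """Detection check: True when the file that would run as the shell is not the expected copy."""
    resolved = resolve_shell(shell_value, startup, files)
    return resolved is not None and \
        ntpath.normcase(resolved) != ntpath.normcase(expand(expected, startup.env))

# Constructed sample using the defaults the entry gives (boot drive C:, %SystemRoot% = C:\WINNT).
NT_STARTUP = StartupEnv("%SystemDrive%\\", "%SystemRoot%\\System32;%SystemRoot%", "",
                        {"systemdrive": "C:", "systemroot": "C:\\WINNT"})
EXPECTED_SHELL = "%SystemRoot%\\explorer.exe"
CLEAN_FS = {"C:\\WINNT\\explorer.exe"}
PLANTED_FS = CLEAN_FS | {"C:\\explorer.exe"}   # extra copy in the root every interactive user can write

if __name__ == "__main__":
    for label, fs in (("clean", CLEAN_FS), ("planted", PLANTED_FS)):
        print(label, resolve_shell("explorer.exe", NT_STARTUP, fs), shell_is_shadowed("explorer.exe", NT_STARTUP, fs, EXPECTED_SHELL))
```

With the relative value the planted copy in C:\ wins because the current directory is searched first; with the absolute value the check reports nothing, which is the effect of fix 1 below.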

How to fix:

  1. Make sure all names in the registry are absolute, not relative, path names. (Warning: this may break some legacy applications, which is why Microsoft does not recommend this.)
  2. Install the Hot Fix from Microsoft. It adds a special case to the login code that prepends a fixed path name to the Shell registry values.
    1. Get the appropriate patch for Windows 2000 or Windows NT 4.0.
    2. Execute the downloaded program.

Other information:


Keywords

shell, Trojan horse

Cataloguing Information

PA Classification:

RISOS Classification:

Common Vulnerabilities and Exposures: The registry entry for the Windows Shell executable (Explorer.exe) in Windows NT and Windows 2000 uses a relative path name, which allows local users to execute arbitrary commands by inserting a Trojan Horse named Explorer.exe into the %Systemdrive% directory, aka the "Relative Shell Path" vulnerability. [CAN-2000-0663]


Exploits

Attacks: See Doves exploit #110.


Related Information

Microsoft Knowledge Base Article Q269049, Registry-Invoked Programs Use Standard Search Path

Advisories:

Related DOVES entries:


History

Who reported it: Alberto Aragone, on the Quimeras web site, in "Executable path searching vulnerability in Windows NT/2000", on July 26, 2000


Revision #1

  1. Logan Browne on 8/7/2000
    Initial Entry


Send email to doves@cs.ucdavis.edu

Department of Computer Science
University of California at Davis
One Shields Ave.
Davis, CA 95616-8562


Page created August 28, 2000 at 16:41:49 GMT
