COMMAND
LSASS (or WinLogon)
SYSTEMS AFFECTED
WinNT
PROBLEM
Martin Wolf found the following. He discovered what seems to be a
bug in Windows NT, with possible security consequences.
Specifically, it would allow any user with local access to a
machine, as long as they have write access to the root directory
of the boot partition, to install a Trojan horse which is then
executed whenever someone logs on locally. The problem is that
when this partition (the one containing %systemroot%) contains a
file such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or
TASKMGR.EXE, that file will be executed instead of the one in the
%systemroot% or %systemroot%\system32 directory. This can be
easily demonstrated:
1. Copy an executable file (CALC.EXE will do) to the rootdir.
2. Rename the file to NDDEAGNT.EXE.
3. Log off, and log on again as the same or a different user.
The Calculator program will now start immediately, using the
security privileges of the logged-on user (OK, bad example..).
This behaviour seems to occur on any out-of-the-box NT4
installation, even with SP4, although obviously it can only be
exploited by someone with write access to the specified location.
It also works with TASKMGR.EXE, but only when the task manager is
started using Ctrl-Alt-Del, not when it is started from the
taskbar. This suggests the problem lies with Winlogon or the
LSASS subsystem.
SOLUTION
Surely, use NTFS and set up permissions. MS responded that the
system should be configured so that ordinary users do not have
write access to the root directory. This is obviously true;
however, it still seems to be a bug, as in "deviates from
expected behaviour". Also, it does not work on all machines even
when the attacker does have write access to the system boot
partition, but it is not yet clear exactly where the problem lies.
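The following is an added example, not code from the advisory or from Martin Wolf's report. It models the search-order behaviour described in PROBLEM and the audit a defender would want from SOLUTION: a throwaway directory tree stands in for the boot partition root and %systemroot%\system32 (constructed here, with placeholder text files instead of real binaries), a resolver shows that a same-named file in the root wins when the root is searched first, and an audit function flags root-directory files that shadow the watched system binaries. The names `resolve_executable`, `audit_root_shadowing` and `WATCHED_NAMES` are this example's own; the NTFS DACL check on the root directory itself is a Windows ACL operation and is not modelled here.

```python
"""Model of the NT boot-partition search-order problem described above.

Constructed example: builds a temporary tree standing in for the boot
partition root and %systemroot%\\system32, then shows (1) how a bare
executable name resolves when the root is searched first and (2) an
audit that flags root-directory files shadowing system binaries.
"""
import os
import shutil
import tempfile

# Names the advisory reports as being picked up from the partition root.
WATCHED_NAMES = {"NDDEAGNT.EXE", "EXPLORER.EXE", "USERINIT.EXE", "TASKMGR.EXE"}


def resolve_executable(name, search_order):
    """Return the first path in search_order where `name` exists
    (case-insensitive, as on NT), mirroring a loader that tries the
    directories in order and takes the first hit."""
    for directory in search_order:
        for entry in os.listdir(directory):
            if entry.upper() == name.upper():
                return os.path.join(directory, entry)
    return None


def audit_root_shadowing(root_dir, system_dirs, watched=WATCHED_NAMES):
    """Return the watched names present in root_dir that also exist in one
    of system_dirs, i.e. root files that would shadow a system binary."""
    root_names = {e.upper() for e in os.listdir(root_dir)}
    system_names = set()
    for d in system_dirs:
        system_names.update(e.upper() for e in os.listdir(d))
    return sorted(root_names & system_names & watched)


def build_demo_tree():
    """Create a constructed tree: <tmp>/root (boot partition root) and
    <tmp>/root/WINNT/system32 (legitimate binaries as placeholder files).
    Returns (base, root, system32)."""
    base = tempfile.mkdtemp(prefix="nt_search_order_")
    root = os.path.join(base, "root")
    system32 = os.path.join(root, "WINNT", "system32")
    os.makedirs(system32)
    for n in ("NDDEAGNT.EXE", "EXPLORER.EXE", "USERINIT.EXE", "TASKMGR.EXE", "CALC.EXE"):
        with open(os.path.join(system32, n), "w") as f:
            f.write("legitimate placeholder\n")
    return base, root, system32


def demo():
    """Run the advisory's scenario: audit a clean root, place a file named
    nddeagnt.exe in the root, then report what the loader would pick and
    what the audit flags. Returns a dict of results and cleans up."""
    base, root, system32 = build_demo_tree()
    try:
        before = audit_root_shadowing(root, [system32])
        # Steps 1-2 of the advisory: an executable copied to the root and
        # renamed (a placeholder text file stands in for the binary).
        with open(os.path.join(root, "nddeagnt.exe"), "w") as f:
            f.write("renamed CALC.EXE placeholder\n")
        # Root is searched before system32, so the planted file wins.
        chosen = resolve_executable("NDDEAGNT.EXE", [root, system32])
        after = audit_root_shadowing(root, [system32])
        return {
            "flagged_before": before,
            "resolved_from_root": os.path.dirname(chosen) == root,
            "flagged_after": after,
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(demo())
```

On a real system the audit would be pointed at the root of the boot partition and at %systemroot% and %systemroot%\system32; any hit there is either an administrator's mistake or the Trojan horse the advisory describes, and the root directory's DACL should then be reviewed as MS recommends.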