COMMAND

    subst.exe

SYSTEMS AFFECTED

    WinNT

PROBLEM

    Dave Tarbatt found the following (tested with NT4WS SP3 and SP5).
    SUBSTed drives are persistent between different logged-on users.
    Users can be misled into saving data somewhere other than where
    they first thought, into running trojaned executables, etc.

    To recreate (typical example), an  ordinary user logs onto the  NT
    workstation and maps a drive to a subdirectory:

        SUBST M: C:\TEMP

    They log off.  A second user logs onto the same workstation.   The
    SUBSTed drive is  still in effect.  Their profile defines  that M:
    be their home directory, mapped to \\SERVER\USERNAME$.  It doesn't
    get connected and there is no error message.  The user saves their
    documents to what they believe to be their home drive (M:) but  in
    actual fact they end up in C:\TEMP.  They log off.  The first user
    comes back and  reads their saved  documents from C:\TEMP.   There
    are many other possible exploits that this could be used for.

SOLUTION

    David Anders posted the following workaround.  In his environment,
    he uses both the subst and net use commands to set up the users'
    environment during logon.  To avoid any errors, his logon scripts
    simply include subst *drive_letter* /d statements for all drive
    letters that he uses.  This ensures that the machine has no
    previous mappings before the rest of the script is run.

        if exist g: subst g: /d
        if exist h: subst h: /d
        if exist t: subst t: /d
        if exist z: subst z: /d

        subst g: c:\data
        subst h: c:\apps
        net use t: \\server\server_apps
        net use z: \\server\user_home

    This solution is simple to apply in any environment.  Since, as the
    report above points out, the exploit only works by spoofing drive
    mappings that *should* exist in a normal user environment, this
    simple addition to the logon script eliminates the problem.

    You can get rid of all SUBSTituted drives using the following
    command (only works on NT):

        for /f "delims=\" %d in ('subst') do subst %d /d

    Jacques Forster posted the following.  Place the script below in
    your network login script to remove all subst drives at each logon.

        @echo off

        :: This script removes all currently allocated SUBST drives.
        :: Supports NT4 and Windows 2000.

        :: Make sure %temp% points at a usable directory for the log and work file.
        if not exist %temp%\nul set temp=%systemdrive%\temp
        if not exist %temp%\nul md %systemdrive%\temp
        if not exist %temp%\nul set temp=%systemdrive%\

        set log=%temp%\Remove_Subst_Drives.log
        set sysdir=%systemroot%\system32
        if not exist %sysdir%\subst.exe goto error1

        echo ---------------   START   --------------           >%log%
        time /t                                                 >>%log%
        echo ----------------------------------------           >>%log%

        :start
        echo ----------------------------------------           >>%log%
        :: "subst" with no arguments lists the current mappings, one per line.
        %sysdir%\subst.exe                                      >%temp%\subst.txt

        echo Analysing %temp%\Subst.txt ...                     >>%log%
        :: The drive letter is the text before the first backslash on each line.
        For /F "tokens=1,2* delims=\" %%i in ('type %temp%\subst.txt') do call %sysdir%\subst.exe %%i /d
        goto end

        :error1
        echo ----------------------------------------           >>%log%
        echo Missing SUBST.EXE command ...                      >>%log%
        goto end

        :end
        if exist %temp%\subst.txt del %temp%\subst.txt
        echo ---------------    END    --------------           >>%log%
        time /t                                                 >>%log%
        echo ----------------------------------------           >>%log%
        :: "pause" waits for a keypress; remove it when the script runs unattended at logon.
        pause
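    The scripts above only remove stale SUBST mappings.  The following
    logon-script fragment is an added example (not from the advisory or
    from any of the posters) that also checks the outcome: it clears any
    leftover SUBST on the home-drive letter, maps the network home
    directory with net use so that a failure is reported, and then
    verifies that the letter really points at the share before the user
    starts saving documents.  It assumes M: is the home drive and
    \\SERVER\%USERNAME%$ is the share; both are placeholder names.

```batch
@echo off
:: Added example, not part of the original advisory.  Assumed layout: the
:: home drive is M: and the share is \\SERVER\%USERNAME%$ (placeholder names).
setlocal
set HOMEDRV=M:
set HOMESHARE=\\SERVER\%USERNAME%$
set LOG=%TEMP%\homedrive.log

:: 1. Remove a stale SUBST mapping left on the home-drive letter by a
::    previous user.  "subst" lists each mapping on its own line, starting
::    with the drive letter; with "\" as delimiter the first token is the
::    letter and the starred token is the rest of the line (for the log).
for /f "tokens=1* delims=\" %%a in ('subst') do (
    if /i "%%a"=="%HOMEDRV%" (
        echo WARNING: stale SUBST mapping removed: %%a\%%b >>%LOG%
        subst %%a /d
    )
)

:: 2. Map the network home directory.  Unlike the silent profile-based
::    mapping described in the advisory, net use signals failure via errorlevel.
net use %HOMEDRV% /delete >nul 2>&1
net use %HOMEDRV% %HOMESHARE% /persistent:no >nul
if errorlevel 1 (
    echo ERROR: could not map %HOMEDRV% to %HOMESHARE% >>%LOG%
    goto end
)

:: 3. Verify that the letter is a network drive on the expected share and
::    not a local directory, so a spoofed home drive is caught at logon.
net use %HOMEDRV% | find /i "%HOMESHARE%" >nul
if errorlevel 1 (
    echo ERROR: %HOMEDRV% is connected but not to %HOMESHARE% >>%LOG%
    goto end
)
echo OK: %HOMEDRV% is mapped to %HOMESHARE% >>%LOG%

:end
endlocal
```

    Review %TEMP%\homedrive.log (or forward it to a central share) to spot
    workstations where the WARNING or ERROR lines appear repeatedly.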