COMMAND
"User Shell Folders"
SYSTEMS AFFECTED
WinNT 4.0
PROBLEM
Arne Vidstrom found the following: a way for an ordinary User to
become a member of the Administrators group through a
vulnerability caused by a bad default permission on a registry
key. This was tested on NT 4.0 Workstation and Server with SP4
and SP5. Here's an example.
Assume that the "all users" startup directory is
c:\Winnt\Profiles\All Users\Start Menu\Programs\Startup
This directory has the following default permissions:
Administrators (Full Control)
Everyone (Read)
SYSTEM (Full Control)
It's impossible for an ordinary User to add a file there.
However, the actual startup directory is determined by the
registry value:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup
Assume that this is set to %SystemRoot%\Profiles\All Users\Start
Menu\Programs\Startup to match the above directory. The "User
Shell Folders" key by default grants Set Value permission to
Everyone, so an ordinary User can change the value to a directory
he controls, like c:\attacker. From then on, the programs in that
directory are executed each time somebody logs on, in the security
context of the user who is logging on. One of them could add the
attacker's User account to the Administrators group. That fails
while ordinary users log on, but it succeeds the next time an
administrator logs on, and from then on that User is a member of
the Administrators group.
SOLUTION
To prevent this, change the permissions on the "User Shell
Folders" key (the key ACL covers all the values in it, not just
Common Startup) to:
Administrators (Full Control),
CREATOR OWNER (Full Control),
SYSTEM (Full Control).
Everyone needs no more than Read on the key: Explorer runs as the
logged-on user and reads these values to locate the shell folders,
but users must never hold Set Value, Create Subkey, Delete or Write
DAC on it.
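The following script audits the key for the weak permission the advisory describes and, with -Fix, rewrites the ACL to the solution above (plus Read for Everyone). It is an added example, not part of the original advisory or Arne Vidstrom's work; it assumes a modern Windows host with PowerShell, where the key path is the same as on NT 4.0 and the Registry provider and the .NET RegistrySecurity classes are available. The script file name is hypothetical.

```powershell
<#
  Audit and optionally repair the ACL on the "User Shell Folders" key.
  Added example; not part of the original advisory. Assumes a modern
  Windows host with PowerShell; the key path is unchanged since NT 4.0.
  Usage:  .\Check-UserShellFolders.ps1        # report only
          .\Check-UserShellFolders.ps1 -Fix   # rewrite the ACL (run elevated)
#>
param([switch]$Fix)

$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

# Any of these rights lets a principal redirect a shell folder or rewrite the ACL.
$R = [System.Security.AccessControl.RegistryRights]
$WriteRights = $R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
               $R::ChangePermissions -bor $R::TakeOwnership -bor $R::WriteKey

# Principals every ordinary user belongs to; none of them may hold write rights here.
$Untrusted = @('Everyone', 'BUILTIN\Users',
               'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

$acl = Get-Acl -Path $KeyPath
$bad = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $Untrusted -contains $_.IdentityReference.Value -and
    ($_.RegistryRights -band $WriteRights) -ne 0
})

# Show where Common Startup points as stored (unexpanded), so a redirection to a
# user-controlled directory is visible rather than hidden behind %SystemRoot%.
$raw = (Get-Item -Path $KeyPath).GetValue('Common Startup', $null,
        [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
"Common Startup = $raw"

if ($bad.Count -eq 0) {
    "OK: no untrusted principal can write to User Shell Folders"
    return
}
foreach ($ace in $bad) {
    "VULNERABLE: $($ace.IdentityReference) has $($ace.RegistryRights)"
}
if (-not $Fix) { return }

# Replace the DACL with the advisory's ACL plus Read for Everyone, which Explorer
# (running as the logged-on user) needs in order to resolve the folder paths.
$acl.SetAccessRuleProtection($true, $false)   # stop inheriting from HKLM\SOFTWARE
foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($ace)
}
$Rules = @(
    @('BUILTIN\Administrators', 'FullControl', 'ContainerInherit', 'None'),
    @('NT AUTHORITY\SYSTEM',    'FullControl', 'ContainerInherit', 'None'),
    @('CREATOR OWNER',          'FullControl', 'ContainerInherit', 'InheritOnly'),
    @('Everyone',               'ReadKey',     'ContainerInherit', 'None')
)
foreach ($r in $Rules) {
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
        $r[0], $r[1], $r[2], $r[3], 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $KeyPath -AclObject $acl
"Fixed: ACL on User Shell Folders rewritten"
```

Run it without -Fix first: on a default current Windows install the key inherits its ACL from HKLM\SOFTWARE, where Users only have Read, so it should report OK and print the stored Common Startup path. A VULNERABLE line naming Everyone with SetValue is the condition the advisory describes; a Common Startup value outside the expected profile directory is the sign it has already been exploited.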