User to administrator elevation through "User Shell Folders" vulnerability

There exists a way for an ordinary User to become a member of the Administrators group through a vulnerability caused by a bad default permission setting on a registry key. We've tried it on NT 4.0 Workstation and Server with SP4 and SP5. Here's an example:

Assume that the "all users" startup directory is c:\Winnt\Profiles\All Users\Start Menu\Programs\Startup. This directory has the following default permissions: Administrators (Full Control), Everyone (Read) and SYSTEM (Full Control). It's impossible for an ordinary User to add a file there.

However, the actual startup directory is determined by the registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders\Common Startup

Assume that this is set to %SystemRoot%\Profiles\All Users\Start Menu\Programs\Startup to match the above directory. The "User Shell Folders" key by default grants Set Value permission to Everyone. So if an ordinary User changes the value to point at some other directory, like c:\attacker, the files in that directory will be executed each time somebody logs on. For example, one of the files could add a User to the Administrators group. The next time an administrator logs on, that User will become a member of the Administrators group.

To prevent this, just change the key permissions to: Administrators (Full Control), CREATOR OWNER (Full Control), SYSTEM (Full Control), Everyone (Read).
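As an added example (not part of the original advisory, and not a tool by its author), the following PowerShell script audits the "User Shell Folders" key for the weak default described above and can apply the permissions recommended in the advisory. It assumes a version of Windows with PowerShell and the Registry provider available, and must be run from an elevated session to change the ACL; on NT 4.0 itself the same change is made with regedt32 (Security > Permissions). The group names and the ReadKey/FullControl right names are the modern .NET equivalents of the "Read" and "Full Control" entries named above.

```powershell
# Added example: audit and remediate the ACL on the "User Shell Folders" key.
# Assumption: HKLM: provider path and .NET RegistryAccessRule are available.
$keyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders'

function Test-UserShellFoldersAcl {
    param([string]$Path = $keyPath)
    $acl = Get-Acl -Path $Path
    # Broad principals that should never hold write rights on this key.
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    # Collect every Allow ACE that gives a broad principal SetValue
    # (FullControl and other write masks include the SetValue bit).
    $weak = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notin $broad) { continue }
        if (($ace.RegistryRights -band $setValue) -ne 0) { $ace }
    }
    [pscustomobject]@{
        Path         = $Path
        WeakEntries  = @($weak)
        IsVulnerable = (@($weak).Count -gt 0)
    }
}

function Set-UserShellFoldersAcl {
    # Applies exactly the four entries recommended in the advisory.
    param([string]$Path = $keyPath)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent so inherited "Everyone" entries do not reappear.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop the explicit entries that are left.
    foreach ($existing in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($existing)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'CREATOR OWNER';          Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = 'Everyone';               Rights = 'ReadKey' }      # "Read" in the advisory
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule(
            $r.Id, $r.Rights, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Usage: report first, remediate only when the weak entry is present.
$result = Test-UserShellFoldersAcl
$result.WeakEntries | Format-Table IdentityReference, RegistryRights, IsInherited
if ($result.IsVulnerable) {
    Set-UserShellFoldersAcl
    (Test-UserShellFoldersAcl).IsVulnerable   # expected to be False afterwards
}
```

The audit deliberately tests for the SetValue bit rather than for a literal "Set Value" entry, because an Everyone ACE granting FullControl or a custom write mask is just as exploitable as the one the advisory names. Re-running the audit after remediation confirms that no broad principal can still redirect the Common Startup value.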

© Arne Vidstrom. All rights reserved.