CVE-1999-1217
Description
Windows NT includes the current working directory in its PATH, allowing local users to execute Trojan horse programs placed in that directory with the same name as system utilities.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Windows NT's default PATH includes the current working directory (.), as documented in the CreateProcess() API search order. This means that when a user runs a command from a command prompt (cmd.exe) or any application that uses CreateProcess(), the operating system will search the current directory before searching the system directories (such as SYSTEM32) or the directories listed in the PATH environment variable [1][2]. The issue affects Windows NT systems up to and including the version discussed in 1997; the exact build range is not specified, but the behavior is inherent to the OS design.
Exploitation
An attacker with local access to the system can place a malicious executable (a Trojan horse) in a directory that a victim will use as their current working directory. The Trojan horse must be named identically to a commonly used system command (e.g., cmd.exe, ipconfig.exe, notepad.exe). When the victim executes that command from the command prompt or any process inheriting the current directory, Windows NT's search order will first find the attacker's malicious copy in the current directory and execute it instead of the legitimate system binary [1][2]. No special privileges are needed beyond the ability to write files into a directory the victim will later access.
Impact
Successful exploitation allows the attacker to achieve arbitrary code execution in the context of the victim user. Depending on the victim's privileges, this could lead to complete system compromise, including data theft, installation of malware, or privilege escalation if the victim is an administrator [1]. The impact is similar to a classic path traversal or DLL hijacking vulnerability, but specifically targets executable files.
Mitigation
Microsoft has not provided an official patch for this behavior, as it is a fundamental design choice of the Windows NT operating system. The recommended mitigation is to avoid running untrusted executables from non-system directories and to enforce strict permissions on all directories to prevent unauthorized writes [1]. Using a different command shell (e.g., bash from Cygwin) that does not follow the Windows search order may help, but CreateProcess() itself will still prioritize the current directory [2]. Administrators should review and harden directory permissions, ensuring users cannot write to directories where they might later execute commands.
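An audit sketch for the review step above, added here as an example (it is not part of the CVE record or any Microsoft tooling). It flags PATH entries that resolve against the current directory and lists files in a working directory that share a command name with executables in a system directory; the function names, the extension list and the sample PATH and file names are constructed assumptions.

```python
import os
import tempfile

# Extensions cmd.exe tries for a bare command name (assumed subset of PATHEXT).
EXEC_EXTS = (".com", ".exe", ".bat", ".cmd")

def relative_path_entries(path_value, sep=";"):
    """Return PATH entries that are '.' or otherwise resolve against the current directory."""
    hits = []
    for raw in path_value.split(sep):
        entry = raw.strip().strip('"')
        # Drive-rooted (C:\...), UNC (\\host\...) and unexpanded %VAR% entries count as absolute.
        rooted = entry[1:2] == ":" and entry[2:3] in ("\\", "/")
        if entry and not (rooted or entry.startswith(("\\\\", "%"))):
            hits.append(entry)
    return hits

def shadowing_files(workdir, system_dirs):
    """List (candidate, legitimate) pairs where a file in workdir shares a command name
    with an executable in a system directory. Names compare case-insensitively and by
    base name, so notepad.bat is reported against notepad.exe."""
    system = {}
    for d in system_dirs:
        for name in os.listdir(d):
            stem, ext = os.path.splitext(name.lower())
            if ext in EXEC_EXTS:
                system.setdefault(stem, os.path.join(d, name))
    pairs = []
    for name in sorted(os.listdir(workdir)):
        stem, ext = os.path.splitext(name.lower())
        if ext in EXEC_EXTS and stem in system:
            pairs.append((os.path.join(workdir, name), system[stem]))
    return pairs

def demo():
    """Run the check on a constructed directory tree (sample data, not from a real host)."""
    with tempfile.TemporaryDirectory() as root:
        sysdir, work = os.path.join(root, "system32"), os.path.join(root, "shared")
        os.makedirs(sysdir)
        os.makedirs(work)
        for d, names in ((sysdir, ["ipconfig.exe", "notepad.exe", "cmd.exe"]),
                         (work, ["IPCONFIG.EXE", "notepad.bat", "report.txt", "tool.exe"])):
            for n in names:
                open(os.path.join(d, n), "w").close()
        return [(os.path.basename(c), os.path.basename(l)) for c, l in shadowing_files(work, [sysdir])]

if __name__ == "__main__":
    # Constructed sample PATH value.
    print(relative_path_entries(r".;C:\WINNT\system32;tools;%SystemRoot%"))
    print(demo())
```

Any pair reported for a directory that ordinary users can write to is worth reviewing together with that directory's permissions.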
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
cpe:2.3:o:microsoft:windows_nt:*:*:*:*:*:*:*:*
Patches
No patches discovered yet.
References: 3