CVE-1999-1365
Description
Windows NT prioritizes a user's home directory (defaulting to the root) when launching critical system executables, allowing local privilege escalation via Trojan horse placement.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Windows NT, the operating system searches a user's home directory before looking in %systemroot%\system32 or %systemroot% for critical executables such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE, and TASKMGR.EXE. The home directory is the one specified for the user in User Manager; when no home directory is set, the root of the boot partition is used. The behavior is present in Windows NT 4.0, including Service Pack 4, as reported in the original disclosure [1][2].
Exploitation
A local user with write access to the target user's home directory (or to the root of the boot partition if no home directory is configured) can exploit this by placing a malicious executable under the name of a trusted system binary (e.g., EXPLORER.EXE, USERINIT.EXE, NDDEAGNT.EXE, or TASKMGR.EXE) into that directory. When the targeted user logs on locally, Winlogon or the LSASS subsystem will execute the planted binary instead of the legitimate system file, as demonstrated by copying CALC.EXE to the root directory and renaming it to NDDEAGNT.EXE [1]. The attacker need only have write access to the location; no additional authentication or interaction beyond the login event is required [1][2].
Impact
Successful exploitation results in arbitrary code execution with the security privileges of the logged-on user. Because USERINIT.EXE and EXPLORER.EXE are launched during the interactive logon session of any user (including administrators), an attacker who places a Trojan in the appropriate directory can gain the privileges of that user, potentially escalating from a low-privileged local account to SYSTEM or administrative rights. The impact includes full compromise of confidentiality, integrity, and availability on the affected system [1].
Mitigation
Microsoft's initial response to the disclosure was that the system should be configured so that ordinary users do not have write access to the root directory (or to other users' home directories) [1]. No official patch was released at the time, and the underlying behavior is considered a design flaw. Administrators should ensure that the default home directory for users (which, when unset, points to the boot partition root) is set to a secure, non‑world‑writable location via User Manager. Additionally, restricting local user write permissions on the boot drive and applying the principle of least privilege are recommended workarounds. As of the publication date, this issue is not listed on the CISA KEV [1][2].
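As a check to go with these workarounds, the following added example (not code from the advisory or from Microsoft) audits the directories that are searched first for files carrying the four names listed above and compares each against the copies in the system directories. The function names and status strings are hypothetical, and it assumes an offline copy of the volume in which the system subdirectory is named `system32`.

```python
import hashlib
from pathlib import Path

# Executable names listed in the CVE description; NT file names are case-insensitive.
WATCHED = {"NDDEAGNT.EXE", "EXPLORER.EXE", "USERINIT.EXE", "TASKMGR.EXE"}


def _watched_files(directory):
    """Yield (upper-cased name, path) for watched files directly inside a directory."""
    directory = Path(directory)
    if directory.is_dir():
        for entry in sorted(directory.iterdir()):
            if entry.is_file() and entry.name.upper() in WATCHED:
                yield entry.name.upper(), entry


def _sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_early_search_dirs(boot_root, system_root, home_dirs=()):
    """Report watched names sitting in directories searched before the system ones.

    boot_root   -- root of the boot partition (the home directory when none is set)
    system_root -- the %systemroot% directory on the same volume
    home_dirs   -- home directories configured in User Manager
    Returns a sorted list of (path, name, status) tuples.
    """
    system_dirs = [Path(system_root) / "system32", Path(system_root)]
    trusted = {}  # name -> hashes of the copies in the system directories
    for sysdir in system_dirs:
        for name, path in _watched_files(sysdir):
            trusted.setdefault(name, set()).add(_sha256(path))

    skip = {d.resolve() for d in system_dirs}
    findings = []
    for directory in [Path(boot_root), *map(Path, home_dirs)]:
        if directory.resolve() in skip:
            continue  # the legitimate location itself is not a shadowing copy
        for name, path in _watched_files(directory):
            if name not in trusted:
                status = "no-system-copy"
            elif _sha256(path) in trusted[name]:
                status = "matches-system-copy"
            else:
                status = "differs-from-system-copy"
            findings.append((str(path), name, status))
    return sorted(findings)
```

Any finding deserves review, since even a byte-identical copy in one of these directories is what would be launched at logon; `differs-from-system-copy` is the case to triage first.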
AI Insight generated on May 24, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- cpe:2.3:o:microsoft:windows_nt:*:*:*:*:*:*:*:*
- (no CPE)
Patches
No patches discovered yet.
References (4)
News mentions (0): No linked articles in our index yet.