VULHUB ™

The Rdisk utility shipped with all versions of Windows NT4.0 is used to make an Emergency Repair Disk. During the creation of this disk, a temporary file ($$hive$$.tmp) is created in the %systemroot%\repair directory that contains the registry hives while they are being backed up. The group Everyone has Read permission to this file, and in this manner sensitive information about the server could be leaked. The file is put in a location that is not shared by default, and is removed immediately after the disk is created. The only likely scenario where this could be exploited is in the case of NT Terminal Server, where an administrator and a regular user could both be logged in interactively at the same time.

The Rdisk utility shipped with all versions of Windows NT4.0 is used to make an Emergency Repair Disk. During the creation of this disk, a temporary file ($$hive$$.tmp) is created in the %systemroot%\repair directory that contains the registry hives while they are being backed up. The group Everyone has Read permission to this file, and in this manner sensitive information about the server could be leaked. The file is put in a location that is not shared by default, and is removed immediately after the disk is created. The only likely scenario where this could be exploited is in the case of NT Terminal Server, where an administrator and a regular user could both be logged in interactively at the same time.