Microsoft » Windows Nt : Security Vulnerabilities, CVEs, Published In 1999 CVSS score >= 6

RSH service utility RSHSVC in Windows NT 3.5 through 4.0 does not properly restrict access as specified in the .Rhosts file when a user comes from an authorized host, which could allow unauthorized users to access the service by logging in from an authorized host.

Windows NT searches a user's home directory (%systemroot% by default) before other directories to find critical programs such as NDDEAGNT.EXE, EXPLORER.EXE, USERINIT.EXE or TASKMGR.EXE, which could allow local users to bypass access restrictions or gain privileges by placing a Trojan horse program into the root directory, which is writable by default.

When the Ntconfig.pol file is used on a server whose name is longer than 13 characters, Windows NT does not properly enforce policies for global groups, which could allow users to bypass restrictions that were intended by those policies.

Passfilt.dll in Windows NT SP2 allows users to create a password that contains the user's name, which could make it easier for an attacker to guess.

Windows NT 4.0 does not properly shut down invalid named pipe RPC connections, which allows remote attackers to cause a denial of service (resource exhaustion) via a series of connections containing malformed data, aka the "Named Pipes Over RPC" vulnerability.

Windows NT Local Security Authority (LSA) allows remote attackers to cause a denial of service via malformed arguments to the LsaLookupSids function which looks up the SID, aka "Malformed Security Identifier Request."

Windows NT does not properly download a system policy if the domain user logs into the domain with a space at the end of the domain name.

Denial of service in various Windows systems via malformed, fragmented IGMP packets.

Multihomed Windows systems allow a remote attacker to bypass IP source routing restrictions via a malformed packet with IP options, aka the "Spoofed Route Pointer" vulnerability.

The Windows NT 4.0 print spooler allows a local user to execute arbitrary commands due to inappropriate permissions that allow the user to specify an alternate print provider.

Buffer overflows in Windows NT 4.0 print spooler allow remote attackers to gain privileges or cause a denial of service via a malformed spooler request.

The security descriptor for RASMAN allows users to point to an alternate location via the Windows NT Service Control Manager.

Buffer overflow in IIS 4.0 allows remote attackers to cause a denial of service via a malformed request for files with .HTR, .IDC, or .STM extensions.

A Windows NT user can disable the keyboard or mouse by directly calling the IOCTLs which control them.

An attacker can conduct a denial of service in Windows NT by executing a program with a malformed file image header.

The Windows NT Client Server Runtime Subsystem (CSRSS) can be subjected to a denial of service when all worker threads are waiting for user input.

Denial of service in Windows NT Local Security Authority (LSA) through a malformed LSA request.

Buffer overflow in Microsoft Phone Dialer (dialer.exe), via a malformed dialer entry in the dialer.ini file.

The HKEY_CLASSES_ROOT key in a Windows NT system has inappropriate, system-critical permissions.

A Windows NT system's registry audit policy does not log an event success or failure for non-critical registry keys.

A Windows NT system's file audit policy does not log an event success or failure for non-critical files or directories.

Windows NT is not using a password filter utility, e.g. PASSFILT.DLL.

A system-critical Windows NT file or directory has inappropriate permissions.

Windows NT automatically logs in an administrator upon rebooting.

MSHTML.DLL in Internet Explorer 5.0 allows a remote attacker to paste a file name into the file upload intrinsic control, a variant of "untrusted scripted paste" as described in MS:MS98-013.