Current Working Directory Security Resource
A misguided user can be the source of real problems stemming from within his or her current working directory. The default working directory is defined in the user's account properties, and is otherwise known as the home directory. If a hacker has somehow broken into a user's account, some level of risk exists. The current working directory is searched, in addition to the directories specified in the PATH variable. A cracker may place executables in the working directory that replaces the intended system calls. Thus, if an application is run from a directory other than the system or program directory, a rewritten *.DLL impostor may be executed rather than the intended one. This *.DLL may perform the same tasks as the intended code, in addition to providing the cracker access to the system at the user's privilege level. If this happens from an ordinary user's account, the resulting problems will ordinarily be restricted to that account. However, if it happens from an administrator's account, the entire system and perhaps the domain could be damaged. Obviously, this can lead to problems when usersand especially administratorsexecute applications from directories that are not secure. To prevent working directory mishaps, the following common-sense steps should be enforced:
Designate application directories and tightly configure permissions.
Regularly search the system for *.DLL files that are not located in the %SystemRoot%, Program Files, or other designated application directories.
Look for any type of executable created by unauthorized users.