[13479] in bugtraq
FW: Security Vulnerability with SMS 2.0 Remote Control
daemon@ATHENA.MIT.EDU (Brandon Eisenmann)
Fri Jan 21 16:05:59 2000
Mime-Version: 1.0
Content-Type: text/plain
Message-Id: <91B3D7070413D311A0A70008C7916F5202F59DA7@mailsf02.sf.scient.com>
Date: Thu, 20 Jan 2000 13:53:23 -0800
Reply-To: Brandon Eisenmann <Beisenmann@SCIENT.COM>
From: Brandon Eisenmann <Beisenmann@SCIENT.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> -----Original Message-----
> From: Frank Monroe [SMTP:Frank.Monroe@AMMOBILE.COM]
> Sent: Saturday, January 15, 2000 1:01 PM
> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
> Subject: Security Vulnerability with SMS 2.0 Remote Control
>
> I noticed the problem that I explain below when SMS 2.0 was released. I
> didn't see this in the archives so if it has already been reported, I
> apologize.
>
> One of the features of SMS 2.0, Remote Control, introduces a security risk
> that will allow the attacker to run programs in system context. In system
> context, the program can do pretty much whatever it wants to. The risk is
> due to the fact that the executable used for the remote control service is
> copied to the workstation without any special permission settings to
> prevent a user from replacing the executable. This only matters with NTFS
> permissions, of course.
>
> Here is an easy way to see the problem:
>
> * Rename %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE to *.OLD
> * Copy %SystemRoot%\System32\musrmgr.exe to
> %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE
> * Reboot PC
>
> After you reboot the PC, user manager will run. At this point, the non-admin
> user can grant administrator privileges to whoever he wants.
>
> To get around the issue, create the \ms\sms\clicomp\remctrl directory and
> set appropriate permissions on the directory before SMS is installed. If
> SMS is already installed, you can simply change the permissions on the
> directory and contents.
>
> Frank
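The workaround in the post (lock down the REMCTRL directory so a user cannot swap WUSER32.EXE) is the same check a practitioner would apply to any directory whose contents run as SYSTEM. The following PowerShell script is an added example, not code from the original post or from Microsoft: it audits the SMS 2.0 client's REMCTRL directory and its files for ACEs that let ordinary users write, delete or re-permission them, then applies an explicit ACL (SYSTEM and Administrators full control, Users read and execute). It assumes a PowerShell 3 or later host, that %SMS_LOCAL_DIR% resolves to the SMS client root as in the post, and that it is run from an elevated shell; the set of "untrusted" principals and the dangerous-rights mask are the author's choices, not anything stated on the page.

```powershell
# Added example (not from the original post): audit and harden the NTFS ACL on
# the SMS 2.0 Remote Control client directory so non-administrators cannot
# replace WUSER32.EXE, which the remote control service runs as LocalSystem.
# Assumptions: %SMS_LOCAL_DIR% is set as in the post; elevated PowerShell 3+.

$remctrl = Join-Path $env:SMS_LOCAL_DIR 'MS\SMS\CLICOMP\REMCTRL'

# Principals that must never be able to modify a directory whose contents run
# as SYSTEM (assumed list; extend with domain groups as appropriate).
$untrusted = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Rights that would let a user swap the binary or re-permission it. Generic
# write (0x40000000) and generic all (0x10000000) show up as raw numbers on
# some ACEs, so they are OR-ed in explicitly.
$fsr = [System.Security.AccessControl.FileSystemRights]
$dangerous = [int]$fsr::Write -bor [int]$fsr::Delete -bor
             [int]$fsr::DeleteSubdirectoriesAndFiles -bor
             [int]$fsr::ChangePermissions -bor [int]$fsr::TakeOwnership -bor
             0x40000000 -bor 0x10000000

# Returns one object per Allow ACE that grants an untrusted principal any of
# the dangerous rights on $Path (empty result means the path is safe).
function Test-WritableByUntrusted {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($untrusted -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $dangerous) -ne 0) {
            [pscustomobject]@{
                Path     = $Path
                Identity = $ace.IdentityReference.Value
                Rights   = $ace.FileSystemRights
            }
        }
    }
}

# Replaces inherited and explicit ACEs on $Path with an explicit ACL:
# SYSTEM and Administrators full control, Users read and execute only.
function Set-RemctrlAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and drop the inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    # Remove any remaining explicit ACEs so the result is exactly what we add.
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $rules = @(
        @('NT AUTHORITY\SYSTEM',    'FullControl'),
        @('BUILTIN\Administrators', 'FullControl'),
        @('BUILTIN\Users',          'ReadAndExecute')
    )
    foreach ($r in $rules) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $r[0], $r[1], $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# Audit the directory and every file under it; WUSER32.EXE is the one that
# matters, but a writable sibling DLL would be just as bad.
$targets = @($remctrl) + @(Get-ChildItem -Path $remctrl -Recurse -File |
                            ForEach-Object { $_.FullName })
$findings = foreach ($t in $targets) { Test-WritableByUntrusted -Path $t }

if ($findings) {
    $findings | Format-Table -AutoSize
    # Fixing the directory is enough: the new ACL is inheritable, and files
    # created later (including a reinstalled WUSER32.EXE) pick it up.
    Set-RemctrlAcl -Path $remctrl
} else {
    Write-Host "No untrusted write access found under $remctrl"
}
```

Run the audit part before applying Set-RemctrlAcl on any box where SMS may legitimately need a different layout; the hardening function is deliberately blunt (it discards all existing ACEs on the directory), which matches the post's advice to set the permissions before the SMS client is installed. Because the service still executes whatever is at that path as SYSTEM, re-run the audit after any SMS client upgrade that recreates the directory.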