FW: Security Vulnerability with SMS 2.0 Remote Control

[Beisenmann () SCIENT COM (Brandon Eisenmann)]

> -----Original Message-----
> From: Frank Monroe [SMTP:Frank.Monroe () AMMOBILE COM]
> Sent: Saturday, January 15, 2000 1:01 PM
> To:   NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
> Subject:      Security Vulnerability with SMS 2.0 Remote Control
>
> I noticed the problem that I explain below when SMS 2.0 was released.  I
> didn't see this in the archives so if it has already been reported, I
> apologize.
>
> One of the features of SMS 2.0, Remote Control, introduces a security risk
> that will allow the attacker to run programs in system context.  In system
> context, the program can do pretty much whatever it wants to.  The risk is
> due to the fact that the executable used for the remote control service is
> copied to the workstation without any special permission settings to
> prevent
> a user from replacing the executable.  This only matters on NTFS
> permissions, of course.
>
> Here is an easy way to see the problem:
>
> *       Rename %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE to *.OLD
> *       Copy %SystemRoot%\System32\musrmgr.exe to
> %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE
> *       Reboot PC
>
> After you reboot the PC, user manager will run.  At this point, the non
> admin user can grant administrator privileges to whoever he wants.
>
> To get around the issue, create the \ms\sms\clicomp\remctrl directory and
> set appropriate permissions on the directory before SMS is installed.  If
> SMS is already installed, you can simply change the permissions on the
> directory and contents.
>
> Frank