Bugtraq mailing list archives
FW: Security Vulnerability with SMS 2.0 Remote Control
From: Beisenmann () SCIENT COM (Brandon Eisenmann)
Date: Thu, 20 Jan 2000 13:53:23 -0800
-----Original Message-----
From: Frank Monroe [SMTP:Frank.Monroe () AMMOBILE COM]
Sent: Saturday, January 15, 2000 1:01 PM
To: NTBUGTRAQ () LISTSERV NTBUGTRAQ COM
Subject: Security Vulnerability with SMS 2.0 Remote Control

I noticed the problem that I explain below when SMS 2.0 was released. I didn't see this in the archives so if it has already been reported, I apologize.

One of the features of SMS 2.0, Remote Control, introduces a security risk that will allow the attacker to run programs in system context. In system context, the program can do pretty much whatever it wants to. The risk is due to the fact that the executable used for the remote control service is copied to the workstation without any special permission settings to prevent a user from replacing the executable. This only matters on NTFS permissions, of course.

Here is an easy way to see the problem:

* Rename %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE to *.OLD
* Copy %SystemRoot%\System32\musrmgr.exe to %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE
* Reboot PC

After you reboot the PC, user manager will run. At this point, the non admin user can grant administrator privileges to whoever he wants.

To get around the issue, create the \ms\sms\clicomp\remctrl directory and set appropriate permissions on the directory before SMS is installed. If SMS is already installed, you can simply change the permissions on the directory and contents.

Frank
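
The following PowerShell audit is an added example, not part of the original post and not SMS code. It checks for the condition the message describes by listing every allow ACE on the REMCTRL directory and its contents that lets a principal other than SYSTEM or Administrators rename, overwrite or re-permission a file. The function name Get-WritableAce, the trusted SID baseline, and the assumption that SMS_LOCAL_DIR is set as an environment variable are illustrative choices.

```powershell
# Added example: list ACEs that let a non-trusted principal replace files.
function Get-WritableAce {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Assumed baseline of principals allowed to write: SYSTEM, Administrators.
        [string[]] $TrustedSid = @('S-1-5-18', 'S-1-5-32-544')
    )
    # Rights that allow renaming, overwriting or re-permissioning a file.
    $named = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
    # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000) appear on inherit-only ACEs.
    $mask = [int]$named -bor 0x40000000 -bor 0x10000000
    $sidType = [System.Security.Principal.SecurityIdentifier]

    # Audit the directory itself and everything beneath it.
    $items = @(Get-Item -LiteralPath $Path -Force)
    if ($items[0].PSIsContainer) {
        $items += @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    }
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Ask for SIDs so the check does not depend on localized account names.
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            if ($TrustedSid -contains $ace.IdentityReference.Value) { continue }
            if (([int]$ace.FileSystemRights -band $mask) -eq 0) { continue }
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Directory named in the post; assumes SMS_LOCAL_DIR is set on the client.
if ($env:SMS_LOCAL_DIR) {
    $dir = Join-Path $env:SMS_LOCAL_DIR 'MS\SMS\CLICOMP\REMCTRL'
    Get-WritableAce -Path $dir | Format-Table -AutoSize
}
```

An empty result means no principal outside the baseline can replace the service executable; any row returned is an ACE to tighten on the directory or its contents.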