> -----Original Message----- > From: Frank Monroe [SMTP:[EMAIL PROTECTED]] > Sent: Saturday, January 15, 2000 1:01 PM > To: [EMAIL PROTECTED] > Subject: Security Vulnerability with SMS 2.0 Remote Control > > I noticed the problem that I explain below when SMS 2.0 was released. I > didn't see this in the archives so if it has already been reported, I > apologize. > > One of the features of SMS 2.0, Remote Control, introduces a security risk > that will allow the attacker to run programs in system context. In system > context, the program can do pretty much whatever it wants to. The risk is > due to the fact that the executable used for the remote control service is > copied to the workstation without any special permission settings to > prevent > a user from replacing the executable. This only matters on NTFS > permissions, of course. > > Here is an easy way to see the problem: > > * Rename %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE to *.OLD > * Copy %SystemRoot%\System32\musrmgr.exe to > %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE > * Reboot PC > > After you reboot the PC, user manager will run. At this point, the non > admin user can grant administrator privileges to whoever he wants. > > To get around the issue, create the \ms\sms\clicomp\remctrl directory and > set appropriate permissions on the directory before SMS is installed. If > SMS is already installed, you can simply change the permissions on the > directory and contents. > > Frank
