Bugtraq Archives: FW: Security Vulnerability with SMS 2.0 Remot

FW: Security Vulnerability with SMS 2.0 Remote Control


Subject: FW: Security Vulnerability with SMS 2.0 Remote Control
From: Brandon Eisenmann (BeisenmannSCIENT.COM)
Date: Thu Jan 20 2000 - 15:53:23 CST


> -----Original Message-----
> From: Frank Monroe [SMTP:Frank.MonroeAMMOBILE.COM]
> Sent: Saturday, January 15, 2000 1:01 PM
> To: NTBUGTRAQLISTSERV.NTBUGTRAQ.COM
> Subject: Security Vulnerability with SMS 2.0 Remote Control
>
> I noticed the problem that I explain below when SMS 2.0 was released. I
> didn't see this in the archives so if it has already been reported, I
> apologize.
>
> One of the features of SMS 2.0, Remote Control, introduces a security risk
> that will allow the attacker to run programs in system context. In system
> context, the program can do pretty much whatever it wants to. The risk is
> due to the fact that the executable used for the remote control service is
> copied to the workstation without any special permission settings to prevent
> a user from replacing the executable. This only matters on NTFS
> permissions, of course.
>
> Here is an easy way to see the problem:
>
> * Rename %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE to *.OLD
> * Copy %SystemRoot%\System32\musrmgr.exe to %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE
> * Reboot PC
>
> After you reboot the PC, user manager will run. At this point, the non-admin
> user can grant administrator privileges to whoever he wants.
>
> To get around the issue, create the \ms\sms\clicomp\remctrl directory and
> set appropriate permissions on the directory before SMS is installed. If
> SMS is already installed, you can simply change the permissions on the
> directory and contents.
>
> Frank
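
One way to check a client for the weak permissions the message describes, as an added example that is not part of the original post: a PowerShell audit that lists every allow ACE in the Remote Control directory that lets a principal other than SYSTEM or Administrators replace files. It assumes PowerShell is available on the client and that `SMS_LOCAL_DIR` is set as in the post; the `-Root` parameter and the choice of trusted principals are assumptions of this example.

```powershell
# Added example (not from the original post): audit the SMS Remote Control
# directory for ACEs that would let a non-admin user replace WUSER32.EXE.
param([string]$Root)   # hypothetical parameter: overrides the default path

if (-not $Root) {
    if (-not $env:SMS_LOCAL_DIR) { throw 'Set SMS_LOCAL_DIR or pass -Root.' }
    $Root = Join-Path $env:SMS_LOCAL_DIR 'MS\SMS\CLICOMP\REMCTRL'
}

# Rights that allow overwriting, renaming or re-permissioning a file, plus the
# raw GENERIC_ALL (0x10000000) and GENERIC_WRITE (0x40000000) bits, which can
# appear unmapped in stored ACEs.
$riskyMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# Assumption: only these principals should be able to modify the directory.
$trustedSids = @(
    'S-1-5-18',       # LocalSystem
    'S-1-5-32-544'    # BUILTIN\Administrators
)

$sidType = [System.Security.Principal.SecurityIdentifier]
$items = @(Get-Item -LiteralPath $Root -Force) +
         @(Get-ChildItem -LiteralPath $Root -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    # Resolve ACEs to SIDs so the comparison does not depend on the OS locale.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($trustedSids -contains $ace.IdentityReference.Value) { continue }
        $risky = [int]$ace.FileSystemRights -band $riskyMask
        if ($risky -ne 0) {
            [pscustomobject]@{
                Path      = $item.FullName
                Sid       = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning "$(@($findings).Count) ACE(s) let untrusted principals modify $Root"
} else {
    Write-Output "No risky ACEs found under $Root"
}
```

Findings marked `Inherited` come from a parent directory, so the permission change the post recommends has to be made there or inheritance has to be broken on the `REMCTRL` directory itself.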



This archive was generated by hypermail 2b27 : Fri Jan 21 2000 - 13:53:57 CST