SMS 2.0 Remote Control


    Frank Monroe found the following. He noticed the problem explained
    below when SMS 2.0 was released. One of the features of SMS 2.0,
    Remote Control, introduces a security risk that allows an attacker
    to run programs in system context. In system context, a program
    can do pretty much whatever it wants to. The risk is due to the
    fact that the executable used for the remote control service is
    copied to the workstation without any special permission settings
    to prevent a user from replacing the executable. This only matters
    where NTFS permissions are in use, of course.
    Here is an easy way to see the problem:

        * Copy %SystemRoot%\System32\musrmgr.exe to %SMS_LOCAL_DIR%\MS\SMS\CLICOMP\REMCTRL\WUSER32.EXE
        * Reboot PC

    After you reboot the PC, User Manager will run. At this point,
    the non-admin user can grant administrator privileges to whomever
    he wants.


    To get around the issue, create the \ms\sms\clicomp\remctrl
    directory and set appropriate permissions on the directory before
    SMS is installed. If SMS is already installed, you can simply
    change the permissions on the directory and its contents. Hopefully
    MS will decide to fix this in the next SMS 2.0 SP.
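
    One way to check whether the workaround is in place, as an added
    example that is not part of the original advisory: the script lists
    every ACE on the REMCTRL directory and its contents that grants
    write-class access to a principal other than SYSTEM or
    Administrators. It assumes PowerShell 3 or later is available and
    that only those two principals should be able to replace the files;
    the function name Get-WritableAce is hypothetical.

```powershell
# Added example: audit the SMS Remote Control directory for replaceable files.
# Assumption: only SYSTEM (S-1-5-18) and BUILTIN\Administrators (S-1-5-32-544)
# should hold write-class access here.
$TrustedSids = @('S-1-5-18', 'S-1-5-32-544')

# Rights that allow replacing an executable or changing who may replace it.
$WriteMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
# Unmapped generic rights can appear on inherit-only ACEs: GENERIC_ALL, GENERIC_WRITE.
$GenericMask = 0x10000000 -bor 0x40000000

function Get-WritableAce {
    param([Parameter(Mandatory)][string]$Path)
    # Check the directory itself as well as everything below it: write access
    # on the parent is enough to delete and recreate a file inside it.
    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
    foreach ($item in $items) {
        foreach ($ace in (Get-Acl -LiteralPath $item.FullName).Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $rights = [int]$ace.FileSystemRights
            if (($rights -band ($WriteMask -bor $GenericMask)) -eq 0) { continue }
            try {
                $sid = $ace.IdentityReference.Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
            } catch {
                $sid = $ace.IdentityReference.Value   # account could not be resolved
            }
            if ($TrustedSids -notcontains $sid) {
                [pscustomobject]@{
                    Path     = $item.FullName
                    Identity = $ace.IdentityReference.Value
                    Rights   = $ace.FileSystemRights
                }
            }
        }
    }
}

if (-not $env:SMS_LOCAL_DIR) { throw 'SMS_LOCAL_DIR is not set on this machine.' }
$dir = Join-Path $env:SMS_LOCAL_DIR 'MS\SMS\CLICOMP\REMCTRL'
$findings = @(Get-WritableAce -Path $dir)
if ($findings.Count -eq 0) { "No non-admin write access found under $dir" }
else { $findings | Format-Table -AutoSize }
```

    Any row in the output, for example one naming Everyone or Users on
    WUSER32.EXE, means the permissions still need tightening.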