Vulnerabilities / Threats
2/21/2012
11:58 AM
Symantec pcAnywhere Remote Attack Code Surfaces

Researchers warn that even fully patched pcAnywhere is vulnerable to newly revealed exploits.

Code has been published that attackers could use to crash fully patched versions of pcAnywhere on any Windows PC, without first having to authenticate to the PC.

The exploit details arrived Friday in the form of a Pastebin post from Johnathan Norman, director of security research at Alert Logic. Advertised as a "PCAnywhere Nuke," the Python code can be used to create a denial of service (DoS) by crashing "the ashost32 service," he said in the post. "It'll be respawned so if you want to be a real pain you'll need to loop this...my initial impressions are that controlling execution will be a pain." He said the exploit works even against the most recent, fully patched version of pcAnywhere (version 12.5.0 build 463 and earlier).

"Symantec is aware of the posting and is investigating the claims," said Symantec spokeswoman Katherine James via email. "We have no additional information to provide at this time."

Symantec last month recommended that users disable pcAnywhere unless absolutely required, until the company had an opportunity to release a patch (which it did last month) to address a critical vulnerability that would allow attackers to remotely execute arbitrary code on a user's PC. That vulnerability was discovered by Edward Torkington at NGS Secure, who said he was withholding full details of the bug until April 25, 2012, to give people time to patch their pcAnywhere installations.


Torkington's bug, however, apparently isn't the only vulnerability that researchers have recently unearthed. "I've been working on the remote preauth PCAnywhere vulnerability reported a few weeks ago and stumbled on a few other flaws during my research," Norman said on his blog. "Not sure what I'm going to do with all of them."

Concerns have been mounting over the security of the remote-access tool pcAnywhere since Symantec confirmed that the source code for the application had been stolen in 2006. But Symantec realized that the theft had occurred only after the hacking group Lords of Dharmaraja last month released what they said was a snippet of source code from Symantec's Norton Utilities to Pastebin.

Since then, officials at Symantec said the hackers had attempted to extort the company, offering to not release the source code in exchange for $50,000. After Symantec refused to pay, the hackers shared the source code with Anonymous, which promptly released it via BitTorrent.

The worry is that with the source code now widely available, attackers could find previously unknown (zero-day) vulnerabilities that would allow them to take control of pcAnywhere, and through it gain direct access to the PC it runs on.

Notably, Norman's research was conducted without using the leaked source code. "If I had the source code, I could potentially get into legal trouble with Symantec," he said via email. But thanks to the leak, "it is now effectively open source, which will likely result in many other vulnerabilities being released soon...by guys like me."

Those worries intensified Friday, after an anonymous review of the pcAnywhere source code appeared on the Infosec Institute's website, detailing that much of the code base, at least as of version 12.0.2, dated from 2002. In addition, it said, the leaked code includes full source code for Symantec's LiveUpdate on Windows, Macintosh, and Linux.

According to the review, the source code that leaked in 2006 also included source code and documentation for pcAnywhere versions 9.2 through 12.0.2, and the code was "heavily commented with dates for all changes." According to those date stamps, "a surprising amount of the core code originates from what is now 10 years ago with only a few added changes, mainly to accommodate changes in Windows versions."

Still, a largely unchanged code base isn't surprising, according to the review. "This makes sense considering the huge expense and undertaking of periodically re-writing an existing product, especially when Windows strives so hard to keep backwards compatibility and does not warrant big changes to be made of the developer."

But the release of the source code is a cause for concern. "For hackers, the sky is the limit as hackers now have all of the juicy details of the pcAnywhere product as well as accompanying source code for all related components. pcAnywhere is now pcEverywhere," according to the review. "We now know how their LiveUpdate system works thanks to the included architecture plans and full source code, which is also used to update Symantec's current antivirus products.

"The only hope for Symantec and pcAnywhere is that these days users typically do not run their home or office computers with the ports required for this product open to the Internet," according to the review. "So attacks for this particular product across the Internet are minimal. However, hackers always seem to find a way."
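The review's point that exposure hinges on whether pcAnywhere's ports are reachable suggests an inventory check. The following is an added example, not code from the article, the review, or Symantec; it assumes pcAnywhere's documented defaults of TCP 5631 (data channel) and UDP 5632 (status/discovery), parses `netstat -ano` style output, and flags listeners bound to a wildcard address, which is what makes a host a candidate target for unauthenticated attacks like the one described above. The sample netstat output is constructed.

```python
"""Find hosts still exposing pcAnywhere's listening ports.

Added example (not the article's or Symantec's code). Assumes the
well-known pcAnywhere defaults: TCP 5631 (data) and UDP 5632 (status).
"""
import socket
from dataclasses import dataclass
from typing import List

# Assumption: default pcAnywhere host ports (they are configurable).
PCANYWHERE_PORTS = {("TCP", 5631), ("UDP", 5632)}
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}

# Constructed sample of `netstat -ano` output on a Windows host.
NETSTAT_SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       836
  TCP    0.0.0.0:5631           0.0.0.0:0              LISTENING       1532
  TCP    10.0.0.5:5631          10.0.0.9:49210         ESTABLISHED     1532
  UDP    0.0.0.0:5632           *:*                                    1532
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    pid: str

    @property
    def wildcard(self) -> bool:
        # Bound to every interface: reachable from any network the host is on.
        return self.addr in WILDCARD_ADDRS


def parse_netstat(text: str) -> List[Listener]:
    """Return TCP listeners and UDP bindings from `netstat -ano` output.

    TCP lines carry a State column and are kept only when LISTENING;
    UDP lines have no State column, so the PID is the fourth field.
    """
    listeners = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or something we don't parse
        proto, local = parts[0], parts[1]
        if proto == "TCP":
            if len(parts) < 5 or parts[3] != "LISTENING":
                continue  # established/time-wait sockets are not exposure
            pid = parts[4]
        else:
            pid = parts[3]
        # rpartition copes with IPv6 locals such as [::]:5631
        addr, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        listeners.append(Listener(proto, addr, int(port), pid))
    return listeners


def find_pcanywhere(listeners: List[Listener]) -> List[Listener]:
    """Keep only sockets on pcAnywhere's default ports."""
    return [l for l in listeners if (l.proto, l.port) in PCANYWHERE_PORTS]


def report(text: str) -> List[str]:
    """Human-readable findings; wildcard bindings are the urgent ones."""
    lines = []
    for l in find_pcanywhere(parse_netstat(text)):
        scope = "ALL interfaces" if l.wildcard else l.addr
        lines.append(f"{l.proto}/{l.port} bound on {scope} (pid {l.pid})")
    return lines


def probe_tcp(host: str, port: int = 5631, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port succeeds, i.e. the data port
    is reachable from where this runs (no pcAnywhere protocol is spoken)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for finding in report(NETSTAT_SAMPLE):
        print(finding)
```

Run `report()` over real `netstat -ano` output from each host, or `probe_tcp()` from outside the perimeter against your public address space; any hit on TCP 5631 that you cannot justify is a host to which Symantec's earlier advice (disable pcAnywhere unless absolutely required) still applies.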


Comments
YRAV000
User Rank: Apprentice
2/22/2012 | 4:20:17 AM
re: Symantec pcAnywhere Remote Attack Code Surfaces
Considering the high amount of reused code in pcAnywhere, the software is highly vulnerable because attackers can now detect flaws in the code that can be exploited, the researcher wrote.
Bprince
User Rank: Ninja
2/21/2012 | 10:28:57 PM
re: Symantec pcAnywhere Remote Attack Code Surfaces
May be wise to disable pcAnywhere again until this is addressed...
Brian Prince, InformationWeek/Dark Reading Comment Moderator