Symantec pcAnywhere Remote Code Execution

02 May 2012 | Reported by Edward Torkington | Type: packetstorm | Source: packetstormsecurity.com

Symantec pcAnywhere Remote Code Execution, TCP port 5631 vulnerability, Critical, Windows XP and Windows 7, Service restarts indefinitely

Code
`=======  
Summary  
=======  
Name: Symantec pcAnywhere Remote Code Execution (Preauth)   
Release Date: 30 April 2012  
Reference: NGS00118  
Discoverer: Edward Torkington <[email protected]>  
Vendor: Symantec  
Vendor Reference:   
Systems Affected:   
  
Symantec pcAnywhere 12.5.x  
IT Management Suite 7.0 pcAnywhere Solution 12.5.x  
IT Management Suite 7.1 pcAnywhere Solution 12.6.x  
  
Risk: Critical  
Status: Published  
  
========  
TimeLine  
========  
Discovered: 14 September 2011  
Released: 26 September 2011  
Approved: 26 September 2011  
Reported: 26 September 2011  
Fixed: 24 January 2012  
Published: 30 April 2012  
  
===========  
Description  
===========  
Symantec pcAnywhere version 12.5 and below contains a remote code execution vulnerability. A flaw exists in the authentication component listening on TCP port 5631, which does not sufficiently validate user-submitted data.   
  
=================  
Technical Details  
=================  
  
It is possible to supply an invalid login that causes heap corruption and an object pointer overwrite. We end up with a reliable overwrite of EAX, as detailed below:  
  
mov ECX,DWORD PTR DS:[EAX]   
mov EDX,DWORD PTR DS:[ECX+8]  
push EAX  
call EDX  
  
On a fully patched Windows XP SP3, a reliable overwrite in non-rebasing (non-ASLR) DLLs was found, such that remote command execution can be gained.  
  
As the service restarts indefinitely, a reliable exploit in Windows 7 was also developed which effectively brute-forces a valid address to bypass ASLR.   
  
===============  
Fix Information  
===============  
http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00  
  
NGS Secure Research  
http://www.ngssecure.com  
`
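
The advisory notes that the service restarts indefinitely, which is what makes address brute-forcing on Windows 7 practical; the same crash-and-restart loop is a usable detection signal. The following is an added example, not part of the NGS advisory: it flags bursts of unexpected terminations of the host service from Service Control Manager events 7031/7034. The service display name, the export format, the thresholds and the sample lines are assumptions constructed for illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <SCM event id> <service display name>".
# 7031/7034 = service terminated unexpectedly; 7036 = state change (ignored).
SERVICE = "pcAnywhere Host Service"   # assumed display name, adjust per host
SAMPLE_EVENTS = """\
2012-01-10T09:00:00 7036 Print Spooler
2012-01-10T09:14:02 7031 pcAnywhere Host Service
2012-01-11T02:10:05 7034 Print Spooler
2012-01-12T03:00:00 7031 pcAnywhere Host Service
2012-01-12T03:00:40 7031 pcAnywhere Host Service
2012-01-12T03:01:15 7031 pcAnywhere Host Service
2012-01-12T03:01:55 7031 pcAnywhere Host Service
2012-01-12T03:02:30 7031 pcAnywhere Host Service
2012-01-12T03:03:10 7031 pcAnywhere Host Service
2012-01-12T03:03:20 7036 pcAnywhere Host Service
"""
CRASH_IDS = {7031, 7034}

def parse(text):
    """Yield (timestamp, event_id, service) from the export format above."""
    for line in text.splitlines():
        if line.strip():
            ts, eid, svc = line.split(maxsplit=2)
            yield datetime.fromisoformat(ts), int(eid), svc.strip()

def crash_bursts(text, service, threshold=5, window=timedelta(minutes=10)):
    """Return (start, end, crash_count) for every run in which `service`
    crashed at least `threshold` times inside one sliding `window`."""
    crashes = sorted(ts for ts, eid, svc in parse(text)
                     if eid in CRASH_IDS and svc == service)
    recent, bursts = deque(), []
    for ts in crashes:
        recent.append(ts)
        while ts - recent[0] > window:      # drop crashes older than the window
            recent.popleft()
        if len(recent) < threshold:
            continue
        if bursts and bursts[-1][1] >= recent[0]:
            bursts[-1][1] = ts              # overlaps previous burst: extend it
        else:
            bursts.append([recent[0], ts])
    return [(s, e, sum(s <= c <= e for c in crashes)) for s, e in bursts]

if __name__ == "__main__":
    for start, end, n in crash_bursts(SAMPLE_EVENTS, SERVICE):
        print(f"{SERVICE}: {n} crashes between {start} and {end}")
```

An isolated crash such as the one on 10 January in the sample does not trigger; only the repeated terminations inside one window do. Correlating a reported burst with inbound connections to TCP port 5631 in the same interval narrows it to this service's network-facing component.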
