SRT2003-11-13-0218 - PCAnywhere local SYSTEM exploit

Secure Network Operations, Inc. http://www.secnetops.com/research
Strategic Reconnaissance Team [email protected]
Team Lead Contact [email protected]

Our Mission:

Secure Network Operations offers expertise in Networking, Intrusion
Detection Systems (IDS), Software Security Validation, and
Corporate/Private Network Security. Our mission is to facilitate a
secure and reliable Internet and inter-enterprise communications
infrastructure through the products and services we offer.

To learn more about our company, products and services or to request a
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or
call us at: 978-263-3829

Quick Summary:

Advisory Number : SRT2003-11-13-0218
Product : Symantec PCAnywhere
Version : 10.x and 11.x
Vendor : http://www.symantec.com/pcanywhere/
Class : Local
Criticality : High (to PCAnywhere users)
Operating System(s) : Win32

Notice

The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section.

Basic Explanation

High Level Description : PCAnywhere allows local users to become SYSTEM
What to do : run LiveUpdate and apply latest patches.

Basic Technical Details

Proof Of Concept Status : SNO has proof of concept.

Low Level Description : PCAnywhere is an industry-leading remote control
software that features remote management paired with file transfer capabilities.
PCAnywhere has the ability to help quickly resolve helpdesk and server support
issues.

When PCAnywhere is started as a service or set to launch with windows an
attacker may be able to take SYSTEM rights via the help interface. AWHOST32.exe
runs as the user SYSTEM while interacting with the local desktop on the machine
that PCAnywhere is listening. Users have the ability to interact with AWHOST32
via an icon in the Windows systray.

Brett Moore of security-assessment.com pointed out a flaw in the Win32 help
API which can be found at http://www.securityfocus.com/bid/8884 . A variation
of this attack is present in both PCAnywhere 10 and 11. It is unknown how this
issue affects older versions of PCAnywhere since they are no longer supported
products.

full details at http://www.secnetops.biz/research/SRT2003-11-13-0218.txt

Vendor Status : Symantec promptly attended to the issue and
was very responsive during all phases of discovery / research and patching.
Fixes are now available via LiveUpdate.

Bugtraq URL : To be assigned. CVE candidate CAN-2003-0936.
Disclaimer

This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract… Contact our sales
department at [email protected] for further information on how to
obtain proof of concept code.

Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."