High (very dependent on product configuration and operating environment)
December 8, 2003: Added URL to patch downloads for use in lieu of LiveUpdate.
Security analysts from Secure Network Operations notified Symantec of a vulnerability in the Symantec pcAnywhere application. Depending on the configuration, a non-privileged user could access and manipulate Symantec pcAnywhere's help function to gain privileged access on the local system.
Symantec pcAnywhere version 11
Symantec pcAnywhere version 10.x
Secure Network Operations analysts notified Symantec of an issue they discovered in the functionality of the help interface in the Symantec pcAnywhere GUI. By effectively manipulating the help interface, Secure Network Operations analysts were able to demonstrate that a non-privileged user could gain privileged access to files or functionality on the local system with Symantec pcAnywhere running in service-mode.
Symantec pcAnywhere can be run in various configurations. It can run either in "application-mode" or it can be configured in "service-mode" to launch as a service whenever the host boots up. Symantec pcAnywhere is ONLY vulnerable to this issue when running in service-mode. Symantec pcAnywhere is NOT vulnerable in application-mode.
In order for Secure Network Operations analysts to exploit this vulnerability, they configured Symantec pcAnywhere to run as a service so it would launch on system start-up. In this configuration, a non-privileged user, provided they have user access to that specific host, could log onto the system where Symantec pcAnywhere is running.
While the non-privileged user cannot access the remote functionality of Symantec pcAnywhere without additional authorization/authentication, the non-privileged user can still access the help file from the Symantec pcAnywhere GUI.
The Symantec pcAnywhere help functionality is implemented using an interface to the Windows operating system help function. This interface was made to provide the user with a common interface that the user understands, is used to, and is able to implement quickly and easily. However, there was a weakness in the way the interface was made that permits the Windows help functionality to assume permissions from Symantec pcAnywhere. When run in service-mode, Symantec pcAnywhere runs with SYSTEM privileges.
By effectively manipulating the help interface in the Symantec pcAnywhere GUI, the non-privileged user may gain the ability to search all system files, assume full permission for all directories and files on the host system, or even add themselves to the local administrative group.
Symantec verified this vulnerability does exist in the service-mode configuration of currently supported releases of Symantec pcAnywhere. This issue has been rectified and fixes are available via LiveUpdate to Symantec pcAnywhere. Patches for supported versions may also be downloaded from the following location:
Select your supported version of Symantec pcAnywhere and follow the instructions to download the appropriate update.
While this potentially is a high-risk vulnerability, there are various mitigating circumstances that greatly reduce the risk of intentional or inadvertent exploitation of this weakness in Symantec pcAnywhere.
- Symantec pcAnywhere must first be configured as a service by an admin-level user, launched and running on the machine BEFORE a non-privileged user could exploit this vulnerability
- If the host service is not running when the non-privileged user logs on the machine in question, they have NO ABILITY to configure and launch Symantec pcAnywhere in a manner where this exploit will be present
- Setting up the Symantec pcAnywhere Host service (and launching it) requires administrative privileges
- The user must have a user-account on the host system and be logged on interactively to exploit this issue
- This issue cannot be exploited remotely
- System privileges can be gained only on the local system, which normally limits the impact to the user system
- Although Symantec pcAnywhere allows remote control and management of other systems, additional identification and authentication is required by default to gain access to any remotely managed systems
- Just gaining SYSTEM-level access on the local host does not provide additional access to any remote system(s) through Symantec pcAnywhere
- Access to remote administration capability should normally be restricted to trusted Administrators only with additional restricted access to the physical host system(s)
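To check whether a host meets the conditions described above (the pcAnywhere host service installed, running, and logged on as SYSTEM), an administrator can query the local service configuration. The following PowerShell is an added example, not Symantec's code; matching on the string "pcAnywhere" in the display name or binary path is an assumption, because the advisory does not give the service name.

```powershell
# Added example: report services that match the exposure conditions in this advisory.
# Assumption: the host service can be recognised by "pcAnywhere" in its display
# name or binary path. Adjust -NamePattern if the local installation differs.
function Get-PcAnywhereServiceExposure {
    param(
        [string]$NamePattern = '*pcAnywhere*'
    )

    # Account names under which Windows reports a service running as SYSTEM.
    $systemAccounts = @('LocalSystem', 'NT AUTHORITY\SYSTEM')

    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.DisplayName -like $NamePattern -or $_.PathName -like $NamePattern
        } |
        ForEach-Object {
            $runsAsSystem = $systemAccounts -contains $_.StartName
            $isRunning    = $_.State -eq 'Running'

            [pscustomobject]@{
                Name            = $_.Name
                DisplayName     = $_.DisplayName
                State           = $_.State            # Running / Stopped
                StartMode       = $_.StartMode        # Auto / Manual / Disabled
                StartName       = $_.StartName        # logon account of the service
                DesktopInteract = $_.DesktopInteract  # service may show UI on the user desktop
                # Service-mode as the advisory describes it: launched at boot.
                ServiceMode     = $_.StartMode -eq 'Auto'
                # Exposed only while the service is actually running as SYSTEM.
                Exposed         = $runsAsSystem -and $isRunning
            }
        }
}

$findings = @(Get-PcAnywhereServiceExposure)
if ($findings.Count -eq 0) {
    Write-Output 'No matching service installed: application-mode only or product absent.'
} else {
    $findings | Format-Table Name, State, StartMode, StartName, DesktopInteract, Exposed -AutoSize
}
```

A row with Exposed set to True identifies a host that needs the update; a stopped or absent service corresponds to the non-vulnerable cases listed above.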
Symantec strongly recommends all users of Symantec pcAnywhere upgrade to the latest LiveUpdate packages to prevent potential misuse of this local access weakness.
Symantec takes the security and proper functionality of its products very seriously. Symantec appreciates the efforts of KF and the Secure Network Operations security team in identifying the issue and coordinating with Symantec during the fix process.
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2003-0936 to this issue.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
Symantec takes the security and proper functionality of our products very seriously. As founding members of the Organization for Internet Safety (OISafety), Symantec supports and follows the principles of responsible disclosure. Symantec also subscribes to the vulnerability disclosure guidelines outlined by the National Infrastructure Advisory Council (NIAC).
Please contact firstname.lastname@example.org if you feel you have discovered a security issue in a Symantec product. A Symantec Product Security team member will contact you regarding your submission. Symantec strongly recommends using encrypted email for reporting vulnerability information to email@example.com. The Symantec Product Security PGP key can be found at the end of this message.
Symantec has developed a Product Vulnerability Response document outlining the process we follow in addressing suspected vulnerabilities in our products. This document is available below.
Copyright © by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from firstname.lastname@example.org.
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and email@example.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
Last modified on: Monday, 25-Oct-04 15:16:19