<<< Date Index >>>     <<< Thread Index >>>

RE: Secure Network Operations SRT2003-11-13-0218, PCAnywhere allows local users to become SYSTEM



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec Security Response Advisory 

13 November 2003
Symantec pcAnywhere Service-Mode Help File Elevation of Privilege

Risk Impact
High (very dependent on product configuration and operating
environment)

Overview
Security analysts from Secure Network Operations notified Symantec of
a vulnerability in the Symantec pcAnywhere application.  Depending on
the configuration, a non-privileged user could access and manipulate
Symantec pcAnywhere's help function to gain privileged access on the
local system.

Affected Components
Symantec pcAnywhere version 11
Symantec pcAnywhere version 10.x

Details

Secure Network Operations analysts notified Symantec of an issue they
discovered in the functionality of the help interface in the Symantec
pcAnywhere GUI.  By effectively manipulating the help interface,
Secure Network Operations analysts were able to demonstrate that a
non-privileged user could gain privileged access to files or
functionality on the local system with Symantec pcAnywhere running in
service-mode.

Symantec pcAnywhere can be run in various configurations.  It can run
either in "application-mode" or it can be configured in
"service-mode" to launch as a service whenever the host boots up. 
Symantec pcAnywhere is ONLY vulnerable to this issue when running in
service-mode.  Symantec pcAnywhere is NOT vulnerable in
application-mode.

In order for Secure Network Operations analysts to exploit this
vulnerability, they configured Symantec pcAnywhere to run as a
service so it would launch on system start-up.  In this
configuration, a non-privileged user, provided they have user access
to that specific host, could log onto the system where Symantec
pcAnywhere is running. 

While the non-privileged user cannot access the remote functionality
of Symantec pcAnywhere without additional
authorization/authentication, the non-privileged user can still
access the help file from the Symantec pcAnywhere GUI.

The Symantec pcAnywhere help functionality is implemented using an
interface to the Windows operating system help function.  This
interface was made to provide the user with a common interface that
the user understands, is use to, and is able to implement quickly and
easily.  However, there was a weakness in the way the interface was
made that permits the Window help functionality to assume permissions
from Symantec pcAnywhere.  When run in service-mode Symantec
pcAnywhere runs with SYSTEM privileges.

By effectively manipulating the help interface in the Symantec
pcAnywhere GUI, the non-privileged user may gain the ability to
search all system files, assume full permission for all directories
and files on the host system, or even add themselves to the local
administrative group.

Symantec Response

Symantec verified this vulnerability does exist in the service-mode
configuration of currently supported releases of Symantec pcAnywhere.
 This issue has been rectified and fixes are available via LiveUpdate
to Symantec pcAnywhere.

Mitigating Circumstances

While this potentially is a high-risk vulnerability, there are
various mitigating circumstances that greatly reduce the risk of
intentional or inadvertent exploitation of this weakness in Symantec
pcAnywhere. 

* Symantec pcAnywhere must first be configured as a service by an
admin-level user, launched and running on the machine BEFORE a
non-privileged user could exploit this vulnerability 
o If the host service is not running when the non-privileged user
logs on the machine in question, they have NO ABILITY to configure
and launch Symantec pcAnywhere in a manner where this exploit will be
present 
o Setting up the Symantec pcAnywhere Host service (and launching it)
requires administrative privileges 
* The user must have a user-account on the host system and be logged
on interactively to exploit this issue
* This issue cannot be exploited remotely
* System privileges can be gained only on the local system, which
normally limits the impact to the user system
* Although Symantec pcAnywhere allows remote control and management
of other systems, additional identification and authentication is
required by default to gain access to any remotely managed systems
o   Just gaining SYSTEM-level access on the local host does not
provide additional access to any remote system(s) through Symantec
pcAnywhere
* Access to remote administration capability should normally be
restricted to trusted Administrators only with additional restricted
access to the physical host system(s)

Symantec strongly recommends all users of supported versions of
Symantec pcAnywhere update to the latest LiveUpdate packages to
prevent potential misuse of this local access weakness.

Credit
Symantec takes the security and proper functionality of its products
very seriously. Symantec appreciates the efforts of KF and the
Security Network Operations security team in identifying this issue
and coordinating with Symantec during the fix process. 

CVE
The Common Vulnerabilities and Exposure (CVE) initiative has assigned
the name CAN-2003-0936 to this issue.
This is a candidate for inclusion in the CVE list
(http://cve.mitre.org), which standardizes names for security
problems.

Anyone with information on security issues with Symantec products
should contact symsecurity@xxxxxxxxxxxxx

Copyright (c) 2003 by Symantec Corp. 
Permission to redistribute this Advisory electronically is granted as
long as it is not edited in any way unless authorized by Symantec
Security Response. Reprinting the whole or part of this Advisory in a
medium other than electronically requires permission from
symsecurity@xxxxxxxxxxxxx 

Disclaimer: 
The information in the advisory is believed to be accurate at the
time of printing based on currently available information. Use of the
information constitutes acceptance for use in an AS IS condition.
There are no warranties with regard to this information. Neither the
author nor the publisher accepts any liability for any direct,
indirect or consequential loss or damage arising from use of, or
reliance on this information. 

Symantec, Symantec Security Response, Symantec product names and Sym
Security are Registered Trademarks of Symantec Corp. and/or
affiliated companies in the United States and other countries. All
other registered and unregistered trademarks represented in this
document are the sole property of their respective companies/owners.

Symantec Product Security
symsecurity@xxxxxxxxxxxx
http://securityresponse.symantec.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBP7PzoBMwEkwA14VxEQLniQCg0D/vS6OW0RxOxSUrYvITX+2D0WQAnRi6
4PO5WzHNbtOBP4IT/xRHkyst
=q9s2
-----END PGP SIGNATURE-----