Symantec pcAnywhere Remote Attack Code Surfaces

Published : 22/11/2024   Category : security




Researchers warn that even fully patched pcAnywhere is vulnerable to newly revealed exploits.



Code has been published that attackers could use to crash fully patched versions of pcAnywhere on any Windows PC, without first having to authenticate to the PC.
The exploit details arrived Friday in the form of a Pastebin post from Johnathan Norman, director of security research at Alert Logic. Advertised as a "PCAnywhere Nuke," the Python code can be used to create a denial of service (DoS) by crashing the ashost32 service, he said in the post. "It'll be respawned so if you want to be a real pain you'll need to loop this...my initial impressions are that controlling execution will be a pain." He said the exploit works even against the most recent, fully patched version of pcAnywhere (version 12.5.0 build 463 and earlier).
"Symantec is aware of the posting and is investigating the claims," said Symantec spokeswoman Katherine James via email. "We have no additional information to provide at this time."
Symantec last month recommended that users disable pcAnywhere unless absolutely required, until the company had an opportunity to release a patch (which it did last month) to address a critical vulnerability that would allow attackers to remotely execute arbitrary code on a user's PC. That vulnerability was discovered by Edward Torkington at NGS Secure, who said he was withholding full details of the bug until April 25, 2012, to give people time to patch their pcAnywhere installations.
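The crash-and-respawn behaviour described above leaves a recognisable trace on the victim: a burst of "service terminated unexpectedly" events, each followed by a restart, while a looped DoS is running. The following detection script is an added example written for this article; it is not code from the original post, from Alert Logic or from Symantec. It assumes the standard Windows Service Control Manager event IDs 7034 (terminated unexpectedly) and 7036 (state change), assumes the service display name "pcAnywhere Host Service", and runs over constructed sample lines in a simplified "timestamp host event_id message" export format rather than real telemetry.

```python
"""Flag a crash/respawn loop of a Windows service from Service Control Manager events.

Added example, not code from the original article, Alert Logic or Symantec.
Counts "terminated unexpectedly" events per host inside a sliding time window
and raises an alert when they reach a threshold, which is the footprint a
looped crash-style DoS against the pcAnywhere host service would leave.
Assumptions: SCM event ID 7034 = terminated unexpectedly, 7036 = state change
(both standard Windows IDs); the display name "pcAnywhere Host Service" is
assumed; SAMPLE_LOG is constructed data in a simplified export format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SCM_TERMINATED_UNEXPECTEDLY = 7034  # standard Windows SCM event ID

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event_id>\d+) (?P<msg>.*)$")

# Constructed sample log: four crash/restart cycles on ws-17 within two minutes
# (the looped-exploit pattern), one isolated crash on ws-22, and an unrelated
# Print Spooler crash that must not be counted.
SAMPLE_LOG = """\
2012-02-24T10:00:01 ws-17 7034 The pcAnywhere Host Service service terminated unexpectedly. It has done this 1 time(s).
2012-02-24T10:00:02 ws-17 7036 The pcAnywhere Host Service service entered the running state.
2012-02-24T10:00:31 ws-17 7034 The pcAnywhere Host Service service terminated unexpectedly. It has done this 2 time(s).
2012-02-24T10:00:32 ws-17 7036 The pcAnywhere Host Service service entered the running state.
2012-02-24T10:01:05 ws-17 7034 The pcAnywhere Host Service service terminated unexpectedly. It has done this 3 time(s).
2012-02-24T10:01:06 ws-17 7036 The pcAnywhere Host Service service entered the running state.
2012-02-24T10:01:40 ws-17 7034 The pcAnywhere Host Service service terminated unexpectedly. It has done this 4 time(s).
2012-02-24T10:01:41 ws-17 7036 The pcAnywhere Host Service service entered the running state.
2012-02-24T10:03:00 ws-22 7034 The pcAnywhere Host Service service terminated unexpectedly. It has done this 1 time(s).
2012-02-24T10:03:01 ws-22 7036 The pcAnywhere Host Service service entered the running state.
2012-02-24T10:04:10 ws-22 7034 The Print Spooler service terminated unexpectedly. It has done this 1 time(s).
"""


def parse_line(line):
    """Parse one export line into a dict, or return None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
        "host": m.group("host"),
        "event_id": int(m.group("event_id")),
        "msg": m.group("msg"),
    }


def find_crash_loops(log_text, service, threshold=3, window=timedelta(minutes=5)):
    """Return one alert per host on which `service` terminated unexpectedly at
    least `threshold` times within any `window`-long span of the log.

    Each alert records the host, the number of crashes in the final window and
    the timestamps of the first and last crash in that window.
    """
    recent = defaultdict(deque)  # host -> crash timestamps still inside the window
    alerts = {}                  # host -> most recent alert for that host
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None or ev["event_id"] != SCM_TERMINATED_UNEXPECTEDLY:
            continue
        if service not in ev["msg"]:
            continue  # a different service crashed; not our signal
        q = recent[ev["host"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # drop crashes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            alerts[ev["host"]] = {
                "host": ev["host"],
                "crashes": len(q),
                "first": q[0],
                "last": ev["ts"],
            }
    return list(alerts.values())


if __name__ == "__main__":
    for a in find_crash_loops(SAMPLE_LOG, "pcAnywhere Host Service"):
        print(f"{a['host']}: {a['crashes']} crashes of the host service between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; likely looped DoS")
```

The sliding window matters more than the raw count: a single crash is ordinary, but several within a few minutes on a host whose pcAnywhere service keeps coming back is exactly the pattern the post says an attacker would need to produce, and it is a reasonable trigger for isolating the host or disabling the service, which is the mitigation Symantec itself recommended.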
Torkington's bug, however, apparently isn't the only vulnerability that researchers have recently unearthed. "I've been working on the remote preauth PCAnywhere vulnerability reported a few weeks ago and stumbled on a few other flaws during my research," Norman said on his blog. "Not sure what I'm going to do with all of them."
Concerns have been mounting over the security of the remote-access tool pcAnywhere since Symantec confirmed that the source code for the application had been stolen in 2006. But Symantec realized that the theft had occurred only after the hacking group Lords of Dharmaraja last month released what they said was a snippet of source code from Symantec's Norton Utilities to Pastebin.
Since then, officials at Symantec said the hackers had attempted to extort the company, offering to not release the source code in exchange for $50,000. After Symantec refused to pay, the hackers shared the source code with Anonymous, which promptly released it via BitTorrent.
The worry is that with the source code now widely available, attackers could potentially identify zero-day attacks that would allow them to take control of pcAnywhere, thus gaining direct access to a PC.
Notably, Norman's research was conducted without using the leaked source code. "If I had the source code, I could potentially get into legal trouble with Symantec," he said via email. "But thanks to the leak, it is now effectively open source, which will likely result in many other vulnerabilities being released soon...by guys like me."
Those worries intensified Friday, after an anonymous review of the pcAnywhere source code appeared on the Infosec Institute's website, detailing that much of the code base, at least as of version 12.0.2, dated from 2002. In addition, it said, the leaked code includes full source code for Symantec's LiveUpdate on Windows, Macintosh, and Linux.
According to the review, the source code that leaked in 2006 also included source code and documentation for pcAnywhere versions 9.2 through 12.0.2, and the code was heavily commented with dates for all changes. "According to those date stamps, a surprising amount of the core code originates from what is now 10 years ago with only a few added changes, mainly to accommodate changes in Windows versions."
Still, having a largely extant base isn't surprising, according to the review. "This makes sense considering the huge expense and undertaking of periodically re-writing an existing product, especially when Windows strives so hard to keep backwards compatibility and does not warrant big changes to be made of the developer."
But the release of the source code is a cause for concern. "For hackers, the sky is the limit as hackers now have all of the juicy details of the pcAnywhere product as well as accompanying source code for all related components. pcAnywhere is now pcEverywhere," according to the review. "We now know how their LiveUpdate system works thanks to the included architecture plans and full source code, which is also used to update Symantec's current antivirus products."
"The only hope for Symantec and pcAnywhere is that these days users typically do not run their home or office computers with the ports required for this product open to the Internet," according to the review. "So attacks for this particular product across the Internet are minimal. However, hackers always seem to find a way."
