Symantec pcAnywhere Service-Mode Help File Elevation of Privilege
1031
06 March 2020
13 November 2003
CLOSED
HIGH
7.2
SUMMARY
Security analysts from Secure Network Operations notified Symantec of a vulnerability in the Symantec pcAnywhere application. Depending on the configuration, a non-privileged user could access and manipulate Symantec pcAnywhere's help function to gain privileged access on the local system.
Risk
High (very dependent on product configuration and operating environment)
AFFECTED PRODUCTS
Affected Components
Symantec pcAnywhere version 11
Symantec pcAnywhere version 10.x
ISSUES
Details
Secure Network Operations analysts notified Symantec of an issue they discovered in the functionality of the help interface in the Symantec pcAnywhere GUI. By effectively manipulating the help interface, Secure Network Operations analysts were able to demonstrate that a non-privileged user could gain privileged access to files or functionality on the local system with Symantec pcAnywhere running in service-mode.
Symantec pcAnywhere can be run in various configurations. It can run either in "application-mode" or it can be configured in "service-mode" to launch as a service whenever the host boots up. Symantec pcAnywhere is ONLY vulnerable to this issue when running in service-mode. Symantec pcAnywhere is NOT vulnerable in application-mode.
In order for Secure Network Operations analysts to exploit this vulnerability, they configured Symantec pcAnywhere to run as a service so it would launch on system start-up. In this configuration, a non-privileged user, provided they have user access to that specific host, could log onto the system where Symantec pcAnywhere is running.
While the non-privileged user cannot access the remote functionality of Symantec pcAnywhere without additional authorization/authentication, the non-privileged user can still access the help file from the Symantec pcAnywhere GUI.
The Symantec pcAnywhere help functionality is implemented using an interface to the Windows operating system help function. This interface was made to provide the user with a common interface that the user understands, is used to, and is able to use quickly and easily. However, a weakness in the way the interface was made permits the Windows help functionality to assume permissions from Symantec pcAnywhere. When run in service-mode, Symantec pcAnywhere runs with SYSTEM privileges.
By effectively manipulating the help interface in the Symantec pcAnywhere GUI, the non-privileged user may gain the ability to search all system files, assume full permission for all directories and files on the host system, or even add themselves to the local administrative group.
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2003-0936 to this issue.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
MITIGATION
Symantec Response
Symantec verified this vulnerability does exist in the service-mode configuration of currently supported releases of Symantec pcAnywhere. This issue has been rectified and fixes are available via LiveUpdate to Symantec pcAnywhere. Patches for supported versions may also be downloaded from the following location:
http://www.symantec.com/techsupp/files/pca/
Select your supported version of Symantec pcAnywhere and follow the instructions to download the appropriate update.
Mitigating Circumstances
While this potentially is a high-risk vulnerability, there are various mitigating circumstances that greatly reduce the risk of intentional or inadvertent exploitation of this weakness in Symantec pcAnywhere.
- Symantec pcAnywhere must first be configured as a service by an admin-level user, launched and running on the machine BEFORE a non-privileged user could exploit this vulnerability
- If the host service is not running when the non-privileged user logs on the machine in question, they have NO ABILITY to configure and launch Symantec pcAnywhere in a manner where this exploit will be present
- Setting up the Symantec pcAnywhere Host service (and launching it) requires administrative privileges
- The user must have a user-account on the host system and be logged on interactively to exploit this issue
- This issue cannot be exploited remotely
- System privileges can be gained only on the local system, which normally limits the impact to the user system
- Although Symantec pcAnywhere allows remote control and management of other systems, additional identification and authentication is required by default to gain access to any remotely managed systems
- Just gaining SYSTEM-level access on the local host does not provide additional access to any remote system(s) through Symantec pcAnywhere
- Access to remote administration capability should normally be restricted to trusted Administrators only with additional restricted access to the physical host system(s)
Symantec strongly recommends all users of Symantec pcAnywhere upgrade to the latest LiveUpdate packages to prevent potential misuse of this local access weakness.
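To decide which hosts need the update first, an administrator can check whether the precondition described above holds: a pcAnywhere host registered as a Windows service and running as SYSTEM. The following is an added example, not Symantec code; the function name and the 'pcAnywhere' match pattern are assumptions, since the advisory does not name the host service or its binary.

```powershell
# Added example, not part of the Symantec advisory.
# Assumption: the host service can be found by the string 'pcAnywhere' in its
# display name or binary path; adjust -Pattern to match your installation.
function Get-ServiceModeExposure {
    param([string]$Pattern = 'pcAnywhere')

    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DisplayName -match $Pattern -or $_.PathName -match $Pattern } |
        ForEach-Object {
            # Service-mode per the advisory: the host runs as a service with SYSTEM privileges.
            $asSystem = $_.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')
            $running  = $_.State -eq 'Running'
            [pscustomobject]@{
                Name            = $_.Name
                DisplayName     = $_.DisplayName
                Account         = $_.StartName
                StartMode       = $_.StartMode        # 'Auto' means it launches at boot
                State           = $_.State
                DesktopInteract = $_.DesktopInteract  # service may present UI to the logged-on user
                BinaryPath      = $_.PathName
                # True when the advisory's precondition is met right now:
                # the service is running and it runs as SYSTEM.
                PreconditionMet = ($asSystem -and $running)
                # True when the precondition will be met again after a reboot.
                MetAfterReboot  = ($asSystem -and $_.StartMode -eq 'Auto')
            }
        }
}

$findings = @(Get-ServiceModeExposure)
if ($findings.Count -eq 0) {
    "No registered service matches the pattern; no service-mode host found on $env:COMPUTERNAME."
} else {
    $findings | Format-List
}
```

A host that reports `PreconditionMet` or `MetAfterReboot` as true should be confirmed against the fixed builds from LiveUpdate or the patch download location given above.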
ACKNOWLEDGEMENTS
Symantec takes the security and proper functionality of its products very seriously. Symantec appreciates the efforts of KF and the Secure Network Operations security team in identifying the issue and coordinating with Symantec during the fix process.
REVISION
Revisions
December 8, 2003: Added URL to patch downloads for use in lieu of LiveUpdate.