Symantec pcAnywhere (run on connect) privilege escalation
1063
06 March 2020
10 June 2005
CLOSED
MEDIUM
SUMMARY
Symantec pcAnywhere provides the option to run user-defined commands when the remote host is connected. Enabling the “Launch with Windows” option on the Host Properties Settings tab configures the pcAnywhere host to run as a service with Local System privileges.
AFFECTED PRODUCTS
Affected Products (Consumer and Enterprise versions)
Symantec pcAnywhere: all unsupported versions prior to 10.5x
Symantec pcAnywhere version 10.5x
Symantec pcAnywhere version 11x
ADDITIONAL PRODUCT INFORMATION
Products Not Affected
Symantec pcAnywhere 11.5
Note: Only the Symantec products indicated above are potentially vulnerable. All other Symantec products are NOT affected.
ISSUES
A non-privileged user with physical access to the system can potentially manipulate the Caller Properties feature to run arbitrary commands that will be executed with system-level privileges when the system is restarted. This could allow them to gain unauthorized Local System privileges on the targeted system.
MITIGATION
Symantec Response
Symantec has released a patch to address this issue. The patch can be downloaded from the Symantec technical support site. This patch ensures that all commands launched through "Command to execute after connection" run within the scope of the logged-in user’s access rights.
Symantec is not aware of any active attempts against or organizations impacted by this issue.
Recommendations:
Patches for this issue can be downloaded from the following locations:
For consumer versions of Symantec pcAnywhere:
http://www.symantec.com/techsupp/files/pca/index.html
For enterprise versions of Symantec pcAnywhere:
http://www.symantec.com/techsupp/enterprise/products/spca/files.html
Select your supported version of Symantec pcAnywhere and follow the instructions to download the appropriate update.
As a part of normal best practices, users should keep vendor-supplied patches for all application software and operating systems up to date. Symantec strongly recommends that any affected customers update their product immediately to protect against these types of threats.