Symantec pcAnywhere Chat Mode Privilege Elevation

1032

06 March 2020

21 November 2003

CLOSED

LOW

SUMMARY

A recent entry to the SecurityFocus BugTraq Vulnerability Database indicates an elevation of privilege vulnerability in the Symantec pcAnywhere application chat function when Symantec pcAnywhere is running in "service mode".

Risk Impact
Low (potential for local SYSTEM access, but HIGHLY dependent on environment, configuration and usage restrictions)

AFFECTED PRODUCTS

Affected Components
Symantec pcAnywhere version 9.x (no longer supported)
Symantec pcAnywhere version 10.x

ADDITIONAL PRODUCT INFORMATION

Not Affected
Symantec pcAnywhere version 11.x

ISSUES

Details
Symantec pcAnywhere provides a "chat session" capability during a remote control session. The host and remote users can use it to send brief messages or instructions. As reported in the SecurityFocus Vulnerability alert, either user in the session can manipulate the GUI function while in chat mode to gain SYSTEM privileges on the local system. This could give a non-privileged but authorized user elevated access on the local HOST system.

By effectively manipulating the interface in the Symantec pcAnywhere chat session GUI with the underlying operating system, the non-privileged user may gain the ability to search all system files, assume full permission for all directories and files on the HOST system, or even add themselves to the local administrative group.

 

MITIGATION

Symantec Response
Symantec pcAnywhere 9.x is no longer a supported product. However, Symantec verified this vulnerability also exists in the service-mode configuration of the currently supported Symantec pcAnywhere 10.x. Symantec's current release, Symantec pcAnywhere 11.x, is NOT vulnerable to this issue.

The pcAnywhere server (the HOST) is the distant or controlled device and must run in "service mode" to be managed. The pcAnywhere client (the REMOTE) is the local or controlling device and does not run in "service mode". The REMOTE manages properly configured HOSTS.

To access the chat feature, the REMOTE has to be actively interacting with the HOST and there has to be an authorized user logged on interactively at the HOST system.

It is in this configuration and only in this configuration that any potential elevation of privilege actions could be attempted. The chat feature cannot be accessed from the HOST's GUI running in the system tray until interactive communications have been established by the REMOTE.

Fixes for this issue have been made available via LiveUpdate to Symantec pcAnywhere 10.x. If LiveUpdate is not an option, patches for supported versions may also be downloaded from the following locations:

For consumer versions of Symantec pcAnywhere

http://www.symantec.com/techsupp/files/pca/

For enterprise versions of Symantec pcAnywhere

http://www.symantec.com/techsupp/enterprise/select_product_updates.html

Select your supported version of Symantec pcAnywhere and follow the instructions to download the appropriate update.

Mitigating Circumstances
There are numerous mitigating circumstances that greatly reduce the risk of intentional or inadvertent exploitation of this weakness in Symantec pcAnywhere.

  • Symantec pcAnywhere HOST server MUST be configured as a service by an admin-level user and launched and running on the system
    • The HOST system must be in an interactive session initiated by a REMOTE client controller BEFORE any user at the HOST system could exploit this vulnerability
    • If the HOST service is not already configured and running when the non-privileged user logs on, they have NO ABILITY to configure and launch Symantec pcAnywhere
  • The REMOTE administrator, normally a trusted/privileged user, has to initiate a management session with the local HOST system
    • In the majority of instances where Symantec's pcAnywhere remote management functions would be used, the HOST system is a normally unmanned system (web, mail, file server, etc.)
  • Should the REMOTE administrator be initiating a session with a manned HOST system, e.g., remote tech support of a user's desktop system, the HOST user would be a trusted/authorized user of that system, though not necessarily a privileged user
  • Unauthorized system privileges can be gained ONLY on the local system, which normally limits the impact to the HOST system
  • Although Symantec pcAnywhere provides remote control and management of other systems, additional identification and authentication is required by default to gain access to any remotely managed systems
    • Gaining SYSTEM-level access on the local HOST system does NOT provide additional access to any remote system(s) through Symantec pcAnywhere
  • Access to REMOTE management/administration capabilities should normally be restricted to trusted Administrators only with additional restricted access to the physical system(s)

Symantec strongly recommends all users of Symantec pcAnywhere version 10.x apply the latest LiveUpdate packages or upgrade to the latest release of Symantec pcAnywhere to prevent potential misuse of this local access issue.
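To find machines that still meet the conditions above (a pcAnywhere HOST registered as a service, release 9.x or 10.x), the following added example inventories the local service list. It is not Symantec code. It assumes the HOST service can be recognised by the string "pcAnywhere" in its display name or binary path and that the binary's product version tracks the pcAnywhere release number; the function name `Get-PcaExposure` is hypothetical.

```powershell
# Added example (not Symantec code). Assumptions: the HOST service is found by
# the string "pcAnywhere" in its display name or binary path, and the binary's
# product version tracks the pcAnywhere release number.
function Get-PcaExposure {
    [CmdletBinding()]
    param(
        # Injectable so the logic can be exercised with constructed records.
        [object[]]$Services = (Get-CimInstance -ClassName Win32_Service)
    )
    foreach ($svc in $Services) {
        if ("$($svc.DisplayName) $($svc.PathName)" -notmatch 'pcAnywhere') { continue }

        # PathName may be quoted and may carry arguments; keep the executable only.
        $exe = $null
        if ($svc.PathName -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
        elseif ($svc.PathName -match '^\s*(.+?\.exe)') { $exe = $Matches[1] }

        # ProductMajorPart is 0 when the file has no version resource.
        $major = $null
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $major = (Get-Item -LiteralPath $exe).VersionInfo.ProductMajorPart
        }

        if (-not $major)       { $finding = 'Version unknown: inspect manually' }
        elseif ($major -eq 9)  { $finding = 'Affected, unsupported: upgrade to 11.x' }
        elseif ($major -eq 10) { $finding = 'Affected unless patched: apply LiveUpdate fix or upgrade' }
        elseif ($major -eq 11) { $finding = 'Not affected per advisory' }
        else                   { $finding = 'Release not covered by this advisory' }

        [pscustomobject]@{
            Computer  = $env:COMPUTERNAME
            Service   = $svc.Name
            State     = $svc.State       # Running: the HOST service is up
            StartMode = $svc.StartMode   # Auto: starts at boot without a user
            RunsAs    = $svc.StartName   # account the service runs under
            Binary    = $exe
            Major     = $major
            Finding   = $finding
        }
    }
}

Get-PcaExposure | Format-Table -AutoSize
```

A 10.x result cannot be told apart from a patched 10.x install by major version alone, so those hosts still need their LiveUpdate status confirmed.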

REVISION

Revision History
December 16, 2003: Added URL to download patches if Symantec LiveUpdate is not supported.