SRT2003-11-13-0218 - PCAnywhere local SYSTEM exploit

[KF <dotslash () snosoft com>]

Secure Network Operations, Inc.             http://www.secnetops.com/research
Strategic Reconnaissance Team               research () secnetops com
Team Lead Contact                           kf () secnetops com


Our Mission:
************************************************************************
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

To learn more about our company, products and services or to request a 
demo of ANVIL FCS please visit our site at http://www.secnetops.com, or 
call us at: 978-263-3829


Quick Summary:
************************************************************************
Advisory Number         : SRT2003-11-13-0218
Product                 : Symantec PCAnywhere
Version                 : 10.x and 11.x
Vendor                  : http://www.symantec.com/pcanywhere/
Class                   : Local
Criticality             : High (to PCAnywhere users)
Operating System(s)     : Win32


Notice
************************************************************************
The full technical details of this vulnerability can be found at:
http://www.secnetops.com under the research section. 


Basic Explanation
************************************************************************
High Level Description  : PCAnywhere allows local users to become SYSTEM
What to do              : run LiveUpdate and apply latest patches. 


Basic Technical Details
************************************************************************
Proof Of Concept Status : SNO has proof of concept. 

Low Level Description   : PCAnywhere is an industry-leading remote control
software that features remote management paired with file transfer capabilities.
PCAnywhere has the ability to help quickly resolve helpdesk and server support 
issues.

When PCAnywhere is started as a service or set to launch with windows an
attacker may be able to take SYSTEM rights via the help interface. AWHOST32.exe 
runs as the user SYSTEM while interacting with the local desktop on the machine 
that PCAnywhere is listening. Users have the ability to interact with AWHOST32
via an icon in the Windows systray. 

Brett Moore of security-assessment.com pointed out a flaw in the Win32 help 
API which can be found at http://www.securityfocus.com/bid/8884 . A variation 
of this attack is present in both PCAnywhere 10 and 11. It is unknown how this
issue affects older versions of PCAnywhere since they are no longer supported
products.

full details at http://www.secnetops.biz/research/SRT2003-11-13-0218.txt

Vendor Status           : Symantec promptly attended to the issue and 
was very responsive during all phases of discovery / research and patching. 
Fixes are now available via LiveUpdate. 

Bugtraq URL             : To be assigned. CVE candidate CAN-2003-0936.
Disclaimer
----------------------------------------------------------------------
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract.. Contact our sales 
department at sales () secnetops com for further information on how to 
obtain proof of concept code.

----------------------------------------------------------------------
Secure Network Operations, Inc. || http://www.secnetops.com
"Embracing the future of technology, protecting you."