-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Symantec Security Response Advisory

13 November 2003

Symantec pcAnywhere Service-Mode Help File Elevation of Privilege

Risk Impact
High (very dependent on product configuration and operating environment)

Overview
Security analysts from Secure Network Operations notified Symantec of a vulnerability in the Symantec pcAnywhere application. Depending on the configuration, a non-privileged user could access and manipulate Symantec pcAnywhere's help function to gain privileged access on the local system.

Affected Components
Symantec pcAnywhere version 11
Symantec pcAnywhere version 10.x

Details
Secure Network Operations analysts notified Symantec of an issue they discovered in the functionality of the help interface in the Symantec pcAnywhere GUI. By effectively manipulating the help interface, Secure Network Operations analysts were able to demonstrate that a non-privileged user could gain privileged access to files or functionality on the local system with Symantec pcAnywhere running in service-mode.

Symantec pcAnywhere can be run in various configurations. It can run either in "application-mode" or it can be configured in "service-mode" to launch as a service whenever the host boots up. Symantec pcAnywhere is ONLY vulnerable to this issue when running in service-mode. Symantec pcAnywhere is NOT vulnerable in application-mode.

In order for Secure Network Operations analysts to exploit this vulnerability, they configured Symantec pcAnywhere to run as a service so it would launch on system start-up. In this configuration, a non-privileged user, provided they have user access to that specific host, could log onto the system where Symantec pcAnywhere is running. While the non-privileged user cannot access the remote functionality of Symantec pcAnywhere without additional authorization/authentication, the non-privileged user can still access the help file from the Symantec pcAnywhere GUI.

The Symantec pcAnywhere help functionality is implemented using an interface to the Windows operating system help function. This interface was made to provide the user with a common interface that the user understands, is used to, and is able to implement quickly and easily. However, there was a weakness in the way the interface was made that permits the Windows help functionality to assume permissions from Symantec pcAnywhere. When run in service-mode, Symantec pcAnywhere runs with SYSTEM privileges. By effectively manipulating the help interface in the Symantec pcAnywhere GUI, the non-privileged user may gain the ability to search all system files, assume full permission for all directories and files on the host system, or even add themselves to the local administrative group.

Symantec Response
Symantec verified this vulnerability does exist in the service-mode configuration of currently supported releases of Symantec pcAnywhere. This issue has been rectified and fixes are available via LiveUpdate to Symantec pcAnywhere.

Mitigating Circumstances
While this potentially is a high-risk vulnerability, there are various mitigating circumstances that greatly reduce the risk of intentional or inadvertent exploitation of this weakness in Symantec pcAnywhere.

* Symantec pcAnywhere must first be configured as a service by an admin-level user, launched and running on the machine BEFORE a non-privileged user could exploit this vulnerability
    o If the host service is not running when the non-privileged user logs on the machine in question, they have NO ABILITY to configure and launch Symantec pcAnywhere in a manner where this exploit will be present
    o Setting up the Symantec pcAnywhere Host service (and launching it) requires administrative privileges
* The user must have a user-account on the host system and be logged on interactively to exploit this issue
* This issue cannot be exploited remotely
* System privileges can be gained only on the local system, which normally limits the impact to the user system
* Although Symantec pcAnywhere allows remote control and management of other systems, additional identification and authentication is required by default to gain access to any remotely managed systems
    o Just gaining SYSTEM-level access on the local host does not provide additional access to any remote system(s) through Symantec pcAnywhere
* Access to remote administration capability should normally be restricted to trusted Administrators only with additional restricted access to the physical host system(s)

Symantec strongly recommends all users of supported versions of Symantec pcAnywhere update to the latest LiveUpdate packages to prevent potential misuse of this local access weakness.

Credit
Symantec takes the security and proper functionality of its products very seriously. Symantec appreciates the efforts of KF and the Security Network Operations security team in identifying this issue and coordinating with Symantec during the fix process.

CVE
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2003-0936 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.

Anyone with information on security issues with Symantec products should contact symsecurity@symantec.com.

Copyright (c) 2003 by Symantec Corp.
Permission to redistribute this Advisory electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this Advisory in a medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer:
The information in the advisory is believed to be accurate at the time of printing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect or consequential loss or damage arising from use of, or reliance on this information.

Symantec, Symantec Security Response, Symantec product names and Sym Security are Registered Trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Symantec Product Security
symsecurity@symantec.com
http://securityresponse.symantec.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.1

iQA/AwUBP7PzoBMwEkwA14VxEQLniQCg0D/vS6OW0RxOxSUrYvITX+2D0WQAnRi6
4PO5WzHNbtOBP4IT/xRHkyst
=q9s2
-----END PGP SIGNATURE-----
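
The exposure condition the advisory describes (the host configured in service-mode and running with SYSTEM privileges) can be checked on a Windows host with the PowerShell below. This is an added example, not part of Symantec's advisory; the '*pcAnywhere*' match pattern and the function name Get-ServiceModeExposure are assumptions, since the advisory does not give the host service's name.

```powershell
# Added example, not from the advisory. The '*pcAnywhere*' pattern is an
# assumption: the advisory does not name the host service.
function Get-ServiceModeExposure {
    [CmdletBinding()]
    param(
        [string]$NamePattern = '*pcAnywhere*'
    )

    # Match on service name, display name, or binary path.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.Name -like $NamePattern -or
            $_.DisplayName -like $NamePattern -or
            $_.PathName -like $NamePattern
        } |
        ForEach-Object {
            $asSystem  = $_.StartName -in @('LocalSystem', 'NT AUTHORITY\SYSTEM')
            $autoStart = $_.StartMode -eq 'Auto'
            $running   = $_.State -eq 'Running'

            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                StartMode   = $_.StartMode
                State       = $_.State
                Account     = $_.StartName
                # Advisory condition: installed as a service (starts at boot
                # or is currently running) under the SYSTEM account.
                ServiceMode = $asSystem -and ($autoStart -or $running)
            }
        }
}

$findings = @(Get-ServiceModeExposure)
if ($findings.Count -eq 0) {
    'No service matched the pattern.'
} else {
    $findings | Format-Table -AutoSize
}
```

Hosts reported with ServiceMode = True and interactive logons by non-privileged users are the ones to prioritise for the LiveUpdate fix.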