(click image for larger view and for slideshow)
Code has been published that attackers could use to crash fully patched versions of pcAnywhere on any Windows PC, without first having to authenticate to the PC.
The exploit details arrived Friday in the form of a Pastebin post from Johnathan Norman, director of security research at Alert Logic. Advertised as a “PCAnywhere Nuke,” the Python code can be used to create a denial of service (DoS) by crashing “the ashost32 service,” he said in the post. “It’ll be respawned so if you want to be a real pain you’ll need to loop this…my initial impressions are that controlling execution will be a pain.” He said the exploit works even against the most recent, fully patched version of pcAnywhere (version 12.5.0 build 463 and earlier).
“Symantec is aware of the posting and is investigating the claims,” said Symantec spokeswoman Katherine James via email. “We have no additional information to provide at this time.”
Symantec last month recommended that users disable pcAnywhere unless absolutely required, until the company had an opportunity to release a patch (which it did last month) to address a critical vulnerability that would allow attackers to remotely execute arbitrary code on a user’s PC. That vulnerability was discovered by Edward Torkington at NGS Secure, who said he was withholding full details of the bug until April 25, 2012, to give people time to patch their pcAnywhere installations.
Torkington’s bug, however, apparently isn’t the only vulnerability that researchers have recently unearthed. “I’ve been working on the remote preauth PCAnywhere vulnerability reported a few weeks ago and stumbled on a few other flaws during my research,” Norman said on his blog. “Not sure what I’m going to do with all of them.”
Concerns have been mounting over the security of the remote-access tool pcAnywhere since Symantec confirmed that the source code for the application had been stolen in 2006. But Symantec realized that the theft had occurred only after the hacking group Lords of Dharmaraja last month released what they said was a snippet of source code from Symantec’s Norton Utilities to Pastebin.
Since then, officials at Symantec said the hackers had attempted to extort the company, offering to not release the source code in exchange for $50,000. After Symantec refused to pay, the hackers shared the source code with Anonymous, which promptly released it via BitTorrent.
The worry is that with the source code now widely available, attackers could potentially identify zero-day attacks that would allow them to take control of pcAnywhere, thus gaining direct access to a PC.
Notably, Norman’s research was conducted without using the leaked source code. “If I had the source code, I could potentially get into legal trouble with Symantec,” he said via email. But thanks to the leak, “it is now effectively open source, which will likely result in many other vulnerabilities being released soon…by guys like me.”
Those worries intensified Friday, after an anonymous review of the pcAnywhere source code appeared on the Infosec Institute’s website, detailing that much of code base, at least as of version 12.0.2, dated from 2002. In addition, it said, the leaked code includes full source code for Symantec’s LiveUpdate on Windows, Macintosh, and Linux.
According to the review, the source code that leaked in 2006 also included source code and documentation for pcAnywhere versions 9.2 through 12.0.2, and the code was “heavily commented with dates for all changes.” According to those date stamps, “a surprising amount of the core code originates from what is now 10 years ago with only a few added changes, mainly to accommodate changes in Windows versions.”
Still, having a largely extant base isn’t surprising, according to the review. “This makes sense considering the huge expense and undertaking of periodically re-writing an existing product, especially when Windows strives so hard to keep backwards compatibility and does not warrant big changes to be made of the developer.”
But the release of the source code is a cause for concern. “For hackers, the sky is the limit as hackers now have all of the juicy details of the pcAnywhere product as well as accompanying source code for all related components. pcAnywhere is now pcEverywhere,” according to the review. “We now know how their LiveUpdate system works thanks to the included architecture plans and full source code, which is also used to update Symantec’s current antivirus products.
“The only hope for Symantec and pcAnywhere is that these days users typically do not run their home or office computers with the ports required for this product open to the Internet,” according to the review. “So attacks for this particular product across the Internet are minimal. However, hackers always seem to find a way.”
To protect company and customer data, we need to determine what makes it so vulnerable and appealing. We also need to understand how hackers operate, and what tools and processes they rely on. In our How (And Why) Attackers Choose Their Targets report, we explain how to ensure the best defense by thinking like an attacker and identifying the weakest link in your own corporate data chain. (Free registration required.)