Code Release: pcAnywhere Woes Continue

Thursday, February 23, 2012 @ 03:02 PM gHale

It was only a matter of time. Code is now out there that attackers could use to crash fully patched versions of pcAnywhere on any Windows PC, without first having to authenticate to the PC.

The exploit details came out late last week in a Pastebin post from Johnathan Norman, director of security research at Alert Logic. Called the “PCAnywhere Nuke,” the Python code can be used to create a denial of service (DoS) by crashing “the ashost32 service,” he said in the post. “It’ll be respawned so if you want to be a real pain you’ll need to loop this … my initial impressions are that controlling execution will be a pain.” He said the exploit works even against the most recent, fully patched version of pcAnywhere (version 12.5.0 build 463 and earlier).

“Symantec is aware of the posting and is investigating the claims,” said Symantec spokeswoman Katherine James. “We have no additional information to provide at this time.”

Symantec last month said users should disable pcAnywhere unless absolutely required, until the company had an opportunity to release a patch (which it did last month) to address a critical vulnerability that would allow attackers to remotely execute arbitrary code on a user’s PC. That vulnerability came from Edward Torkington at NGS Secure, who said he was withholding full details of the bug until April 25, 2012, to give people time to patch their pcAnywhere installations.

Torkington’s bug, however, apparently isn’t the only vulnerability that researchers have recently unearthed. “I’ve been working on the remote preauth PCAnywhere vulnerability reported a few weeks ago and stumbled on a few other flaws during my research,” Norman said on his blog. “Not sure what I’m going to do with all of them.”

Concerns have been mounting over the security of the remote-access tool pcAnywhere since Symantec confirmed the 2006 theft of source code for the application. But Symantec realized the theft had occurred only after the hacking group Lords of Dharmaraja last month released what they said was a snippet of source code from Symantec’s Norton Utilities.

Since then, officials at Symantec said the hackers had attempted to extort the company, offering to not release the source code in exchange for $50,000. After Symantec refused to pay, the hackers shared the source code with Anonymous, which promptly released it via BitTorrent.

The worry is that, with the source code now widely available, attackers could potentially identify zero-day vulnerabilities that would allow them to take control of pcAnywhere, thus gaining direct access to a PC.

Norman’s research did not use the leaked source code. “If I had the source code, I could potentially get into legal trouble with Symantec,” he said. But thanks to the leak, “it is now effectively open source, which will likely result in many other vulnerabilities being released soon … by guys like me.”


