Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!

TUCoPS :: Windows Net Apps :: bt1719.txt

PCAnywhere local SYSTEM exploit

Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit

Big thanks to Symantec for being so responsive.

Content-Type: text/plain;
Content-Transfer-Encoding: 7bit
Content-Disposition: inline;

Secure Network Operations, Inc.   
Strategic Reconnaissance Team     
Team Lead Contact                 

Our Mission:
Secure Network Operations offers expertise in Networking, Intrusion 
Detection Systems (IDS), Software Security Validation, and 
Corporate/Private Network Security. Our mission is to facilitate a 
secure and reliable Internet and inter-enterprise communications 
infrastructure through the products and services we offer. 

To learn more about our company, products and services or to request a 
demo of ANVIL FCS please visit our site at, or 
call us at: 978-263-3829

Quick Summary:
Advisory Number         : SRT2003-11-13-0218
Product                 : Symantec PCAnywhere
Version                 : 10.x and 11.x
Vendor                  :
Class                   : Local
Criticality             : High (to PCAnywhere users)
Operating System(s)     : Win32

The full technical details of this vulnerability can be found at: under the research section. 

Basic Explanation
High Level Description  : PCAnywhere allows local users to become SYSTEM
What to do              : run LiveUpdate and apply latest patches. 

Basic Technical Details
Proof Of Concept Status : SNO has proof of concept. 

Low Level Description   : PCAnywhere is an industry-leading remote control
software that features remote management paired with file transfer capabilities.
PCAnywhere has the ability to help quickly resolve helpdesk and server support 

When PCAnywhere is started as a service or set to launch with windows an
attacker may be able to take SYSTEM rights via the help interface. AWHOST32.exe 
runs as the user SYSTEM while interacting with the local desktop on the machine 
that PCAnywhere is listening. Users have the ability to interact with AWHOST32
via an icon in the Windows systray. 

Brett Moore of pointed out a flaw in the Win32 help 
API which can be found at . A variation 
of this attack is present in both PCAnywhere 10 and 11. It is unknown how this
issue affects older versions of PCAnywhere since they are no longer supported

full details at

Vendor Status           : Symantec promptly attended to the issue and 
was very responsive during all phases of discovery / research and patching. 
Fixes are now available via LiveUpdate. 

Bugtraq URL             : To be assigned. CVE candidate CAN-2003-0936.
This advisory was released by Secure Network Operations,Inc. as a matter
of notification to help administrators protect their networks against
the described vulnerability. Exploit source code is no longer released
in our advisories but can be obtained under contract.. Contact our sales 
department at for further information on how to 
obtain proof of concept code.

Secure Network Operations, Inc. ||
"Embracing the future of technology, protecting you."



TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2015 AOH