Vulnerability

    pcAnywhere

Affected

    pcAnywhere

Description

    Vacuum found following.  While performing a routine network audit,
    a TCP SYN scan caused every pcAnywhere Host service on the network
    to stop  responding.   The following  versions were  tested, other
    versions may be vulnerable as well:

        - 9.0.0 Build 133
        - 9.0.1 Build 143
        - 9.2.0 Build 239
        - 8.0.2 Build 220

    Target Operating systems tested:

        - Windows NT Server Service Pack 6a -- Running 9.0.0 and 9.2.0 Versions
        - Windows NT Worksation Service Pack 5 Running 9.2.0 Version
        - Windows NT Server Service Pack 4  -- Running 8.0.2 Version

    by using  nmap version  2.30BETA21.   Information gathering  (does
    not cause the crash):

        nmap -sT -sU <target>

    Servers running pcAnywhere version 8.x show ports

        - TCP 5631 and TCP 65301 open
        - UDP 5632 and UDP 22    open

    Servers running pcAnywhere version 9.x show ports

        TCP 5631 and UDP 5632  open

    nmap -sS <target> will cause  the pcAnywhere Host Service to  stop
    responding until the service is stopped and restarted.

    Patrick  Turcotte  did  some  testing.   nmap  v2.51  installed on
    Solaris 7  host, on  the same  LAN as  the host,  as the  scanning
    platform (network environment: switched 100 Mbps LAN).

    - NT 4.0 Workstation SP1  host, pcAnywhere 9.0.0 build 133,  Win98
      SE client, pcAnywhere  9.0.0 build 133:  nmap -sT -sU,  nmap -sS
      and nmap -sT all cause pcAnywhere host app to stop answering  to
      connection requests

    - NT 4.0 Workstation SP5  host, pcAnywhere 9.0.0 build 133,  Win98
      SE  client,  pcAnywhere  9.0.0   build  133:  nmap  -sT   causes
      pcAnywhere host app to stop answering to connection requests

    - NT 4.0 Workstation SP5  host, pcAnywhere 9.2.0 build 239,  Win98
      SE  client,  pcAnywhere  9.2.0   build  239:  nmap  -sT   causes
      pcAnywhere host app to stop answering to connection requests

    All tests were done both  in unencrypted mode and with  pcAnywhere
    encryption,  with  no  difference   in  the  results.   A   simple
    cancelling and  restarting of  the pcAnywhere  host service  fixed
    the  crash,  but  this  kind  of  defeats  the  purpose  of remote
    administration, doesn't it?   And yes, where  vacuum needed a  SYN
    scan, a simple TCP scan  was necessary here, for obscure  reasons.
    Some  tests  were  also  done  with other portscanners, but didn't
    produce the same effect.

Solution

    Nothing yet.