Details
Secure Network Operations analysts notified Symantec of an issue they discovered in the functionality of the help interface in the Symantec pcAnywhere GUI. By effectively manipulating the help interface, Secure Network Operations analysts were able to demonstrate that a non-privileged user could gain privileged access to files or functionality on the local system with Symantec pcAnywhere running in service-mode.
Symantec pcAnywhere can be run in various configurations. It can run either in "application-mode" or it can be configured in "service-mode" to launch as a service whenever the host boots up. Symantec pcAnywhere is ONLY vulnerable to this issue when running in service-mode. Symantec pcAnywhere is NOT vulnerable in application-mode.
To exploit this vulnerability, Secure Network Operations analysts configured Symantec pcAnywhere to run as a service so that it would launch at system start-up. In this configuration, a non-privileged user who has user-level access to that specific host can log onto the system where Symantec pcAnywhere is running.
While the non-privileged user cannot access the remote functionality of Symantec pcAnywhere without additional authorization/authentication, the non-privileged user can still access the help file from the Symantec pcAnywhere GUI.
The Symantec pcAnywhere help functionality is implemented using an interface to the Windows operating system help function. This interface was chosen to provide the user with a common interface that the user understands, is used to, and can work with quickly and easily. However, there was a weakness in the way the interface was implemented that permits the Windows help functionality to assume the permissions of Symantec pcAnywhere. When run in service-mode, Symantec pcAnywhere runs with SYSTEM privileges.
By effectively manipulating the help interface in the Symantec pcAnywhere GUI, the non-privileged user may gain the ability to search all system files, assume full permission for all directories and files on the host system, or even add themselves to the local administrative group.
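The observable side effect of the weakness described above is a Windows help viewer process running under the SYSTEM account instead of the interactive user's account. The following detection rule is an added example, not code from the advisory or from Symantec; it assumes winhlp32.exe and hh.exe as the help viewer binaries (the advisory names neither), a constructed "Key=Value;" process-creation log format, and a placeholder service.exe for the service-mode host.

```python
from dataclasses import dataclass
from typing import List

# Assumption: the classic Windows help viewer binaries; the advisory names neither.
HELP_VIEWERS = {"winhlp32.exe", "hh.exe"}
SYSTEM_ACCOUNT = "NT AUTHORITY\\SYSTEM"

@dataclass
class ProcEvent:
    image: str         # executable name of the new process
    user: str          # account whose token the process runs under
    parent_image: str  # executable that spawned it

def parse_event(line: str) -> ProcEvent:
    """Parse one 'Key=Value;Key=Value' record (a constructed log format)."""
    fields = {}
    for kv in line.strip().split(";"):
        if kv:
            key, _, value = kv.partition("=")
            fields[key.strip()] = value.strip()
    return ProcEvent(fields["Image"], fields["User"], fields["ParentImage"])

def is_privileged_help_viewer(ev: ProcEvent) -> bool:
    """A help viewer opened from a GUI should carry the interactive user's
    token; one running as SYSTEM has inherited a service's privileges."""
    return ev.image.lower() in HELP_VIEWERS and ev.user.upper() == SYSTEM_ACCOUNT

def find_alerts(lines: List[str]) -> List[str]:
    """Return 'viewer <- parent' for every record that matches the rule."""
    return [f"{ev.image} <- {ev.parent_image}"
            for ev in map(parse_event, lines) if is_privileged_help_viewer(ev)]

# Constructed sample records; service.exe is a placeholder for any service-mode host.
SAMPLE_LOG = [
    "Image=winhlp32.exe;User=HOST\\alice;ParentImage=notepad.exe",
    "Image=winhlp32.exe;User=NT AUTHORITY\\SYSTEM;ParentImage=service.exe",
    "Image=cmd.exe;User=NT AUTHORITY\\SYSTEM;ParentImage=services.exe",
    "Image=hh.exe;User=nt authority\\system;ParentImage=service.exe",
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT: help viewer running as SYSTEM:", alert)
```

The parent image is reported with each alert so that a triage step can tell which service-mode application handed its token to the help viewer.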
The Common Vulnerabilities and Exposures (CVE) initiative has assigned the name CAN-2003-0936 to this issue.
This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.