December 6, 2016

Symantec Working with Unnamed Law Enforcement Agency

(LiveHacking.Com) – Following my blog post about Anonymous releasing the source code for pcAnywhere, Symantec has contacted us here at LiveHacking.com with further details of the events leading up to the uploading of the source code. Symantec are underlining the following things:

  1. Symantec did NOT offer a bribe to Anonymous. Anonymous tried to extort Symantec for money to withhold posting of additional source code. (As a point of clarification – I didn’t say that Symantec offered a bribe and have never implied it, the original blog post said that the hacker YamaTough asked for $50,000 not to release the source code).
  2. The e-mail string posted on Pastebin by Anonymous was actually between them and a fake e-mail address set up by law enforcement.
  3. Once Symantec saw that it was a clear cut case of extortion, they contacted law enforcement and turned the investigation over to them. All subsequent communications were actually between Anonymous and law enforcement agents – not Symantec.

“The communications with the person(s) attempting to extort the payment from Symantec were part of the law enforcement investigation.  Given that the investigation is still ongoing, we are not going to disclose the law enforcement agencies involved,” said Cris Paden of Symantec in his email to us.

Anonymous Releases Source Code for pcAnywhere [Updated]

Update: Symantec has contacted us here at LiveHacking.com with the following correction: The e-mail string posted on Pastebin by Anonymous was actually between them and a fake e-mail address set up by law enforcement. For more details see Symantec Working with Unnamed Law Enforcement Agency

(LiveHacking.Com) – The hacking group Anonymous has tweeted that it has released the source code of Symantec’s pcAnywhere on The Pirate Bay. The release of the software seems to have come after a set of emails between a law enforcement agency (masquerading as Symantec) and the hacker YamaTough. The hacker tried to extort money from Symantec when he asked for $50,000 not to release the source code. According to the email exchange the negotiations ended when the hacker gave the law enforcement agency (masquerading as Symantec) a 10 minute ultimatum: “we give you 10 minutes to decide which way you go after that two of your codes fly to the moon PCAnywhere and Norton Antivirus.” To which the law enforcement agency (masquerading as Symantec) replied “We can’t make a decision in ten minutes. We need more time.”

It seems that this then prompted the release of the source code. We spoke with a security expert who has downloaded the archive of the source code and his initial impression is that the release is genuine. According to our expert (who wishes to remain unnamed due to fears of possible reprisals by Symantec) the archive contains the following directories:


AccessServer
CE_Remote
CM
Development
InfoDev
Java_Remote
LU_Patches
Mac_ThinHost
RAPS
SCA
Shared
Tivoli
Unix_Host
pcA-NG
pcAnywhereExpress
pca32
pca_LiveState_2.0
pca_ONiCommand_3.0
r12.0-M1

The Development directory contains documentation including a document called “Programming Style Guide” which is marked as “Symantec Confidential” and pertains to “pcAnywhere / Decomposer / Packager”. The “pca32” project seems to contain source code with valid Microsoft Visual Studio project files.

According to ComputerWorld there is no official word yet from Symantec as “it happened so recently that we’re still in the process of analyzing and won’t be able to confirm until the morning.”

Symantec Releases pcAnywhere Patch and Declares it Safe to Use

(LiveHacking.Com) – Symantec has released a patch that, according to them, eliminates all known vulnerabilities affecting customers using pcAnywhere 12.0 and pcAnywhere 12.1. This is the latest step (but not the last) in an ongoing saga about source code stolen from Symantec in 2006. Only last week Symantec updated its “Claims by Anonymous about Symantec Source Code” page to notify its customers that “all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk” and to “recommends that customers only use pcAnywhere for business critical purposes.” Now with the release of the latest patch it has dropped this warning and advises customers to upgrade to pcAnywhere 12.5 and apply all relevant patches.

Hotfixes are now available for the following Symantec products:

  • Symantec pcAnywhere 12.5.x
  • Symantec pcAnywhere 12.0.x, 12.1.x
  • Symantec pcAnywhere Solution (shipped with Altiris IT Management Suite 7.x) 12.5.x, 12.6.x
  • Symantec pcAnywhere Solution (shipped with Altiris Client Management Suite 7.x) 12.5.x, 12.6.x
  • Remote pcAnywhere Solution (shipped with Altiris Deployment Solution 7.1) 12.5.x, 12.6.x

According to the security advisory these hotfixes address the local file tampering elevation of privilege vulnerability and the remote code execution vulnerability previously fixed only in pcAnywhere 12.5. However, since pcAnywhere allows for direct PC to PC communication, the theft of the source code has made the encoding and encryption elements within pcAnywhere vulnerable. There is no word yet from Symantec about any changes they have made to these encodings to protect users. This is most likely why Symantec keep repeating the mantra of “follow general security best practices”, which in short means blocking the pcAnywhere assigned ports (5631, 5632) on Internet facing network connections, disabling or removing Access Server and using remote sessions via secure VPN tunnels.


Symantec Says Only Use pcAnywhere for Business Critical Purposes

(LiveHacking.Com) – In the ongoing saga about source code stolen from Symantec in 2006, the company has now updated its “Claims by Anonymous about Symantec Source Code” page to notify its customers that “all pcAnywhere 12.0, 12.1 and 12.5 customers are at increased risk” and to “recommends that customers only use pcAnywhere for business critical purposes.”

It has also published a White Paper discussing the security implications where it says “Malicious users with access to the source code have an increased ability to identify vulnerabilities and build new exploits.” Since pcAnywhere allows for direct PC to PC communication, the theft of the source code has made the encoding and encryption elements within pcAnywhere vulnerable. This makes it possible for a hacker to launch a successful man-in-the-middle attack (depending on configuration and use). If a man-in-the-middle attack should occur, the malicious user could steal session data or credentials.

The white paper also outlines some pcAnywhere Security Best Practices including blocking the pcAnywhere assigned ports (5631, 5632) on Internet facing network connections, disabling or removing Access Server and using remote sessions via secure VPN tunnels.
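One way to verify the first of those best practices from the defender's side, as an added example that is not from the article, Symantec or the white paper: it scans firewall log lines for allowed connections to ports 5631/5632 that originate outside the internal address ranges. The log line format, the sample lines (RFC 5737 documentation addresses) and the list of internal ranges are assumptions made for this example.

```python
import ipaddress
import re

# Ports named in Symantec's pcAnywhere best practices.
PCANYWHERE_PORTS = {5631, 5632}
# Ranges treated as internal: RFC 1918, loopback, link-local (assumption).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample firewall log (documentation addresses, not real traffic);
# the line format is an assumption made for this example.
SAMPLE_LOG = """\
2012-02-07T10:01:02Z ALLOW proto=tcp src=203.0.113.7:51234 dst=192.168.1.20:5631
2012-02-07T10:01:05Z ALLOW proto=udp src=203.0.113.7:51235 dst=192.168.1.20:5632
2012-02-07T10:02:10Z ALLOW proto=tcp src=10.0.0.5:40001 dst=192.168.1.20:5631
2012-02-07T10:03:00Z DENY proto=tcp src=198.51.100.9:6000 dst=192.168.1.20:5631
2012-02-07T10:04:44Z ALLOW proto=tcp src=203.0.113.8:443 dst=192.168.1.30:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) proto=(?P<proto>\w+) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) dst=(?P<dst>[\d.]+):(?P<dport>\d+)$")

def parse_line(line):
    """Return one log record as a dict, or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)

def is_exposed_pcanywhere(rec):
    """True for an allowed connection to a pcAnywhere port from outside."""
    return (rec["action"] == "ALLOW" and rec["dport"] in PCANYWHERE_PORTS
            and not is_internal(rec["src"]))

def find_exposures(log_text):
    """Return (src, dst, dport, proto) for every Internet-facing session."""
    return [(r["src"], r["dst"], r["dport"], r["proto"])
            for r in map(parse_line, log_text.splitlines())
            if r and is_exposed_pcanywhere(r)]

if __name__ == "__main__":
    for hit in find_exposures(SAMPLE_LOG):
        print("pcAnywhere reachable from the Internet:", hit)
```

Any hit means the port-blocking recommendation is not in effect for that host; denied attempts and internal-only sessions are left out on purpose.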

Symantec Releases Hotfix for pcAnywhere

(LiveHacking.Com) – Symantec has released a hotfix for its pcAnywhere product to address multiple vulnerabilities. According to Symantec, pcAnywhere is susceptible to local file tampering elevation of privilege exploits and remote code execution exploits and as a result it is possible to execute arbitrary code on a targeted system as “System”.

Affected Products:

  • Symantec pcAnywhere 12.5.x
  • IT Management Suite 7.0 pcAnywhere Solution 12.5.x
  • IT Management Suite 7.1 pcAnywhere Solution 12.6.x

The remote code execution is the result of pcAnywhere not properly validating/filtering external data input during login and authentication via port 5631/TCP. Successful exploitation would require either gaining unauthorized network access or enticing an authorized network user to run malicious code against a targeted system. Results could be a crash of the application or possibly successful arbitrary code execution in the context of the application on the targeted system.

The local file tampering vulnerability exists because some of the pcAnywhere files are installed as writable by everyone and so are open to tampering. A local user can potentially overwrite these files with code of their choice in an attempt to leverage elevated privileges.

Symantec is not aware of any customers impacted by this issue, or of any attempts to exploit it.