CVE-2011-3478
published 2012-01-25

Priority: P275, critical
CVSS 2.0: 10 (AV:N/AC:L/Au:N/C:C/I:C/A:C)
EXPLOIT
EPSS: 39.31% (98.4th percentile)

The host-services component in Symantec pcAnywhere 12.5.x through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), does not properly filter login and authentication data, which allows remote attackers to execute arbitrary code via a crafted session on TCP port 5631.

Affected (4 ranges)

Vendor    Product     Version range  Fixed in
symantec  pcanywhere
symantec  pcanywhere
symantec  pcanywhere
symantec  pcanywhere

Detection & IOCs (extracted from sources)

  • Monitor for unauthenticated TCP connections to port 5631 (pcAnywhere) followed by the 4-byte init sequence \x00\x00\x00\x00 and handshake \x0d\x06\xfe, which is the exploit's session setup pattern.
  • Alert on oversized login/password fields sent to TCP port 5631; the exploit sends a username of 100–175 bytes followed by a password buffer of ~3500 bytes, far exceeding normal authentication data sizes.
  • The exploit targets awhost32.exe modules with no ASLR, SafeSEH, or NXCompat protections; detection of shellcode execution in this process context (NT AUTHORITY\SYSTEM) should be prioritised.
  • The only bad character for this exploit is \x00; any large binary payload on TCP 5631 lacking null bytes in the password field should be treated as suspicious.
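
The network indicators above combined into one session-level check, as an added example (not taken from this page's sources or from any vendor tooling). It assumes the sensor hands over the reassembled client-to-server payloads of a session; the thresholds, the inspection window and the sample sessions are constructed here and need tuning against baseline traffic.

```python
import re

PCANYWHERE_PORT = 5631
INIT = b"\x00\x00\x00\x00"      # 4-byte init sequence named on the page
HANDSHAKE = b"\x0d\x06\xfe"     # handshake bytes named on the page
FIELD_LIMIT = 100               # assumption: page cites usernames of 100-175 bytes as abnormal
BULK_LIMIT = 1024               # assumption: well below the ~3500-byte password buffer
WINDOW = 8192                   # assumption: inspect only the start of the client stream


def longest_null_free_run(data: bytes) -> int:
    """Length of the longest stretch of bytes that contains no \\x00."""
    return max((len(run) for run in re.findall(rb"[^\x00]+", data)), default=0)


def inspect_session(dst_port: int, client_payloads: list) -> dict:
    """Score one session from its client-to-server payloads (in arrival order)."""
    if dst_port != PCANYWHERE_PORT:
        return {"verdict": "ignore", "reasons": []}
    stream = b"".join(client_payloads)[:WINDOW]
    reasons = []
    # Setup pattern: init sequence first, handshake somewhere after it.
    pos = stream.find(HANDSHAKE, len(INIT)) if stream.startswith(INIT) else -1
    if pos != -1:
        reasons.append("setup-pattern")
    # Field framing is not known here, so measure null-free runs in what follows.
    body = stream[pos + len(HANDSHAKE):] if pos != -1 else stream
    run = longest_null_free_run(body)
    if run >= BULK_LIMIT:
        reasons.append("bulk-null-free-payload")
    elif run >= FIELD_LIMIT:
        reasons.append("oversized-login-field")
    if "bulk-null-free-payload" in reasons:
        verdict = "alert"
    elif "oversized-login-field" in reasons:
        verdict = "review"
    else:
        verdict = "ok"
    return {"verdict": verdict, "reasons": reasons, "longest_run": run}


# Constructed sample sessions (filler bytes only, no real traffic).
BENIGN = [INIT, HANDSHAKE, b"operator\x00", b"pw-1234\x00"]
LONG_USER = [INIT, HANDSHAKE, b"u" * 120 + b"\x00pw\x00"]
OVERSIZED = [INIT, HANDSHAKE, b"A" * 150 + b"\x00", b"B" * 3500]

if __name__ == "__main__":
    for name, s in (("benign", BENIGN), ("long_user", LONG_USER), ("oversized", OVERSIZED)):
        print(name, inspect_session(5631, s))
```
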