pcAnywhere Leaked Source Code - An Anonymous Review
[highlight color=yellow]DISCLAIMER: InfoSec Institute received an anonymous submission concerning the leaked pcAnywhere source code. The article is published here, we have redacted any code snippets or other pieces of source code that were included in the original article. Otherwise it has been left unedited/unaltered. [/highlight]
The pcAnywhere source code leaked out onto the internet late January 2012 includes 47,021 files weighing in at 1.3GB. The October 2006 snapshot provides an insight into Symantec development practices, polices, and of course the code itself. Below is a brief assessment of the source code and what it all means for computer users, hackers, and Symantec.
What should you learn next?
What should you learn next?
The leaked files are a single snapshot backup of Symantec's working developer directory named depot. In this directory we have not only identified version releases of code but also working trunks for various Symantec software components. The actual pcAnywhere 12.0.2 source for PC weighs in at 171MB in size and is written in C++ with Visual C++ .vcproj files alongside. Also included is the full source to LiveUpdate and all LiveUpdate related Windows services as well as the source for pcAnywhere for Mac OS X and Linux. Various bits of source code and documentation are included for pcAnywhere versions 9.2 up through 12.0.2.
.vcproj file - Visual C++ 7.0 was used to build pcAnywhere 12.0.2
[highlight color=yellow][REDACTED][/highlight]
Symantec's code is heavily commented with dates for all changes. Readme files are present for each and every software component, many readme files acting as a change log complete with versions and dates. A surprising amount of the core code originates from what is now 10 years ago with only a few added changes, mainly to accommodate changes in Windows versions. Many individual .exe or other files include an accompanying Word document with a detailed developer description of how it functions.
Example of commented change log from bottom of a C++ source file
[highlight color=yellow][REDACTED][/highlight]
The oldest files are source files that go back to 2000, with a bulk of files originating in 2002, commented with changes to the present release (12.0.2). This if anything shows that Symantec uses the same older code base for many years for a product. This makes sense considering the huge expense and undertaking of periodically re-writing an existing product, especially when Windows strives so hard to keep backwards compatibility and does not warrant big changes to be made of the developer.
A sample of some of the oldest C++ files with time stamps of file creation
-r--r--r-- 1 user user 1983 May 4 2003 ./pcanywhere/depot/pcAnywhere/pca_LiveState_2.0/Source/pcaUtilities/BHFReader/MainFrm.cpp
-r--r--r-- 1 user user 1983 May 4 2003 ./pcanywhere/depot/pcAnywhere/r12.0-M1/pca32/Source/pcaUtilities/BHFReader/MainFrm.cpp
-r--r--r-- 1 user user 7666 Dec 13 2002 ./pcanywhere/depot/pcAnywhere/r12.0-M1/pca32/Source/Install/iscustom/StatusMsg.cpp
[highlight color=yellow][REDACTED][/highlight]
Also to note, source code for various installers are present, including a 'silent' installer that is completely undetectable by the end user. This could easily be further modified as desired to silently install your own fork of pcAnywhere.
Brief look at an example files
awrem32.exe - This file is a stand-alone executable that is used to start a pcAnywhere remote client. It can be called from the command line or the user interface. The complete source for this (in C++) reflects a 'Copyright 1992 Symantec Corporation' at the top, with dated comments from programmers from 1995 through 2001. It is unchanged from 2001 to the 2006 release (12.0.2) like much of the source code.
[highlight color=yellow][REDACTED][/highlight]
Source files are very elaborately commented, which illustrates the very good developer policy in use by Symantec. Almost every line is commented with descriptions of what is occurring.
[highlight color=yellow][REDACTED][/highlight]
Design plans
Another great find in this leak are detailed documents regarding software design plans for pcAnywhere. These are fascinating as they relay the development and design process that occurs at Symantec. Version 12.0.2 involved 32 detailed documents outlining every aspect of Symantec's policies and processes.
pcAnywhere version 12.5 is code named 'Tonga' according to these included documents. (Note: current offered version of pcAnywhere from Symantec is 12.5) For Version 12.5 the documents outlined the problems of writing administrator-access level software to work with the new Windows UAC.
12.5 Tonga staffing schedules including estimated number of working hours are included in a development plan, estimating 4448 work hours and eight developers including four outsourced from MindTree Consulting to complete the job. This is noted as the same estimate as the previous release (12.0.2). No code is present for 12.5, only design and development plans.
Other documents of interest include a 19 page Symantec Programming Style Guide for C++, instructions for posting a LiveUpdate patch, documents explaining the LiveUpdate architecture, a 37 page document listing 'Partial' Registry Items for pcAnywhere, and a 12-sheet Excel document listing all pcAnywhere installed file locations for versions 9.2 through 12.0.2. Version 12.0.2 includes 250 rows of installed file locations.
Risks
The first apparent risk is that one can now detect flaws in the code itself for exploit. Symantec has presumably fixed any pending security flaws they were aware of by releasing a quick patch after the source code leaked out. The other risk is that one could potentially (though a monumental task) use the source to make a silently installed remote desktop app to gain control over a PC. This may be more tricky to do with modern day NAT routers in that UPnP was not part of pcAnywhere until 12.5.
Conclusions
What is the future of pcAnywhere? If anything this code release is embarrasing for a security company, even if it was a third party from which this was stolen. Symantec attempted to downplay the leak of the code advising it was old code and not in use. However clearly core functionality in the product has and continues to exist today from the same code used for years. From the included design plans for 12.5 (current shipping version) there were no plans for an entire code base rewrite, and developer resources were kept to the same budgeted man hours for the previous release. 12.5 is simply a continuation of this same code base.
For hackers, the sky is the limit as hackers now have all of the juicy details of the pcAnywhere product as well as accompanying source code for all related components. pcAnywhere is now pcEverywhere. We now know how their LiveUpdate system works thanks to the included architecture plans and full source code, which is also used to update Symantec's current anti-virus products. Any exploits in the code are now visible by all. The only hope for Symantec and pcAnywhere is that these days users typically do not run their home or office computers with the ports required for this product open to the internet. So attacks for this particular product across the internet are minimal. However, hackers always seem to find a way.
What should you learn next?
What should you learn next?
pcAnywhere was originally a product for the dial-up internet days which has become obsolete by other products that provide more secure ways of remote connections. If you are a company or user with pcAnywhere, uninstalling it is the only way to be safe that your computer is not under potential threat of undetected remote control and compromise. If you need help uninstalling, the leak includes a document for that. :)
Enroll in an Ethical Hacking Boot Camp and earn two of the industry’s most respected certifications — guaranteed.
- CEH exam voucher
- PenTest+ exam voucher
- Exam Pass Guarantee
- Live online hacking training
In this Series
- pcAnywhere Leaked Source Code - An Anonymous Review
- The rise of ethical hacking: Protecting businesses in 2024
- How to crack a password: Demo and video walkthrough
- Inside Equifax's massive breach: Demo of the exploit
- Wi-Fi password hack: WPA and WPA2 examples and video walkthrough
- How to hack mobile communications via Unisoc baseband vulnerability
- How to build a hook syscall detector
- Top tools for password-spraying attacks in active directory networks
- NPK: Free tool to crack password hashes with AWS
- Tutorial: How to exfiltrate or execute files in compromised machines with DNS
- Top 19 tools for hardware hacking with Kali Linux
- 20 popular wireless hacking tools [updated 2021]
- 13 popular wireless hacking tools [updated 2021]
- Man-in-the-middle attack: Real-life example and video walkthrough [Updated 2021]
- Decrypting SSL/TLS traffic with Wireshark [updated 2021]
- Dumping a complete database using SQL injection [updated 2021]
- Hacking clients with WPAD (web proxy auto-discovery) protocol [updated 2021]
- Hacking communities in the deep web [updated 2021]
- How to hack Android devices using the StageFright vulnerability [updated 2021]
- Hashcat tutorial for beginners [updated 2021]
- How to hack a phone charger
- What is a side-channel attack?
- Copy-paste compromises
- Hacking Microsoft teams vulnerabilities: A step-by-step guide
- PDF file format: Basic structure [updated 2020]
- 10 most popular password cracking tools [updated 2020]
- Popular tools for brute-force attacks [updated for 2020]
- Top 7 cybersecurity books for ethical hackers in 2020
- How quickly can hackers find exposed data online? Faster than you think …
- Hacking the Tor network: Follow up [updated 2020]
- Podcast/webinar recap: What's new in ethical hacking?
- Ethical hacking: TCP/IP for hackers
- Ethical hacking: SNMP recon
- How hackers check to see if your website is hackable
- Ethical hacking: Stealthy network recon techniques
- Getting started in Red Teaming
- Ethical hacking: IoT hacking tools
- Ethical hacking: BYOD vulnerabilities
- Ethical hacking: Wireless hacking with Kismet
- Ethical hacking: How to hack a web server
- Ethical hacking: Top 6 techniques for attacking two-factor authentication
- Ethical hacking: Port interrogation tools and techniques
- Ethical hacking: Top 10 browser extensions for hacking
- Ethical hacking: Social engineering basics
- Ethical hacking: Breaking windows passwords
- Ethical hacking: Basic malware analysis tools
- Ethical hacking: How to crack long passwords
- Ethical hacking: Passive information gathering with Maltego
- Ethical hacking: Log tampering 101
- Ethical hacking: What is vulnerability identification?
- Ethical hacking: Breaking cryptography (for hackers)
Get certified and advance your career
- Exam Pass Guarantee
- Live instruction
- CompTIA, ISACA, (ISC)², Cisco, Microsoft and more!
