pcAnywhere Leaked Source Code – An Anonymous Review
[highlight color=yellow]DISCLAIMER: InfoSec Institute received an anonymous submission concerning the leaked pcAnywhere source code. The article is published here, we have redacted any code snippets or other pieces of source code that were included in the original article. Otherwise it has been left unedited/unaltered. [/highlight]
The pcAnywhere source code leaked out onto the internet late January 2012 includes 47,021 files weighing in at 1.3GB. The October 2006 snapshot provides an insight into Symantec development practices, polices, and of course the code itself. Below is a brief assessment of the source code and what it all means for computer users, hackers, and Symantec.
The leaked files are a single snapshot backup of Symantec’s working developer directory named depot. In this directory we have not only identified version releases of code but also working trunks for various Symantec software components. The actual pcAnywhere 12.0.2 source for PC weighs in at 171MB in size and is written in C++ with Visual C++ .vcproj files alongside. Also included is the full source to LiveUpdate and all LiveUpdate related Windows services as well as the source for pcAnywhere for Mac OS X and Linux. Various bits of source code and documentation are included for pcAnywhere versions 9.2 up through 12.0.2.
.vcproj file – Visual C++ 7.0 was used to build pcAnywhere 12.0.2
Symantec’s code is heavily commented with dates for all changes. Readme files are present for each and every software component, many readme files acting as a change log complete with versions and dates. A surprising amount of the core code originates from what is now 10 years ago with only a few added changes, mainly to accommodate changes in Windows versions. Many individual .exe or other files include an accompanying Word document with a detailed developer description of how it functions.
Example of commented change log from bottom of a C++ source file
The oldest files are source files that go back to 2000, with a bulk of files originating in 2002, commented with changes to the present release (12.0.2). This if anything shows that Symantec uses the same older code base for many years for a product. This makes sense considering the huge expense and undertaking of periodically re-writing an existing product, especially when Windows strives so hard to keep backwards compatibility and does not warrant big changes to be made of the developer.
A sample of some of the oldest C++ files with time stamps of file creation
-r–r–r– 1 user user 1983 May 4 2003 ./pcanywhere/depot/pcAnywhere/pca_LiveState_2.0/Source/pcaUtilities/BHFReader/MainFrm.cpp
-r–r–r– 1 user user 1983 May 4 2003 ./pcanywhere/depot/pcAnywhere/r12.0-M1/pca32/Source/pcaUtilities/BHFReader/MainFrm.cpp
-r–r–r– 1 user user 7666 Dec 13 2002 ./pcanywhere/depot/pcAnywhere/r12.0-M1/pca32/Source/Install/iscustom/StatusMsg.cpp
Also to note, source code for various installers are present, including a ‘silent’ installer that is completely undetectable by the end user. This could easily be further modified as desired to silently install your own fork of pcAnywhere.
Brief look at an example files
awrem32.exe – This file is a stand-alone executable that is used to start a pcAnywhere remote client. It can be called from the command line or the user interface. The complete source for this (in C++) reflects a ‘Copyright 1992 Symantec Corporation’ at the top, with dated comments from programmers from 1995 through 2001. It is unchanged from 2001 to the 2006 release (12.0.2) like much of the source code.
Source files are very elaborately commented, which illustrates the very good developer policy in use by Symantec. Almost every line is commented with descriptions of what is occurring.
Another great find in this leak are detailed documents regarding software design plans for pcAnywhere. These are fascinating as they relay the development and design process that occurs at Symantec. Version 12.0.2 involved 32 detailed documents outlining every aspect of Symantec’s policies and processes.
pcAnywhere version 12.5 is code named ‘Tonga’ according to these included documents. (Note: current offered version of pcAnywhere from Symantec is 12.5) For Version 12.5 the documents outlined the problems of writing administrator-access level software to work with the new Windows UAC.
12.5 Tonga staffing schedules including estimated number of working hours are included in a development plan, estimating 4448 work hours and eight developers including four outsourced from MindTree Consulting to complete the job. This is noted as the same estimate as the previous release (12.0.2). No code is present for 12.5, only design and development plans.
Other documents of interest include a 19 page Symantec Programming Style Guide for C++, instructions for posting a LiveUpdate patch, documents explaining the LiveUpdate architecture, a 37 page document listing ‘Partial’ Registry Items for pcAnywhere, and a 12-sheet Excel document listing all pcAnywhere installed file locations for versions 9.2 through 12.0.2. Version 12.0.2 includes 250 rows of installed file locations.
The first apparent risk is that one can now detect flaws in the code itself for exploit. Symantec has presumably fixed any pending security flaws they were aware of by releasing a quick patch after the source code leaked out. The other risk is that one could potentially (though a monumental task) use the source to make a silently installed remote desktop app to gain control over a PC. This may be more tricky to do with modern day NAT routers in that UPnP was not part of pcAnywhere until 12.5.
What is the future of pcAnywhere? If anything this code release is embarrasing for a security company, even if it was a third party from which this was stolen. Symantec attempted to downplay the leak of the code advising it was old code and not in use. However clearly core functionality in the product has and continues to exist today from the same code used for years. From the included design plans for 12.5 (current shipping version) there were no plans for an entire code base rewrite, and developer resources were kept to the same budgeted man hours for the previous release. 12.5 is simply a continuation of this same code base.
For hackers, the sky is the limit as hackers now have all of the juicy details of the pcAnywhere product as well as accompanying source code for all related components. pcAnywhere is now pcEverywhere. We now know how their LiveUpdate system works thanks to the included architecture plans and full source code, which is also used to update Symantec’s current anti-virus products. Any exploits in the code are now visible by all. The only hope for Symantec and pcAnywhere is that these days users typically do not run their home or office computers with the ports required for this product open to the internet. So attacks for this particular product across the internet are minimal. However, hackers always seem to find a way.
pcAnywhere was originally a product for the dial-up internet days which has become obsolete by other products that provide more secure ways of remote connections. If you are a company or user with pcAnywhere, uninstalling it is the only way to be safe that your computer is not under potential threat of undetected remote control and compromise. If you need help uninstalling, the leak includes a document for that. 🙂