COMMAND

    PC Anywhere

SYSTEMS AFFECTED

    Win NT with PC Anywhere 8.0 (others)

PROBLEM

    Cain  Tasam  reported  following.   If  you  establish  a   telnet
    connection with  port 5631,  then the  pcanywhere server  crashes.
    This was tested on a fully patched NT 4.0 server.  Numerous people
    have confirmed that repeated  attempts to telnet cause  the crash.
    They have  all said  that nothing  happened after  a single telnet
    session, it  only crashes  after 2nd  or sometimes  the 3rd telnet
    session.

    Another person noted that a  Unix Strobe followed by a  connect on
    port 5631 caused it to crash.   When attempting to telnet to  5631
    the PCA host service would respond with:

        {
        Press enter{

    or something along those  lines.  So it  seems that if you  do not
    allow telnet sessions from outside  at the firewall you may  still
    have a problem.   The client (remote  control) end could  not find
    the  effected  machine  by  means  of  "scanning  the  network for
    PCAnywhere Hosts" or when attempting to connect to the machine  by
    IP address.   The host machine  gave no indication  it had failed.
    It appeared the service was still "waiting for a connection."   To
    re-establish service, the PCA host service had to be restarted.

    Mr. Jay come up with some interesting notes on the German  Version
    of  PC  Anywhere  (others?).   To  make  it short, a permanent DoS
    failed with  a Win98  attacker's machine  though generating  quite
    some  load  to  the  host's  486  CPU.   Further difference: After
    pressing  'Enter'  (unlike  in  the  NT4.0 attack, where you loose
    connection) you are prompted for a Username and password.... Could
    this be  due to  different possible  Host Type  options in  Telnet
    (VT 52 on the Win98 vs. VT 100 on NT 4 .0)?

SOLUTION

    Ralph Davis did confirm that  they too were experiencing the  same
    problem and said that  Symantec claimed it was  an incompatibility
    with RAS. According  to him, Symantec  said to remove  RAS.  Ralph
    did, and the problem seemed to be solved, although not  ideally!!!
    After some time, ideally solution was  found.  They do have a  fix
    for this problem, it's a patched aw32tcp.dll, it just hasn't  made
    it to their website yet.