Warning: VCasel security hole.

[xdeath911 () YAHOO COM (bob mare)]

Blue Collar Hackers Union
http://bcu.n3.net

-Security Bulletin-
1/17/00
From: xDeath
To: ALL
In Reference to: VCasel 3.0
Platform: Win95

-----B A C K G R O U N D  I N F O-----

   Vcasel (Visual Casel) is a program released by
Computer Power Solutions of Illinois which is
apparently intended as some sort of addon to Novell
Netware
3.X and above.  What VCasel is supposed to do, or is
advertised to do is provide a nice GUI for network
admins to secure and maintain a LAN with ease and
provide each user with a customized(unalterable)
desktop. The program boasts that with VCasel there is
no longer a need for "access control, policy files or
profiles." This program also says that it can prevent
users from executing files not specified by the Admin.
 It also does more, but I am entirely to lazy to
list the rest of its features.

-----P R O B L E M-----

   Vcasel uses fails to successfully limit or prevent
the execution of "un-approved files."

-----E X P L A I N A T I O N-----

   The program does succeed in limiting the names of
the files executed, but there is no path verification.
 For example, if an admin said user JohnDoe
could execute write.exe, the admin isn't specifying
c:\windows\write.exe, just the binary write.exe.  Now
JohnDoe decides that he is getting bored on the
network so he goes off and finds his favorite game
online(pong.exe and downloads it to his home directory
on H: (total different drive and path then write.exe).
He firsts tries to execute pong.exe from his available
drives folder and sees an "Unauthorized Executable"
message window pop up on his screen.  Next John
decides to re-download the game, but this time name it
something different, he chooses to name it(when
prompted by client) write.exe, but he saves it to his
home directory.  He once again tried to run it from
his available drives folder and w00p! it started up.
Now sure, one person running a game of some sort isn't
that
big of a deal, but think of the possibilities.  What
if he renamed another, far more malicious file
write.exe?  I have tested several executables with
this hole
and was able to load a login/password logger from a
normal user account that would start on boot-up.
Also, from a normal user I was able to view and change
files/directories/drives that were specified as hidden
and "unaccessible" thru VCasel by simply copying and
renaming File Manager.  The ramifications are
practically endless.

-----F I X-----

No fix/patch is presently available from what I know.

--------------------------------------------------------------------------------------------------------------

xDeath () thehelm com
http://bcu.n3.net

__________________________________________________
Do You Yahoo!?
Talk to your friends online with Yahoo! Messenger.
http://im.yahoo.com