Warning: VCasel security hole.

From: bob mare (xdeath911at_private)
Date: Tue Jan 18 2000 - 06:45:10 PST


    Blue Collar Hackers Union
    http://bcu.n3.net
    
    -Security Bulletin-
    1/17/00
    From: xDeath
    To: ALL
    In Reference to: VCasel 3.0
    Platform: Win95
    
    
    -----B A C K G R O U N D  I N F O-----
    
       VCasel (Visual Casel) is a program released by
    Computer Power Solutions of Illinois which is
    apparently intended as some sort of add-on to Novell
    Netware 3.X and above.  What VCasel is supposed to do,
    or is advertised to do, is provide a nice GUI for
    network admins to secure and maintain a LAN with ease
    and provide each user with a customized (unalterable)
    desktop. The program boasts that with VCasel there is
    no longer a need for "access control, policy files or
    profiles." This program also says that it can prevent
    users from executing files not specified by the Admin.
    It also does more, but I am entirely too lazy to
    list the rest of its features.
    
    -----P R O B L E M-----
    
       VCasel fails to successfully limit or prevent
    the execution of "un-approved files."
    
    -----E X P L A N A T I O N-----
    
       The program does succeed in limiting the names of
    the files executed, but there is no path verification.
    For example, if an admin said user JohnDoe
    could execute write.exe, the admin isn't specifying
    c:\windows\write.exe, just the binary write.exe.  Now
    JohnDoe decides that he is getting bored on the
    network, so he goes off and finds his favorite game
    online (pong.exe) and downloads it to his home directory
    on H: (a totally different drive and path than write.exe).
    He first tries to execute pong.exe from his available
    drives folder and sees an "Unauthorized Executable"
    message window pop up on his screen.  Next John
    decides to re-download the game, but this time name it
    something different; he chooses to name it (when
    prompted by client) write.exe, but he saves it to his
    home directory.  He once again tries to run it from
    his available drives folder and w00p! it started up.
    Now sure, one person running a game of some sort isn't
    that big of a deal, but think of the possibilities.
    What if he renamed another, far more malicious file
    write.exe?  I have tested several executables with
    this hole and was able to load a login/password logger
    from a normal user account that would start on boot-up.
    Also, from a normal user I was able to view and change
    files/directories/drives that were specified as hidden
    and "unaccessible" thru VCasel by simply copying and
    renaming File Manager.  The ramifications are
    practically endless.
    
    -----F I X-----
    
    No fix/patch is presently available from what I know.
    
    
    --------------------------------------------------------------------------------------------------------------
    
    xDeathat_private
    http://bcu.n3.net
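
The name-only check described in the bulletin, next to a check that pins the full path and the file content, as an added example that is not part of the original bulletin and is not VCasel's code. The policy tables, function names and byte strings are constructed for illustration; the hardened design is an assumption about how such a check could be built.

```python
import hashlib
import ntpath  # Windows path rules, so this runs on any OS

# Constructed stand-ins for file contents (not real binaries).
GENUINE_WRITE = b"constructed bytes: the approved write.exe"
RENAMED_GAME = b"constructed bytes: pong.exe saved as write.exe"

# Name-only policy, as the bulletin describes it.
APPROVED_NAMES = {"write.exe"}

# Hypothetical hardened policy: canonical full path -> SHA-256 of the approved file.
APPROVED_BINARIES = {
    r"c:\windows\write.exe": hashlib.sha256(GENUINE_WRITE).hexdigest(),
}

def canonical(path):
    """Collapse '..' segments and fold case and separators."""
    return ntpath.normcase(ntpath.normpath(path))

def name_only_check(path):
    """Weak check: compares the file name and ignores where it lives."""
    return ntpath.basename(canonical(path)) in APPROVED_NAMES

def path_and_hash_check(path, content):
    """Hardened check: the full path must be listed and the content must match."""
    expected = APPROVED_BINARIES.get(canonical(path))
    return expected is not None and hashlib.sha256(content).hexdigest() == expected

# Constructed launch attempts: (path, file content).
ATTEMPTS = [
    (r"C:\WINDOWS\WRITE.EXE", GENUINE_WRITE),   # the approved program
    (r"H:\pong.exe", RENAMED_GAME),             # blocked by both checks
    (r"H:\write.exe", RENAMED_GAME),            # the rename from the bulletin
    (r"C:\Windows\write.exe", RENAMED_GAME),    # right path, replaced content
]

def evaluate(attempts):
    """Return (path, name_only_result, hardened_result) for each attempt."""
    return [(p, name_only_check(p), path_and_hash_check(p, c)) for p, c in attempts]

if __name__ == "__main__":
    for path, weak, strong in evaluate(ATTEMPTS):
        print(f"{path:26} name-only={weak!s:5} path+hash={strong}")
```

The last attempt shows why a path check alone is not sufficient where users can write to the approved location: the content hash is what rejects a replaced file.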
    
    
    


