COMMAND

    TermVision

SYSTEMS AFFECTED

    SCO TermVision Windows 95 client

PROBLEM

    JJ Gray found the following.  He downloaded a trial version of the
    SCO TermVision terminal emulation package for SCO OpenServer 5 and
    Windows 95 from:

        http://www.sco.com/vision/products/termvision/

    This comes in two parts: the server-based binaries and the Windows
    95 client, TermVision 2.1.  In addition to the terminal emulation
    you get 'UNIX Neighborhood' which, once supplied with a hostname,
    username & password, gives an explorer/X-Windows style interface to
    the SCO server.  In the default configuration the hostnames,
    usernames & passwords are saved in a file:

        C:\Windows\Profiles\%username%\ApplicationData\SCO\Vision\Auth\%username%.vca

    (PC is Windows 95, NT4 server, user profiles).  The data is
    encrypted, but even someone who is not a cryptanalyst will need only
    a good 15 minutes to discover that the encryption is nothing more
    than a fixed string XOR.  If that user happens to use root access
    then you have the root password - thus a non-privileged user with
    Windows access can gain root privs on the UNIX box, whether through
    UNIX Neighborhood, terminal emulation, a terminal itself, telnet etc.

    When adding a host, the security options can be set to 'Prompt',
    where the password is not saved.  Yes, this is only a potential
    security hole - another 'Configuration' issue - but it is not
    obvious that this vulnerability exists.  The default is insecure
    and there is no 'obvious' information in the docs.

SOLUTION

    You should change the password mechanism for your host to 'Prompt'.
    In a future release SCO intends to either change the operation of
    the password mechanism or add an appropriate warning.
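
    An added audit example, not part of the original advisory or of
    SCO's software: it walks a copy of the profiles directory and lists
    every .vca file under the Auth path given above, so an administrator
    can see which profiles have saved host entries and switch those
    hosts to 'Prompt'.  The function names and the use of Python against
    a profiles root are assumptions; the script does not parse the file,
    so it cannot tell whether an entry actually holds a password.

```python
import sys
from pathlib import Path

# Directory components below each profile directory, as given in the advisory.
AUTH_SUBDIR = ("ApplicationData", "SCO", "Vision", "Auth")


def child_ci(parent, name):
    """Return the entry of `parent` named `name`, ignoring case, or None."""
    try:
        for entry in parent.iterdir():
            if entry.name.lower() == name.lower():
                return entry
    except OSError:  # unreadable directory, or `parent` is not a directory
        pass
    return None


def find_vca_files(profiles_root):
    """Return sorted (profile, path, size) tuples for every .vca file found."""
    findings = []
    for profile in sorted(p for p in Path(profiles_root).iterdir() if p.is_dir()):
        node = profile
        for part in AUTH_SUBDIR:
            node = child_ci(node, part)
            if node is None:
                break
        if node is None:
            continue
        try:
            entries = sorted(node.iterdir())
        except OSError:  # Auth exists but cannot be listed
            continue
        for f in entries:
            if f.is_file() and f.suffix.lower() == ".vca":
                findings.append((profile.name, str(f), f.stat().st_size))
    return findings


if __name__ == "__main__":
    # Usage: python find_vca.py <profiles root, e.g. a copy of C:\Windows\Profiles>
    for user, path, size in find_vca_files(sys.argv[1]):
        print(f"{user}\t{size} bytes\t{path}")
```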