COMMAND
Vcasel (Visual Casel)
SYSTEMS AFFECTED
VCasel 3.0 (Win95)
PROBLEM
Vcasel (Visual Casel) is a program released by Computer Power
Solutions of Illinois which is apparently intended as some sort
of addon to Novell Netware 3.X and above. What VCasel is supposed
to do, or is advertised to do is provide a nice GUI for network
admins to secure and maintain a LAN with ease and provide each
user with a customized(unalterable) desktop. The program boasts
that with VCasel there is no longer a need for "access control,
policy files or profiles." This program also says that it can
prevent users from executing files not specified by the Admin.
It also does more, but I am entirely to lazy to list the rest of
its features. xDeath found this vulnerability.
Vcasel uses fails to successfully limit or prevent the execution
of "un-approved files." The program does succeed in limiting the
names of the files executed, but there is no path verification.
For example, if an admin said user JohnDoe could execute
write.exe, the admin isn't specifying c:\windows\write.exe, just
the binary write.exe. Now JohnDoe decides that he is getting
bored on the network so he goes off and finds his favorite game
online(pong.exe and downloads it to his home directory on H:
(total different drive and path then write.exe). He firsts tries
to execute pong.exe from his available drives folder and sees an
"Unauthorized Executable" message window pop up on his screen.
Next John decides to re-download the game, but this time name it
something different, he chooses to name it(when prompted by
client) write.exe, but he saves it to his home directory. He
once again tried to run it from his available drives folder and
w00p! it started up. Now sure, one person running a game of
some sort isn't that big of a deal, but think of the
possibilities. What if he renamed another, far more malicious
file write.exe? xDeath tested several executables with this hole
and was able to load a login/password logger from a normal user
account that would start on boot-up. Also, from a normal user he
was able to view and change files/directories/drives that were
specified as hidden and "unaccessible" thru VCasel by simply
copying and renaming File Manager. The ramifications are
practically endless.
SOLUTION
No fix/patch is presently available.