Bugtraq mailing list archives
Warning: VCasel security hole.
From: xdeath911 () YAHOO COM (bob mare)
Date: Tue, 18 Jan 2000 06:45:10 -0800
Blue Collar Hackers Union
http://bcu.n3.net
-Security Bulletin-
1/17/00

From: xDeath
To: ALL
In Reference to: VCasel 3.0
Platform: Win95

-----B A C K G R O U N D I N F O-----

VCasel (Visual Casel) is a program released by Computer Power Solutions of Illinois which is apparently intended as some sort of add-on to Novell Netware 3.X and above. What VCasel is supposed to do, or is advertised to do, is provide a nice GUI for network admins to secure and maintain a LAN with ease and provide each user with a customized (unalterable) desktop. The program boasts that with VCasel there is no longer a need for "access control, policy files or profiles." This program also says that it can prevent users from executing files not specified by the Admin. It also does more, but I am entirely too lazy to list the rest of its features.

-----P R O B L E M-----

VCasel fails to successfully limit or prevent the execution of "un-approved files."

-----E X P L A N A T I O N-----

The program does succeed in limiting the names of the files executed, but there is no path verification. For example, if an admin said user JohnDoe could execute write.exe, the admin isn't specifying c:\windows\write.exe, just the binary write.exe.

Now JohnDoe decides that he is getting bored on the network, so he goes off and finds his favorite game online (pong.exe) and downloads it to his home directory on H: (totally different drive and path than write.exe). He first tries to execute pong.exe from his available drives folder and sees an "Unauthorized Executable" message window pop up on his screen. Next John decides to re-download the game, but this time name it something different. He chooses to name it (when prompted by client) write.exe, but he saves it to his home directory. He once again tries to run it from his available drives folder and w00p! it started up.

Now sure, one person running a game of some sort isn't that big of a deal, but think of the possibilities. What if he renamed another, far more malicious file write.exe? I have tested several executables with this hole and was able to load a login/password logger from a normal user account that would start on boot-up. Also, from a normal user I was able to view and change files/directories/drives that were specified as hidden and "unaccessible" thru VCasel by simply copying and renaming File Manager. The ramifications are practically endless.

-----F I X-----

No fix/patch is presently available from what I know.

--------------------------------------------------------------
xDeath () thehelm com
http://bcu.n3.net
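The name-only check the bulletin describes, next to a check on full path plus content hash, as an added example that is not part of the original post and not VCasel's own code. The file table, policy structures and function names are constructed for illustration; the post does not say how VCasel implements its check internally.

```python
import hashlib
import ntpath  # Windows path rules, usable on any OS

# Constructed sample data: a stand-in file system (path -> file contents).
FILES = {
    r"C:\WINDOWS\WRITE.EXE": b"genuine write.exe bytes",
    r"H:\JOHNDOE\PONG.EXE": b"pong game bytes",
    r"H:\JOHNDOE\WRITE.EXE": b"pong game bytes",  # pong saved under an approved name
}


def sha256(data):
    return hashlib.sha256(data).hexdigest()


# Policy as the bulletin describes it: the admin approves a file name only.
ALLOWED_NAMES = {"write.exe"}

# Hardened policy (assumption): full path pinned to the hash of the approved binary.
ALLOWED_BINARIES = {
    ntpath.normcase(r"C:\WINDOWS\WRITE.EXE"): sha256(FILES[r"C:\WINDOWS\WRITE.EXE"]),
}


def name_only_check(path):
    """Decide on the file name alone, ignoring drive and directory."""
    return ntpath.basename(path).lower() in ALLOWED_NAMES


def path_and_hash_check(path, files=FILES):
    """Allow only a listed full path whose current content matches the pinned hash."""
    normalized = ntpath.normpath(path)  # collapses "..\" segments before comparing
    expected = ALLOWED_BINARIES.get(ntpath.normcase(normalized))
    data = files.get(normalized.upper())
    return expected is not None and data is not None and sha256(data) == expected


def compare(paths):
    """Return (path, name_only_result, path_and_hash_result) for each candidate."""
    return [(p, name_only_check(p), path_and_hash_check(p)) for p in paths]


if __name__ == "__main__":
    for path, by_name, by_path_hash in compare(sorted(FILES)):
        print(f"{path:24} name-only={by_name!s:5} path+hash={by_path_hash}")
```

Pinning the hash as well as the path also covers the case where a user can write to the approved location and replace the binary in place.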