COMMAND

    Vcasel (Visual Casel)

SYSTEMS AFFECTED

    VCasel 3.0 (Win95)

PROBLEM

    Vcasel  (Visual  Casel)  is  a  program released by Computer Power
    Solutions of Illinois  which is apparently  intended as some  sort
    of addon to Novell Netware 3.X and above.  What VCasel is supposed
    to do, or is  advertised to do is  provide a nice GUI  for network
    admins to  secure and  maintain a  LAN with  ease and provide each
    user with a customized(unalterable)  desktop.  The program  boasts
    that with VCasel  there is no  longer a need  for "access control,
    policy files  or profiles."   This program  also says  that it can
    prevent users  from executing  files not  specified by  the Admin.
    It also does more, but I am  entirely to lazy to list the rest  of
    its features.  xDeath found this vulnerability.

    Vcasel uses fails to  successfully limit or prevent  the execution
    of "un-approved files."  The program does succeed in limiting  the
    names of the  files executed, but  there is no  path verification.
    For  example,  if  an  admin  said  user  JohnDoe  could   execute
    write.exe, the admin  isn't specifying c:\windows\write.exe,  just
    the binary  write.exe.   Now JohnDoe  decides that  he is  getting
    bored on the network  so he goes off  and finds his favorite  game
    online(pong.exe  and  downloads  it  to  his  home directory on H:
    (total different drive and path then write.exe).  He firsts  tries
    to execute pong.exe from his  available drives folder and sees  an
    "Unauthorized Executable"  message window  pop up  on his  screen.
    Next John decides to re-download  the game, but this time  name it
    something  different,  he  chooses  to  name  it(when  prompted by
    client) write.exe,  but he  saves it  to his  home directory.   He
    once again tried  to run it  from his available  drives folder and
    w00p!   it started  up.   Now sure,  one person  running a game of
    some  sort  isn't  that   big  of  a  deal,   but  think  of   the
    possibilities.   What if  he renamed  another, far  more malicious
    file write.exe?  xDeath tested several executables with this  hole
    and was able  to load a  login/password logger from  a normal user
    account that would start on boot-up.  Also, from a normal user  he
    was able  to view  and change  files/directories/drives that  were
    specified  as  hidden  and  "unaccessible"  thru  VCasel by simply
    copying  and  renaming  File   Manager.   The  ramifications   are
    practically endless.

SOLUTION

    No fix/patch is presently available.