lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 3 Dec 2013 08:59:18 +0100
From: Fran <jfrancisco.bolivar@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject:  [CVE-2013-6237] ISL Light - Desktop 3.5.4,
 Clipboard security issue

CVE-2013-6237:ISL Light - Desktop 3.5.4, Clipboard security issue


In cases where a person is hosting a sharing session and allows a remote
user to see what is happening on the local PC, it’s been discovered that if
you locally copy something like a hidden password to the local clipboard,
then the remote user will be able to directly paste it in clear text into a
notepad or other form of document, effectively gaining access to the
password. Not possible to lock this functionality.


Example,
1.       You start ISLonline Console session
2.       External consultant joins session using ISLonline Support
3.       You copy a password into your computers copy buffer
      a.       E.g. from KeePass Password Manager
4.       Security issue: External consultants can now paste your password
into e.g. his own Notepad as see it in clear text
      a.      Password is revealed
      b.      The other problem is that password remain in his copy buffer
after session ends
      c.      E.g. KeePass’s auto clean copy buffer feature does not
prevent problem


Vendor: http://www.islonline.com/

Vendor issue code: ISLLIGHT-557,
http://www.islonline.com/help/isl-releases-info/any/manual/?2013-11-29-rel-info-isl-light-desktop-plugin-1-4-7-win.htm

Affected product: ISL light 3.5.4 compiled on Sep 26 2013 revision 30035

Solved: ISL Light Desktop plugin for Windows 1.4.7 (2013-11-29)

Credit: This issue was reported by Juan Francisco Bolivar
es.linkedin.com/in/jfbolivar/
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6237

J. Francisco Bolivar

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ