Message-ID: <4F1EFABB.6020200@bucksch.org>
Date: Tue, 24 Jan 2012 19:38:51 +0100
From: Ben Bucksch <news@...ksch.org>
To: Mario Vilas <mvilas@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: VNC viewers: Clipboard of host automatically sent to remote machine

On 24.01.2012 19:18, Mario Vilas wrote:
> You're reporting that if you copy and paste sensitive information and
> connect to a VNC session your clipboard data gets sent to the remote
> machine. That's pretty obvious

If I have a VNC window somewhere on my desktop (in my case on a virtual 
desktop or minimized) and continue with my work, 3 hours later when I 
work on some document or use some webapp, I don't remember that I have a 
VNC session open, and no, it's not obvious at all that this other host 
can read the communication between my local apps.

> On top of that, the attack scenario doesn't sound too good either. I
> fail to see why would you need to copy&paste a password to access an
> untrusted machine and then worry that machine might get to see the
> password to itself.

You misunderstood. The remote machine can see *any* clipboard entries, 
even if I do something entirely different in a completely different 
application. I am browsing or using SSH and paste my password there, 
because the FF password manager failed, or I'm in a word processor or 
email app and write some document, which is entirely unrelated to the 
VNC session. I haven't looked at the VNC host for hours (but I have it 
constantly open for tasks that I need to do with untrusted software in a 
jail).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
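Added example, not part of the message above or of any VNC project's code: the behaviour Ben describes is the viewer emitting RFB ClientCutText messages (RFC 6143, section 7.5.6) to the server every time the local clipboard changes, regardless of which window has focus. The script below encodes such a message the way a viewer does and then scans a client-to-server RFB stream, pulling out every clipboard string the server would have received. It assumes the stream starts right after the ClientInit message and contains only the standard RFC 6143 client messages (the TigerVNC-style extended clipboard form with a negative length is flagged, not decoded); the sample stream and the password in it are constructed for the example.

```python
"""Parse an RFB (VNC) client-to-server stream and extract ClientCutText
messages, i.e. the clipboard contents a VNC viewer forwards to the server.
Message layouts follow RFC 6143, section 7.5."""
import struct
from typing import Iterator, List, Tuple

# Client-to-server message types (RFC 6143, section 7.5)
SET_PIXEL_FORMAT = 0
SET_ENCODINGS = 2
FRAMEBUFFER_UPDATE_REQUEST = 3
KEY_EVENT = 4
POINTER_EVENT = 5
CLIENT_CUT_TEXT = 6

# Total size (type byte included) of the fixed-length client messages.
FIXED_SIZES = {
    SET_PIXEL_FORMAT: 20,
    FRAMEBUFFER_UPDATE_REQUEST: 10,
    KEY_EVENT: 8,
    POINTER_EVENT: 6,
}


def encode_client_cut_text(text: str) -> bytes:
    """Build a ClientCutText message as a viewer does: U8 type 6, three
    padding bytes, U32 length, then ISO 8859-1 text with LF line endings."""
    payload = text.replace("\r\n", "\n").encode("latin-1")
    return struct.pack(">B3xI", CLIENT_CUT_TEXT, len(payload)) + payload


def iter_client_messages(stream: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (message_type, raw_message) for each message in a client->server
    stream that begins right after the ClientInit message."""
    pos = 0
    while pos < len(stream):
        mtype = stream[pos]
        if mtype in FIXED_SIZES:
            size = FIXED_SIZES[mtype]
        elif mtype == SET_ENCODINGS:
            # U8 type, U8 padding, U16 number-of-encodings, then S32 each.
            if pos + 4 > len(stream):
                raise ValueError("truncated SetEncodings header")
            (count,) = struct.unpack_from(">H", stream, pos + 2)
            size = 4 + 4 * count
        elif mtype == CLIENT_CUT_TEXT:
            if pos + 8 > len(stream):
                raise ValueError("truncated ClientCutText header")
            (length,) = struct.unpack_from(">I", stream, pos + 4)
            if length & 0x80000000:
                # A negative length marks the extended-clipboard extension,
                # which is outside RFC 6143 and outside this example.
                raise ValueError("extended clipboard message not supported")
            size = 8 + length
        else:
            raise ValueError(f"unknown client message type {mtype} at {pos}")
        if pos + size > len(stream):
            raise ValueError(f"truncated message type {mtype} at {pos}")
        yield mtype, stream[pos:pos + size]
        pos += size


def extract_clipboard(stream: bytes) -> List[str]:
    """Return every clipboard string the client sent to the server, in order."""
    found = []
    for mtype, raw in iter_client_messages(stream):
        if mtype == CLIENT_CUT_TEXT:
            found.append(raw[8:].decode("latin-1"))
    return found


# Constructed sample (not captured traffic): a viewer idling on another
# virtual desktop while the user pastes into unrelated applications.
SAMPLE_STREAM = (
    struct.pack(">BBHHHH", FRAMEBUFFER_UPDATE_REQUEST, 1, 0, 0, 1024, 768)
    + struct.pack(">BBHH", POINTER_EVENT, 0, 10, 20)
    + encode_client_cut_text("hunter2\n")          # password pasted into an SSH prompt
    + struct.pack(">BBxxI", KEY_EVENT, 1, 0xFF0D)  # Return keysym
    + encode_client_cut_text("Dear Bob,\nthe draft is attached")
)

if __name__ == "__main__":
    for item in extract_clipboard(SAMPLE_STREAM):
        print(repr(item))
```

Run against the sample, the script lists both clipboard entries even though neither paste was aimed at the VNC window; the same parser applied to a real client-to-server capture (after the handshake) shows exactly what a server operator could have logged.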
