Open Source and information security mailing list archives
 
Message-ID: <4F1F0A29.8090809@coochey.net>
Date: Tue, 24 Jan 2012 19:44:41 +0000
From: Giles Coochey <giles@...chey.net>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: VNC viewers: Clipboard of host automatically sent to remote machine

On 24/01/2012 19:20, Ben Bucksch wrote:
> On 24.01.2012 20:08, Giles Coochey wrote:
>> I have seen this is an often requested feature
> Yes, I understand. It can be highly useful. That's why I proposed to
> make a "Paste" button in the main toolbar (probably with a keyboard
> shortcut, too). So, the user would have to press one more button / key
> (3 actions instead of 2) for the information to travel to the remote
> host. Compared to the risk, I think that's an acceptable tradeoff.
>
> Please tell me that you have never ever copied a password (or anything
> else highly sensitive) using the clipboard.
I have done this, and I have understood the risks.
>
> I guess what makes my case and the government agency case different is
> that for you and others, VNC is typically the primary focus, but here on
> my machine it's running all the time, I have several test machines with
> untrusted software running and connected *always*.
>
In my personal experience there was a case (a CDE - credit card data 
environment) where clipboard segregation between remote and local 
systems was a requirement. It was in this case that Citrix was chosen 
over other competing 'remote-application' products because of a feature 
it had to disable the seamless clipboard functionality.

I think whether this is a security issue depends on 
whether the VNC viewer in question is a fit tool for what you're using 
it for. Otherwise others may say it's a feature and not a bug, or at 
least your bug is my feature. I would see if you could ask them to have 
it as an optional feature though.

I would confirm that patch functions first - I found it in a thread 
regarding errors connecting to Mac OS X servers, and from the patch 
information, it may only stop the clipboard from server to client and 
not vice versa, but having seen it, I would imagine that you can find 
all the clipboard functions in the source and pretty much comment out 
their code.


