lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4F1EB380.3040701@bucksch.org>
Date: Tue, 24 Jan 2012 14:34:56 +0100
From: Ben Bucksch <news@...ksch.org>
To: full-disclosure@...ts.grok.org.uk
Subject: VNC viewers: Clipboard of host automatically sent
	to remote machine

Affected Products: GNOME Vinagre and many other VNC viewers

Reproduction:
1. On your trusted desktop (e.g. Linux), open a text editor
2. Type "My password", select the text, and hit Ctrl-C
3. Open a Vinagre VNC connection to a remote host, e.g. running an 
untrusted Windows
4. On the remote Windows host, open notepad.exe
5. In notepad's menu bar, using the mouse, click on Edit|Paste

Actual result:
notepad.exe shows "My password"
Expected result:
Nothing.

Impact:
Because I use a different password for every service, I have to 
copy&paste them
(on my trusted desktop).

However, the remote machine is not trusted. In some cases, it's owned by 
a different company, in other cases I use VNC and a different machine 
specifically because I don't trust the software and want it jailed. If 
the untrusted host can get to my passwords from my trusted desktop, 
that's a critical security hole, because my passwords leak, and they may 
well give full access to other machines, my bank account or other highly 
sensitive data.

Affected users:
Using VNC is common usage pattern also used by government agencies
handling highly sensible documents (on the trusted host desktop system)
while moving dangerous but necessary uses like Internet access, Windows 
system
and similar needs on physically different machines that are accessed via 
VNC.
The purpose is that the untrusted system has no way to get to the 
information
on the trusted desktop, but that assumption is violated here.

Even normal users will be at risk. Many copy&paste passwords, or they 
copy&paste snipplets of sensitive Word processing documents, e.g. 
business plans.

Solution:
Given that most users are unaware of this risk, although the danger may 
nevertheless be very real for them, it is necessary for the default 
configuration to be secure. They cannot be expected to actively change 
preferences or the software to protect themselves, because the problem 
isn't obvious in the first place.

   Possible solutions:
1) a pref, with default off and a clear warning about this problem, 
because many users will not be aware of it. A pref with default on or 
without a clear warning is *not* sufficient.
2) Better yet: A button on the toolbar "Copy clipboard" Text is copied 
from host desktop clipboard to remote machine clipboard only when that 
button is pressed.
3) A combination of 1) and 2)

Vendor response:
The maintainer of the application has been informed via bugzilla, but 
has refused to acknowledge it as security problem.
https://bugzilla.gnome.org/show_bug.cgi?id=668544

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ