lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 25 Jan 2012 11:52:36 +0100
From: Ben Bucksch <news@...ksch.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: VNC viewers: Clipboard of host automatically
 sent to remote machine

On 25.01.2012 08:44, Peter Osterberg wrote:
> I don't think that is what Ben is saying. The clipboard get sent to the
> the server even before it is pasted, this happens without the user
> knowing of it.
>
> Notepad would have the paste button grayed otherwise, if the clipboard
> is empty, right? So it is already on the server before paste is pressed.

Exactly. I take offense in that "without the user knowing it" part.

I chose my reproduction specifically with a mouse action and not Ctrl-V 
so that the VNC viewer cannot know I tried to paste in notepad.exe and 
cannot have transmitted the information at that moment only. It means 
that Windows had the information all along, at the moment when I copied, 
which means the remote Windows reads all my copies on the local X11, not 
just when I paste in Windows. That and only that is the problem.


Possible solution, concretely:
"Paste" button on VNC viewer toolbar
If the user presses the button, the viewer sends the clipboard to the 
remote machine at that moment, and then triggers a Ctrl-V keypress in 
the remove machine.
If the user doesn't press the button, but focuses the VNC viewer and 
presses Ctrl-V, the viewer sends the clipboard to the remote machine and 
only then sends the Ctrl-V to the remote machine.

In both cases, mouse or keyboard, you wouldn't need any more actions in 
practice. You still do Ctrl-C in your Linux app, switch to the viewer, 
press Ctrl-V there, and you got the text in notepad.exe.

Of course that would be configurable so that you can change they key 
combo, e.g. for Macs, or to disable sending the key combo after the 
Paste button, or to disable the clipboard entirely.


Dan Yefimov,

the RFB specification from 2007 happens to be linked from the page I 
mentioned, and funny enough... copy&paste / clipboard isn't mentioned 
with a single word either.

Now, obviously, it is possible somehow, because it's working, so there 
is some way, but it was never part of the protocol.
And it cannot be claimed that every user somehow naturally knows how 
exactly it works and he realizes what it implies concretely for his work.

Ben

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ