lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CALCvwp5NW=0fyHjyNmFZ2WHUnOLXQFMWrYE4OpgBESeU3qp-Qg@mail.gmail.com>
Date: Wed, 25 Jan 2012 22:04:47 +1100
From: GloW - XD <doomxd@...il.com>
To: Christian Sciberras <uuf6429@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: VNC viewers: Clipboard of host automatically
 sent to remote machine

and stupidly, you forgot to addin the second PRIVT post i sent you,
saying i meant *insecure :)
now, go try tell me windows vnc is secure again...and, then setup a
vnc on your box, and, under win32, try your best, when your ready,
yell out, so i can make a compete fucking fool of ya.
ok ?
if this is how you want to play, i am challenging you, if i can own a
shitty windows setup you 'secure' as best you8 can, here on fd, is
this trolling is it ?
its a challenge... maybe, if you read the lame rfb and, pixelisation
via IP KVM, unfortunately for windows, it aint any different, a pixel
is placed at X or Y, and, you can place data calls to it, from server
wich, could be, my bot :)
want more proof,...keep going with my challenge then.


On 25 January 2012 21:38, Christian Sciberras <uuf6429@...il.com> wrote:
> No, I only read the manual.
>
> Now go troll somwhere else. :)
>
> On Wed, Jan 25, 2012 at 11:35 AM, GloW - XD <doomxd@...il.com> wrote:
>>
>> Windows is even more secure, have you actually, read any of the code /
>>
>>
>> On 25 January 2012 21:30, Christian Sciberras <uuf6429@...il.com> wrote:
>> > That's not necessarily true. On windows you can add custom
>> > clipboard formats
>> > that would contain a 'link' to the original source, causing the data
>> > to be
>> > actually
>> > passed when pasting. An example of this is when one copy+pastes a file.
>> > See the Windows Clipboard API for more info.
>> >
>> > Chris.
>> >
>> >
>> >
>> > On Wed, Jan 25, 2012 at 10:54 AM, Mario Vilas <mvilas@...il.com> wrote:
>> >>
>> >> I'm not sure how the clipboard works in Linux desktops (I understand
>> >> it's a little different), but at least in Windows environments data
>> >> has to be copied to the clipboard when you hit Ctrl-C. It can't be
>> >> copied when you hit Ctrl-V because then the applications wouldn't know
>> >> if there is anything to paste (like you said, the button would be
>> >> grayed).
>> >>
>> >> So to replicate this behavior it's necessary to send the data as it's
>> >> copied, not as it's pasted. Most (not all, but most) desktop systems
>> >> assume clipboard data can be freely shared with all applications and
>> >> don't have any kind of isolation at all. VNC was designed with the
>> >> same idea.
>> >>
>> >> The bottom line is, the problem here is using VNC for what Ben is
>> >> using it. There are many more problems with that scenario and
>> >> clipboard sharing may be the least of them.
>> >>
>> >> On Wed, Jan 25, 2012 at 8:44 AM, Peter Osterberg <j@....nu> wrote:
>> >> > On 01/24/2012 07:18 PM, Mario Vilas wrote:
>> >> >>> Guys, could you please read carefully everything before you reply?
>> >> >> I read carefully. It still didn't make sense, though.
>> >> >>
>> >> >>> And you wouldn't be allowed to use copy&paste while you edit
>> >> >>> sensitive
>> >> >>> documents either, I guess?
>> >> >> I don't know how you could get to such a conclusion from what I
>> >> >> wrote.
>> >> >>
>> >> >> You're reporting that if you copy and paste sensitive information
>> >> >> and
>> >> >> connect to a VNC session your clipboard data gets sent to the remote
>> >> >> machine. That's pretty obvious and not a security hole that needs to
>> >> >> be plugged.
>> >> >
>> >> > I don't think that is what Ben is saying. The clipboard get sent to
>> >> > the
>> >> > the server even before it is pasted, this happens without the user
>> >> > knowing of it.
>> >> >
>> >> > Notepad would have the paste button grayed otherwise, if the
>> >> > clipboard
>> >> > is empty, right? So it is already on the server before paste is
>> >> > pressed.
>> >> >
>> >> > So what ever was in the clipboard buffer is transmitted to the server
>> >> > on
>> >> > connection.
>> >> >
>> >> > This is at least the assumption I make from reading Ben's mails.
>> >> > Or...
>> >> > Is there a cliboard flag saying there is something on the clipboard,
>> >> > but
>> >> > it isn't transmitted until the user actually pastes? I haven't really
>> >> > got any experience with how the clipboard feature is implemented. My
>> >> > assumption is however that it has to be on server for notepad to be
>> >> > aware that Paste shouldn't be grayed out...
>> >> >
>> >> > I think Ben's report make complete sense actually, it would be better
>> >> > to
>> >> > have the clipboard feature as a default. Security before features...
>> >> > =)
>> >> >
>> >> > _______________________________________________
>> >> > Full-Disclosure - We believe in it.
>> >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> > Hosted and sponsored by Secunia - http://secunia.com/
>> >>
>> >>
>> >>
>> >> --
>> >> “There's a reason we separate military and the police: one fights the
>> >> enemy of the state, the other serves and protects the people. When the
>> >> military becomes both, then the enemies of the state tend to become
>> >> the people.”
>> >>
>> >> _______________________________________________
>> >> Full-Disclosure - We believe in it.
>> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> >> Hosted and sponsored by Secunia - http://secunia.com/
>> >
>> >
>> >
>> > _______________________________________________
>> > Full-Disclosure - We believe in it.
>> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> > Hosted and sponsored by Secunia - http://secunia.com/
>
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ