lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 25 Jan 2012 10:55:41 -0800
From: Gage Bystrom <themadichib0d@...il.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Re: VNC viewers: Clipboard of host automatically
 sent to remote machine

What was the "offlist" message he was referring to? Cause yeah, he sounds
pretty new here with that kind of message. People bring in outside
conversations all the time, especially if they feel it is relevant to the
topic at hand.

Speaking of the topic at hand: I agree with the crowd that says it is not
explicitly a security bug, but more like a lack of a good feature. It
should be off by default, and someone on the list already made a patch to
remove the clipboard which you shouldn't be using for sensitive information
while connected to untrustworthy computers anyways. The developers should
be notified that they need the feature to turn clipboard sharing off, but
if they don't choose a different vnc and be on your way.

I don't view it as a security bug because its policy bug. It's not
something where "this problem exists ergo I can exploit it", its a problem
where "if they do something stupid, I can take advantage of it, and oh hey
their client by default doesn't mitigate this."

And before someone yells at me for how I seperate software bugs and policy
bugs by pointing out something like a client side attack: I view such
things as a mix. Policy bug that they are falling for it, and software bug
for the actual exploit.

And really this is a good example of a situation where if you are worried
about this you have bigger problems. Why must you use vnc? Why is what
you're connecting to untrustworthy? What information is directly at risk if
the box you're connecting to is compromised? What information is indirectly
at risk? Does the box running suspicious programs have access to the
internet? Etc.

Once you start going down the list on things that should be done, the need
to worry about this kind of bug becomes less and less relevant. Meaning if
this kind of problem IS relevant then I would almost bet money that you are
doing other things really wrong and so an attacker or a bad app doesn't
need to use this because they got far more easier and more rewarding things
to try.
On Jan 25, 2012 9:45 AM, "coderman" <coderman@...il.com> wrote:

> On Wed, Jan 25, 2012 at 2:55 AM, Ben Bucksch <news@...ksch.org> wrote:
> > Dear coderman,
> >
> > posting mails that were explicitly marked "offlist" on the public list is
> > no-go.
>
> you must be new around here... why not let everyone learn from your fail?
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ