lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Wed, 25 Jan 2012 08:44:48 +0100
From: Peter Osterberg <j@....nu>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: VNC viewers: Clipboard of host automatically
 sent to remote machine

On 01/24/2012 07:18 PM, Mario Vilas wrote:
>> Guys, could you please read carefully everything before you reply?
> I read carefully. It still didn't make sense, though.
>
>> And you wouldn't be allowed to use copy&paste while you edit sensitive
>> documents either, I guess?
> I don't know how you could get to such a conclusion from what I wrote.
>
> You're reporting that if you copy and paste sensitive information and
> connect to a VNC session your clipboard data gets sent to the remote
> machine. That's pretty obvious and not a security hole that needs to
> be plugged.

I don't think that is what Ben is saying. The clipboard get sent to the
the server even before it is pasted, this happens without the user
knowing of it.

Notepad would have the paste button grayed otherwise, if the clipboard
is empty, right? So it is already on the server before paste is pressed.

So what ever was in the clipboard buffer is transmitted to the server on
connection.

This is at least the assumption I make from reading Ben's mails. Or...
Is there a cliboard flag saying there is something on the clipboard, but
it isn't transmitted until the user actually pastes? I haven't really
got any experience with how the clipboard feature is implemented. My
assumption is however that it has to be on server for notepad to be
aware that Paste shouldn't be grayed out...

I think Ben's report make complete sense actually, it would be better to
have the clipboard feature as a default. Security before features... =)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ