Full Disclosure mailing list archives

Re: VNC viewers: Clipboard of host automatically sent to remote machine

From: Giles Coochey <giles () coochey net>
Date: Tue, 24 Jan 2012 19:44:41 +0000

On 24/01/2012 19:20, Ben Bucksch wrote:

On 24.01.2012 20:08, Giles Coochey wrote:

I have seen this is an often requested feature

Yes, I understand. It can be highly useful. That's why I proposed to
make a "Paste" button in the main toolbar (probably with a keyboard
shortcut, too). So, the user would have to press one more button / key
(3 actions instead of 2) to for the information to travel to the remote
host. Compared to the risk, I think that's an acceptable tradeoff.

Please tell me that you have never ever copied a password (or anything
else highly sensitive) using the clipboard.

I have done this, and I have understood the risks.


I guess what makes my case and the government agency case different is
that for you and others, VNC is typically the primary focus, but here on
my machine it's running all the time, I have several test machines with
untrusted software running and connected *always*.

In my personal experience there was a case (a CDE - credit card dataenvironment) where clipboard segregation between remote and localsystems was a requirement. It was in this case that Citrix was chosenover other compteting 'remote-application' products because of a featureit had to disable the seamless clipboard functionality.

I think it is the case on whether this is a security issue depends onwhether the VNC viewer in question is a fit tool for what you're usingit for. Otherwise others may say it's a feature and not a bug, or atleast your bug is my feature. I would see if you could ask them to haveit as an optional feature though.

I would confirm that patch functions first - I found it in a threadregarding errors connecting to Mac OS X servers, and from the patchinformation, it may only stop the clipboard from server to client andnot vice versa, but having seen it, I would imagine that you can findall the clipboard functions in the source and pretty much comment outtheir code.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

VNC viewers: Clipboard of host automatically sent to remote machine Ben Bucksch (Jan 24)
- Re: VNC viewers: Clipboard of host automatically sent to remote machine Giles Coochey (Jan 24)
  - Re: VNC viewers: Clipboard of host automatically sent to remote machine Ben Bucksch (Jan 24)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine Giles Coochey (Jan 24)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine Ben Bucksch (Jan 24)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine Giles Coochey (Jan 24)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine Nick FitzGerald (Jan 24)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine Dan Kaminsky (Jan 24)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine Ben Bucksch (Jan 24)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine Henri Salo (Jan 24)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine Ben Bucksch (Jan 24)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine coderman (Jan 24)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine Valdis . Kletnieks (Jan 24)
    - Message not available
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine coderman (Jan 25)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine Gage Bystrom (Jan 25)
    - Re: VNC viewers: Clipboard of host automatically sent to remote machine Carlos Pantelides (Jan 25)

(Thread continues...)