Home page logo
  • Nmap Security Scanner
  • Security Lists
  • Security Tools
  • Site News
  • Advertising
  • About/Contact
  • Sponsors:



/

fulldisclosure logo Full Disclosure mailing list archives

Re: VNC viewers: Clipboard of host automatically sent to remote machine
From: Giles Coochey <giles () coochey net>
Date: Tue, 24 Jan 2012 19:44:41 +0000
On 24/01/2012 19:20, Ben Bucksch wrote:

On 24.01.2012 20:08, Giles Coochey wrote:

I have seen this is an often requested feature

Yes, I understand. It can be highly useful. That's why I proposed to
make a "Paste" button in the main toolbar (probably with a keyboard
shortcut, too). So, the user would have to press one more button / key
(3 actions instead of 2) to for the information to travel to the remote
host. Compared to the risk, I think that's an acceptable tradeoff.

Please tell me that you have never ever copied a password (or anything
else highly sensitive) using the clipboard.

I have done this, and I have understood the risks.


I guess what makes my case and the government agency case different is
that for you and others, VNC is typically the primary focus, but here on
my machine it's running all the time, I have several test machines with
untrusted software running and connected *always*.
In my personal experience there was a case (a CDE - credit card data environment) where clipboard segregation between remote and local systems was a requirement. It was in this case that Citrix was chosen over other compteting 'remote-application' products because of a feature it had to disable the seamless clipboard functionality.
I think it is the case on whether this is a security issue depends on whether the VNC viewer in question is a fit tool for what you're using it for. Otherwise others may say it's a feature and not a bug, or at least your bug is my feature. I would see if you could ask them to have it as an optional feature though.
I would confirm that patch functions first - I found it in a thread regarding errors connecting to Mac OS X servers, and from the patch information, it may only stop the clipboard from server to client and not vice versa, but having seen it, I would imagine that you can find all the clipboard functions in the source and pretty much comment out their code.

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]