Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: VNC viewers: Clipboard of host automatically sent to remote machine
From: Gage Bystrom <themadichib0d () gmail com>
Date: Wed, 25 Jan 2012 10:55:41 -0800

What was the "offlist" message he was referring to? Cause yeah, he sounds
pretty new here with that kind of message. People bring in outside
conversations all the time, especially if they feel it is relevant to the
topic at hand.

Speaking of the topic at hand: I agree with the crowd that says it is not
explicitly a security bug, but more like a lack of a good feature. It
should be off by default, and someone on the list already made a patch to
remove the clipboard which you shouldn't be using for sensitive information
while connected to untrustworthy computers anyways. The developers should
be notified that they need the feature to turn clipboard sharing off, but
if they don't choose a different vnc and be on your way.

I don't view it as a security bug because its policy bug. It's not
something where "this problem exists ergo I can exploit it", its a problem
where "if they do something stupid, I can take advantage of it, and oh hey
their client by default doesn't mitigate this."

And before someone yells at me for how I seperate software bugs and policy
bugs by pointing out something like a client side attack: I view such
things as a mix. Policy bug that they are falling for it, and software bug
for the actual exploit.

And really this is a good example of a situation where if you are worried
about this you have bigger problems. Why must you use vnc? Why is what
you're connecting to untrustworthy? What information is directly at risk if
the box you're connecting to is compromised? What information is indirectly
at risk? Does the box running suspicious programs have access to the
internet? Etc.

Once you start going down the list on things that should be done, the need
to worry about this kind of bug becomes less and less relevant. Meaning if
this kind of problem IS relevant then I would almost bet money that you are
doing other things really wrong and so an attacker or a bad app doesn't
need to use this because they got far more easier and more rewarding things
to try.
On Jan 25, 2012 9:45 AM, "coderman" <coderman () gmail com> wrote:

On Wed, Jan 25, 2012 at 2:55 AM, Ben Bucksch <news () bucksch org> wrote:
Dear coderman,

posting mails that were explicitly marked "offlist" on the public list is
no-go.

you must be new around here... why not let everyone learn from your fail?

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]