
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine



On 24.01.2012 19:18, Mario Vilas wrote:
> You're reporting that if you copy and paste sensitive information and
> connect to a VNC session your clipboard data gets sent to the remote
> machine. That's pretty obvious

If I have a VNC window somewhere on my desktop (in my case a virtual 
desktop or minimized), and continue with my work, 3 hours later when I 
work on some document or use some webapp, I don't remember that I have 
a VNC session open and no, it's not obvious at all that this other host 
can read the communication between my local apps.

> On top of that, the attack scenario doesn't sound too good either. I
> fail to see why would you need to copy&paste a password to access an
> untrusted machine and then worry that machine might get to see the
> password to itself.

You misunderstood. The remote machine can see *any* clipboard entries, 
even if I do something entirely different in a completely different 
application. I am browsing or using SSH and paste my password there, 
because the FF password manager failed, or I'm in a word processor or 
email app and write some document, which is entirely unrelated to the 
VNC session. I haven't looked at the VNC host for hours (but I have it 
constantly open for tasks that I need to do with untrusted software in a 
jail).

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
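
Added example, not part of the original message: the clipboard transfer discussed in this thread travels as an RFB ClientCutText message (type 6, RFC 6143), so a user can check a capture of their own session to see whether their viewer sends clipboard contents. The function name and the sample bytes are constructed for illustration, and the input is assumed to be the unencrypted client-to-server byte stream starting after the RFB handshake (after ClientInit).

```python
import struct

# Fixed total sizes (bytes) of RFB client-to-server messages, by message type:
# 0 SetPixelFormat, 3 FramebufferUpdateRequest, 4 KeyEvent, 5 PointerEvent.
FIXED_SIZES = {0: 20, 3: 10, 4: 8, 5: 6}

def find_cut_text(stream: bytes):
    """Return [(offset, text)] for every ClientCutText message in the stream."""
    found, pos = [], 0
    while pos < len(stream):
        mtype = stream[pos]
        if mtype in FIXED_SIZES:
            pos += FIXED_SIZES[mtype]
        elif mtype == 2:  # SetEncodings: type, pad, u16 count, count * s32
            if pos + 4 > len(stream):
                break  # truncated capture
            (count,) = struct.unpack_from(">H", stream, pos + 2)
            pos += 4 + 4 * count
        elif mtype == 6:  # ClientCutText: type, 3 pad bytes, s32 length, text
            if pos + 8 > len(stream):
                break
            (length,) = struct.unpack_from(">i", stream, pos + 4)
            size = abs(length)
            body = stream[pos + 8 : pos + 8 + size]
            if len(body) < size:
                break  # message body cut off by end of capture
            # A negative length marks the extended clipboard extension
            # (not part of RFC 6143); its payload is not decoded here.
            text = body.decode("latin-1") if length >= 0 else "<extended clipboard>"
            found.append((pos, text))
            pos += 8 + size
        else:
            raise ValueError(f"unknown message type {mtype} at offset {pos}")
    return found

# Constructed sample stream: normal viewer traffic with one clipboard push.
_clip = b"constructed-secret"
SAMPLE = (
    struct.pack(">BxHii", 2, 2, 0, 1)               # SetEncodings (Raw, CopyRect)
    + struct.pack(">BBHHHH", 3, 1, 0, 0, 800, 600)  # FramebufferUpdateRequest
    + struct.pack(">BBxxI", 4, 1, 0x61)             # KeyEvent: 'a' pressed
    + struct.pack(">Bxxxi", 6, len(_clip)) + _clip  # ClientCutText
    + struct.pack(">BBHH", 5, 0, 10, 10)            # PointerEvent
)

if __name__ == "__main__":
    for offset, text in find_cut_text(SAMPLE):
        print(f"ClientCutText at offset {offset}: {text!r}")
```

Any hit that does not correspond to a deliberate paste into the VNC window is the behaviour described above: clipboard data from unrelated local applications reaching the remote host.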