[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine



I'm not sure how the clipboard works in Linux desktops (I understand
it's a little different), but at least in Windows environments data
has to be copied to the clipboard when you hit Ctrl-C. It can't be
copied when you hit Ctrl-V because then the applications wouldn't know
if there is anything to paste (like you said, the button would be
grayed).

So to replicate this behavior it's necessary to send the data as it's
copied, not as it's pasted. Most (not all, but most) desktop systems
assume clipboard data can be freely shared with all applications and
don't have any kind of isolation at all. VNC was designed with the
same idea.

The bottom line is, the problem here is using VNC for what Ben is
using it. There are many more problems with that scenario and
clipboard sharing may be the least of them.

On Wed, Jan 25, 2012 at 8:44 AM, Peter Osterberg <j@xxxxxx> wrote:
> On 01/24/2012 07:18 PM, Mario Vilas wrote:
>>> Guys, could you please read carefully everything before you reply?
>> I read carefully. It still didn't make sense, though.
>>
>>> And you wouldn't be allowed to use copy&paste while you edit sensitive
>>> documents either, I guess?
>> I don't know how you could get to such a conclusion from what I wrote.
>>
>> You're reporting that if you copy and paste sensitive information and
>> connect to a VNC session your clipboard data gets sent to the remote
>> machine. That's pretty obvious and not a security hole that needs to
>> be plugged.
>
> I don't think that is what Ben is saying. The clipboard get sent to the
> the server even before it is pasted, this happens without the user
> knowing of it.
>
> Notepad would have the paste button grayed otherwise, if the clipboard
> is empty, right? So it is already on the server before paste is pressed.
>
> So what ever was in the clipboard buffer is transmitted to the server on
> connection.
>
> This is at least the assumption I make from reading Ben's mails. Or...
> Is there a cliboard flag saying there is something on the clipboard, but
> it isn't transmitted until the user actually pastes? I haven't really
> got any experience with how the clipboard feature is implemented. My
> assumption is however that it has to be on server for notepad to be
> aware that Paste shouldn't be grayed out...
>
> I think Ben's report make complete sense actually, it would be better to
> have the clipboard feature as a default. Security before features... =)
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/



-- 
“There's a reason we separate military and the police: one fights the
enemy of the state, the other serves and protects the people. When the
military becomes both, then the enemies of the state tend to become
the people.”

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/