[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
- From: Ben Bucksch <news@xxxxxxxxxxx>
- Date: Wed, 25 Jan 2012 11:52:36 +0100
On 25.01.2012 08:44, Peter Osterberg wrote:
> I don't think that is what Ben is saying. The clipboard get sent to the
> the server even before it is pasted, this happens without the user
> knowing of it.
>
> Notepad would have the paste button grayed otherwise, if the clipboard
> is empty, right? So it is already on the server before paste is pressed.
Exactly. I take offense in that "without the user knowing it" part.
I chose my reproduction specifically with a mouse action and not Ctrl-V
so that the VNC viewer cannot know I tried to paste in notepad.exe and
cannot have transmitted the information at that moment only. It means
that Windows had the information all along, at the moment when I copied,
which means the remote Windows reads all my copies on the local X11, not
just when I paste in Windows. That and only that is the problem.
Possible solution, concretely:
"Paste" button on VNC viewer toolbar
If the user presses the button, the viewer sends the clipboard to the
remote machine at that moment, and then triggers a Ctrl-V keypress in
the remove machine.
If the user doesn't press the button, but focuses the VNC viewer and
presses Ctrl-V, the viewer sends the clipboard to the remote machine and
only then sends the Ctrl-V to the remote machine.
In both cases, mouse or keyboard, you wouldn't need any more actions in
practice. You still do Ctrl-C in your Linux app, switch to the viewer,
press Ctrl-V there, and you got the text in notepad.exe.
Of course that would be configurable so that you can change they key
combo, e.g. for Macs, or to disable sending the key combo after the
Paste button, or to disable the clipboard entirely.
Dan Yefimov,
the RFB specification from 2007 happens to be linked from the page I
mentioned, and funny enough... copy&paste / clipboard isn't mentioned
with a single word either.
Now, obviously, it is possible somehow, because it's working, so there
is some way, but it was never part of the protocol.
And it cannot be claimed that every user somehow naturally knows how
exactly it works and he realizes what it implies concretely for his work.
Ben
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/