[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine



For the record...
who are the other 'many on this list' that know you don't troll other than
your alter egos?
'course you don't troll.... can you quote me where I ever said VNC is
secure?

With that, I'll let you troll in peace. I have no interest talking to you
anyway... :)



On Wed, Jan 25, 2012 at 12:04 PM, GloW - XD <doomxd@xxxxxxxxx> wrote:

> and stupidly, you forgot to addin the second PRIVT post i sent you,
> saying i meant *insecure :)
> now, go try tell me windows vnc is secure again...and, then setup a
> vnc on your box, and, under win32, try your best, when your ready,
> yell out, so i can make a compete fucking fool of ya.
> ok ?
> if this is how you want to play, i am challenging you, if i can own a
> shitty windows setup you 'secure' as best you8 can, here on fd, is
> this trolling is it ?
> its a challenge... maybe, if you read the lame rfb and, pixelisation
> via IP KVM, unfortunately for windows, it aint any different, a pixel
> is placed at X or Y, and, you can place data calls to it, from server
> wich, could be, my bot :)
> want more proof,...keep going with my challenge then.
>
>
> On 25 January 2012 21:38, Christian Sciberras <uuf6429@xxxxxxxxx> wrote:
> > No, I only read the manual.
> >
> > Now go troll somwhere else. :)
> >
> > On Wed, Jan 25, 2012 at 11:35 AM, GloW - XD <doomxd@xxxxxxxxx> wrote:
> >>
> >> Windows is even more secure, have you actually, read any of the code /
> >>
> >>
> >> On 25 January 2012 21:30, Christian Sciberras <uuf6429@xxxxxxxxx>
> wrote:
> >> > That's not necessarily true. On windows you can add custom
> >> > clipboard formats
> >> > that would contain a 'link' to the original source, causing the data
> >> > to be
> >> > actually
> >> > passed when pasting. An example of this is when one copy+pastes a
> file.
> >> > See the Windows Clipboard API for more info.
> >> >
> >> > Chris.
> >> >
> >> >
> >> >
> >> > On Wed, Jan 25, 2012 at 10:54 AM, Mario Vilas <mvilas@xxxxxxxxx>
> wrote:
> >> >>
> >> >> I'm not sure how the clipboard works in Linux desktops (I understand
> >> >> it's a little different), but at least in Windows environments data
> >> >> has to be copied to the clipboard when you hit Ctrl-C. It can't be
> >> >> copied when you hit Ctrl-V because then the applications wouldn't
> know
> >> >> if there is anything to paste (like you said, the button would be
> >> >> grayed).
> >> >>
> >> >> So to replicate this behavior it's necessary to send the data as it's
> >> >> copied, not as it's pasted. Most (not all, but most) desktop systems
> >> >> assume clipboard data can be freely shared with all applications and
> >> >> don't have any kind of isolation at all. VNC was designed with the
> >> >> same idea.
> >> >>
> >> >> The bottom line is, the problem here is using VNC for what Ben is
> >> >> using it. There are many more problems with that scenario and
> >> >> clipboard sharing may be the least of them.
> >> >>
> >> >> On Wed, Jan 25, 2012 at 8:44 AM, Peter Osterberg <j@xxxxxx> wrote:
> >> >> > On 01/24/2012 07:18 PM, Mario Vilas wrote:
> >> >> >>> Guys, could you please read carefully everything before you
> reply?
> >> >> >> I read carefully. It still didn't make sense, though.
> >> >> >>
> >> >> >>> And you wouldn't be allowed to use copy&paste while you edit
> >> >> >>> sensitive
> >> >> >>> documents either, I guess?
> >> >> >> I don't know how you could get to such a conclusion from what I
> >> >> >> wrote.
> >> >> >>
> >> >> >> You're reporting that if you copy and paste sensitive information
> >> >> >> and
> >> >> >> connect to a VNC session your clipboard data gets sent to the
> remote
> >> >> >> machine. That's pretty obvious and not a security hole that needs
> to
> >> >> >> be plugged.
> >> >> >
> >> >> > I don't think that is what Ben is saying. The clipboard get sent to
> >> >> > the
> >> >> > the server even before it is pasted, this happens without the user
> >> >> > knowing of it.
> >> >> >
> >> >> > Notepad would have the paste button grayed otherwise, if the
> >> >> > clipboard
> >> >> > is empty, right? So it is already on the server before paste is
> >> >> > pressed.
> >> >> >
> >> >> > So what ever was in the clipboard buffer is transmitted to the
> server
> >> >> > on
> >> >> > connection.
> >> >> >
> >> >> > This is at least the assumption I make from reading Ben's mails.
> >> >> > Or...
> >> >> > Is there a cliboard flag saying there is something on the
> clipboard,
> >> >> > but
> >> >> > it isn't transmitted until the user actually pastes? I haven't
> really
> >> >> > got any experience with how the clipboard feature is implemented.
> My
> >> >> > assumption is however that it has to be on server for notepad to be
> >> >> > aware that Paste shouldn't be grayed out...
> >> >> >
> >> >> > I think Ben's report make complete sense actually, it would be
> better
> >> >> > to
> >> >> > have the clipboard feature as a default. Security before
> features...
> >> >> > =)
> >> >> >
> >> >> > _______________________________________________
> >> >> > Full-Disclosure - We believe in it.
> >> >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> >> > Hosted and sponsored by Secunia - http://secunia.com/
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> “There's a reason we separate military and the police: one fights the
> >> >> enemy of the state, the other serves and protects the people. When
> the
> >> >> military becomes both, then the enemies of the state tend to become
> >> >> the people.”
> >> >>
> >> >> _______________________________________________
> >> >> Full-Disclosure - We believe in it.
> >> >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> >> Hosted and sponsored by Secunia - http://secunia.com/
> >> >
> >> >
> >> >
> >> > _______________________________________________
> >> > Full-Disclosure - We believe in it.
> >> > Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >> > Hosted and sponsored by Secunia - http://secunia.com/
> >
> >
>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/