Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
Why yes, yes there is. :) More of a distinction, in fact, than there is in Linux world!

On Thu, Jan 26, 2012 at 9:02 AM, valdis.kletni...@vt.edu wrote:

On Wed, 25 Jan 2012 17:54:02 PST, Alyx said:

Are you looking at kernel code or userland code? (:

Is there a clear distinction in the Windows world? :)

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
Are you looking at kernel code or userland code? (:

On Wed, Jan 25, 2012 at 2:35 AM, GloW - XD doo...@gmail.com wrote:

INSECURE i mean*

On 25 January 2012 21:30, Christian Sciberras uuf6...@gmail.com wrote:

That's not necessarily true. On Windows you can add custom clipboard formats that would contain a 'link' to the original source, causing the data to be actually passed when pasting. An example of this is when one copy+pastes a file. See the Windows Clipboard API for more info.

Chris.

On Wed, Jan 25, 2012 at 10:54 AM, Mario Vilas mvi...@gmail.com wrote:

I'm not sure how the clipboard works in Linux desktops (I understand it's a little different), but at least in Windows environments data has to be copied to the clipboard when you hit Ctrl-C. It can't be copied when you hit Ctrl-V because then the applications wouldn't know if there is anything to paste (like you said, the button would be grayed). So to replicate this behavior it's necessary to send the data as it's copied, not as it's pasted.

Most (not all, but most) desktop systems assume clipboard data can be freely shared with all applications and don't have any kind of isolation at all. VNC was designed with the same idea.

The bottom line is, the problem here is using VNC for what Ben is using it. There are many more problems with that scenario and clipboard sharing may be the least of them.

On Wed, Jan 25, 2012 at 8:44 AM, Peter Osterberg j...@vel.nu wrote:

On 01/24/2012 07:18 PM, Mario Vilas wrote:

Guys, could you please read carefully everything before you reply?

I read carefully. It still didn't make sense, though.

And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?

I don't know how you could get to such a conclusion from what I wrote. You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.

I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted, this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed. So whatever was in the clipboard buffer is transmitted to the server on connection. This is at least the assumption I make from reading Ben's mails.

Or... Is there a clipboard flag saying there is something on the clipboard, but it isn't transmitted until the user actually pastes? I haven't really got any experience with how the clipboard feature is implemented. My assumption is however that it has to be on server for notepad to be aware that Paste shouldn't be grayed out...

I think Ben's report makes complete sense actually, it would be better to have the clipboard feature as a default. Security before features... =)

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On Wed, 25 Jan 2012 17:54:02 PST, Alyx said:

Are you looking at kernel code or userland code? (:

Is there a clear distinction in the Windows world? :)

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
Yes :|

--
phocean 0...@phocean.net

On Thursday 26 January 2012 at 12:02 -0500, valdis.kletni...@vt.edu wrote:

On Wed, 25 Jan 2012 17:54:02 PST, Alyx said:

Are you looking at kernel code or userland code? (:

Is there a clear distinction in the Windows world? :)

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 01/24/2012 07:18 PM, Mario Vilas wrote:

Guys, could you please read carefully everything before you reply?

I read carefully. It still didn't make sense, though.

And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?

I don't know how you could get to such a conclusion from what I wrote. You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.

I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted, this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed. So whatever was in the clipboard buffer is transmitted to the server on connection. This is at least the assumption I make from reading Ben's mails.

Or... Is there a clipboard flag saying there is something on the clipboard, but it isn't transmitted until the user actually pastes? I haven't really got any experience with how the clipboard feature is implemented. My assumption is however that it has to be on server for notepad to be aware that Paste shouldn't be grayed out...

I think Ben's report makes complete sense actually, it would be better to have the clipboard feature as a default. Security before features... =)

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
have the clipboard disabled...

On 01/25/2012 08:44 AM, Peter Osterberg wrote:

I think Ben's report makes complete sense actually, it would be better to have the clipboard feature as a default. Security before features... =)

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 25.01.2012 5:45, Ben Bucksch wrote:

On 25.01.2012 00:52, Henri Salo wrote:

On Wed, Jan 25, 2012 at 12:47:28AM +0100, Ben Bucksch wrote:

On 25.01.2012 00:09, Dan Kaminsky wrote:

IP KVM, in which the foreign server basically gets only inbound Keyboard and Mouse and outbound uncompressed pixels.

That is *precisely* what VNC is: an open-source IP KVM.

What the hell? Seriously.. http://en.wikipedia.org/wiki/VNC

hihi. Thanks. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network. The VNC protocol (RFB) is very simple, based on one graphic primitive from server to client ('Put a rectangle of pixel data at the specified X,Y position') and event messages from client to server. Compare to above. Now, the part where it defines that clipboard is also a standard part of VNC... oh, huch, it's not there! (Just a random note that Unicode is impossible, but not that clipboard is defined as part of the protocol at all.) Ah, I know... Surely, it must be on http://en.wikipedia.org/wiki/RFB_protocol... No, same thing there. Strange.

It should be strictly understood that something not being mentioned in the Wikipedia article doesn't mean that doesn't exist at all, since Wikipedia is _not_ authoritative information source. The authoritative information source would be the formal specification of the protocol explicitly defining the set of event types and explicitly prohibiting non-defined event types, otherwise implementations are free to define and use their own event types being in fact extensions of the protocol. It's defined nowhere that VNC is _exactly_ open-source IP KVM and nothing more.

P.S. I was just reporting bug. I hope at least some software finds a better solution. Have fun.

I'd suggest you find alternative product allowing you to explicitly configure that clipboard is not transmitted to the host under control instead of struggling with the product limitations and design flaws.

--
Sincerely Yours, Dan.

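An added example, not part of the thread and not code from any VNC project: a Python audit of a captured client-to-server RFB stream that reports each ClientCutText (clipboard) message and whether it preceded any key or pointer event, which is the behaviour debated in this thread. The message layouts are taken from RFC 6143 rather than from the posts, the sample stream is constructed, and `audit_client_stream` and `build_sample` are hypothetical names.

```python
import struct

# Client-to-server RFB message sizes as laid out in RFC 6143
# (assumption: taken from the RFC, not from the thread).
FIXED_SIZE = {
    0: 20,  # SetPixelFormat
    3: 10,  # FramebufferUpdateRequest
    4: 8,   # KeyEvent
    5: 6,   # PointerEvent
}
SET_ENCODINGS = 2      # 4-byte header + 4 bytes per encoding
CLIENT_CUT_TEXT = 6    # 8-byte header + Latin-1 text
USER_INPUT = {4, 5}    # messages that only exist because the user acted


def _need(stream, pos, size):
    """Fail loudly on a capture that ends in the middle of a message."""
    if pos + size > len(stream):
        raise ValueError(f"truncated message at offset {pos}")


def audit_client_stream(stream: bytes) -> dict:
    """Walk client-to-server messages (starting after ClientInit).

    Returns every ClientCutText found, flagged with whether it was sent
    before the first key or pointer event, and the offset and type of the
    first message type this parser does not know. Unknown types are
    implementation extensions whose length cannot be guessed, so parsing
    stops there instead of mis-framing the rest of the stream.
    """
    cut_texts = []
    seen_input = False
    stopped_at = None
    pos = 0
    while pos < len(stream):
        mtype = stream[pos]
        if mtype in FIXED_SIZE:
            size = FIXED_SIZE[mtype]
        elif mtype == SET_ENCODINGS:
            _need(stream, pos, 4)
            (count,) = struct.unpack_from(">H", stream, pos + 2)
            size = 4 + 4 * count
        elif mtype == CLIENT_CUT_TEXT:
            _need(stream, pos, 8)
            (length,) = struct.unpack_from(">I", stream, pos + 4)
            size = 8 + length
        else:
            stopped_at = (pos, mtype)
            break
        _need(stream, pos, size)
        if mtype == CLIENT_CUT_TEXT:
            text = stream[pos + 8:pos + size].decode("latin-1")
            cut_texts.append({
                "offset": pos,
                "text": text,
                "before_user_input": not seen_input,
            })
        if mtype in USER_INPUT:
            seen_input = True
        pos += size
    return {"cut_texts": cut_texts, "stopped_at": stopped_at}


def build_sample() -> bytes:
    """Constructed capture: the viewer pushes its clipboard during session
    setup, before the user has touched keyboard or mouse."""
    secret = b"constructed-secret"
    return b"".join([
        struct.pack(">B3x16s", 0, bytes(16)),            # SetPixelFormat
        struct.pack(">BxH2i", 2, 2, 0, 1),               # SetEncodings
        struct.pack(">B3xI", 6, len(secret)) + secret,   # ClientCutText
        struct.pack(">BBHHHH", 3, 0, 0, 0, 800, 600),    # FramebufferUpdateRequest
        struct.pack(">BBxxI", 4, 1, 0x61),               # KeyEvent
        struct.pack(">BBHH", 5, 0, 10, 10),              # PointerEvent
    ])


if __name__ == "__main__":
    report = audit_client_stream(build_sample())
    for hit in report["cut_texts"]:
        print(hit["offset"], hit["before_user_input"], len(hit["text"]), "bytes")
```

Run against a real capture, a `before_user_input` hit means the viewer sent clipboard contents without any action in the remote session, so that viewer's clipboard option needs to be turned off.
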
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
you are seriously more retarded than even the n3td3v+me+you together...damn army..!

On 25 January 2012 19:29, Peter Osterberg j...@vel.nu wrote:

Wasn't the original thread originally about VNC?

On 01/25/2012 09:27 AM, GloW - XD wrote:

derp, do you know what KVM IP is ? read up on how that relays ;) that's that. XD

On 25 January 2012 18:44, Peter Osterberg j...@vel.nu wrote:

On 01/24/2012 07:18 PM, Mario Vilas wrote:

Guys, could you please read carefully everything before you reply?

I read carefully. It still didn't make sense, though.

And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?

I don't know how you could get to such a conclusion from what I wrote. You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.

I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted, this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed. So whatever was in the clipboard buffer is transmitted to the server on connection. This is at least the assumption I make from reading Ben's mails.

Or... Is there a clipboard flag saying there is something on the clipboard, but it isn't transmitted until the user actually pastes? I haven't really got any experience with how the clipboard feature is implemented. My assumption is however that it has to be on server for notepad to be aware that Paste shouldn't be grayed out...

I think Ben's report makes complete sense actually, it would be better to have the clipboard feature as a default. Security before features... =)

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
nice to send THIS one to fd, and you somehow admit to knowing it here yet, i told you what it was, exactly, don't try make me look bad fag, or i will drop your fucking domain, for a month :) ciao beech,. xd

On 25 January 2012 19:55, Dan Yefimov d...@lightwave.net.ru wrote:

On 25.01.2012 5:45, Ben Bucksch wrote:

On 25.01.2012 00:52, Henri Salo wrote:

On Wed, Jan 25, 2012 at 12:47:28AM +0100, Ben Bucksch wrote:

On 25.01.2012 00:09, Dan Kaminsky wrote:

IP KVM, in which the foreign server basically gets only inbound Keyboard and Mouse and outbound uncompressed pixels.

That is *precisely* what VNC is: an open-source IP KVM.

What the hell? Seriously.. http://en.wikipedia.org/wiki/VNC

hihi. Thanks. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network. The VNC protocol (RFB) is very simple, based on one graphic primitive from server to client ('Put a rectangle of pixel data at the specified X,Y position') and event messages from client to server. Compare to above. Now, the part where it defines that clipboard is also a standard part of VNC... oh, huch, it's not there! (Just a random note that Unicode is impossible, but not that clipboard is defined as part of the protocol at all.) Ah, I know... Surely, it must be on http://en.wikipedia.org/wiki/RFB_protocol... No, same thing there. Strange.

It should be strictly understood that something not being mentioned in the Wikipedia article doesn't mean that doesn't exist at all, since Wikipedia is _not_ authoritative information source. The authoritative information source would be the formal specification of the protocol explicitly defining the set of event types and explicitly prohibiting non-defined event types, otherwise implementations are free to define and use their own event types being in fact extensions of the protocol. It's defined nowhere that VNC is _exactly_ open-source IP KVM and nothing more.

P.S. I was just reporting bug. I hope at least some software finds a better solution. Have fun.

I'd suggest you find alternative product allowing you to explicitly configure that clipboard is not transmitted to the host under control instead of struggling with the product limitations and design flaws.

--
Sincerely Yours, Dan.

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
ooops my bad, wrong guy, or, you don't understand this either ?

On 25 January 2012 19:55, Dan Yefimov d...@lightwave.net.ru wrote:

On 25.01.2012 5:45, Ben Bucksch wrote:

On 25.01.2012 00:52, Henri Salo wrote:

On Wed, Jan 25, 2012 at 12:47:28AM +0100, Ben Bucksch wrote:

On 25.01.2012 00:09, Dan Kaminsky wrote:

IP KVM, in which the foreign server basically gets only inbound Keyboard and Mouse and outbound uncompressed pixels.

That is *precisely* what VNC is: an open-source IP KVM.

What the hell? Seriously.. http://en.wikipedia.org/wiki/VNC

hihi. Thanks. It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network. The VNC protocol (RFB) is very simple, based on one graphic primitive from server to client ('Put a rectangle of pixel data at the specified X,Y position') and event messages from client to server. Compare to above. Now, the part where it defines that clipboard is also a standard part of VNC... oh, huch, it's not there! (Just a random note that Unicode is impossible, but not that clipboard is defined as part of the protocol at all.) Ah, I know... Surely, it must be on http://en.wikipedia.org/wiki/RFB_protocol... No, same thing there. Strange.

It should be strictly understood that something not being mentioned in the Wikipedia article doesn't mean that doesn't exist at all, since Wikipedia is _not_ authoritative information source. The authoritative information source would be the formal specification of the protocol explicitly defining the set of event types and explicitly prohibiting non-defined event types, otherwise implementations are free to define and use their own event types being in fact extensions of the protocol. It's defined nowhere that VNC is _exactly_ open-source IP KVM and nothing more.

P.S. I was just reporting bug. I hope at least some software finds a better solution. Have fun.

I'd suggest you find alternative product allowing you to explicitly configure that clipboard is not transmitted to the host under control instead of struggling with the product limitations and design flaws.

--
Sincerely Yours, Dan.

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
I could never lower myself to your level so I guess you win

On 01/25/2012 10:32 AM, GloW - XD wrote:

you are seriously more retarded than even the n3td3v+me+you together...damn army..!

On 25 January 2012 19:29, Peter Osterberg j...@vel.nu wrote:

Wasn't the original thread originally about VNC?

On 01/25/2012 09:27 AM, GloW - XD wrote:

derp, do you know what KVM IP is ? read up on how that relays ;) that's that. XD

On 25 January 2012 18:44, Peter Osterberg j...@vel.nu wrote:

On 01/24/2012 07:18 PM, Mario Vilas wrote:

Guys, could you please read carefully everything before you reply?

I read carefully. It still didn't make sense, though.

And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?

I don't know how you could get to such a conclusion from what I wrote. You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.

I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted, this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed. So whatever was in the clipboard buffer is transmitted to the server on connection. This is at least the assumption I make from reading Ben's mails.

Or... Is there a clipboard flag saying there is something on the clipboard, but it isn't transmitted until the user actually pastes? I haven't really got any experience with how the clipboard feature is implemented. My assumption is however that it has to be on server for notepad to be aware that Paste shouldn't be grayed out...

I think Ben's report makes complete sense actually, it would be better to have the clipboard feature as a default. Security before features... =)

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
IP KVM, in which the foreign server basically gets only inbound Keyboard and Mouse and outbound uncompressed pixels.

That is *precisely* what VNC is: an open-source IP KVM.

No, it's not. I won't go into the differences because other people already did in this thread.

And please don't turn this into you're stupid, because I've seen others with the same setup. As mentioned, I know of a government agency with highly competent IT staff who had a similar setup: normal and sensitive work is on the desktop/notebook and Internet access (which is considered insecure) is on a remote machine, with a viewer on the desktop.

That proves nothing. For example, there are many SCADA devices owned by government agencies connected to the Internet, but that doesn't mean it's a good idea to do so.

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
I'm not sure how the clipboard works in Linux desktops (I understand it's a little different), but at least in Windows environments data has to be copied to the clipboard when you hit Ctrl-C. It can't be copied when you hit Ctrl-V because then the applications wouldn't know if there is anything to paste (like you said, the button would be grayed). So to replicate this behavior it's necessary to send the data as it's copied, not as it's pasted.

Most (not all, but most) desktop systems assume clipboard data can be freely shared with all applications and don't have any kind of isolation at all. VNC was designed with the same idea.

The bottom line is, the problem here is using VNC for what Ben is using it. There are many more problems with that scenario and clipboard sharing may be the least of them.

On Wed, Jan 25, 2012 at 8:44 AM, Peter Osterberg j...@vel.nu wrote:

On 01/24/2012 07:18 PM, Mario Vilas wrote:

Guys, could you please read carefully everything before you reply?

I read carefully. It still didn't make sense, though.

And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?

I don't know how you could get to such a conclusion from what I wrote. You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.

I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted, this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed. So whatever was in the clipboard buffer is transmitted to the server on connection. This is at least the assumption I make from reading Ben's mails.

Or... Is there a clipboard flag saying there is something on the clipboard, but it isn't transmitted until the user actually pastes? I haven't really got any experience with how the clipboard feature is implemented. My assumption is however that it has to be on server for notepad to be aware that Paste shouldn't be grayed out...

I think Ben's report makes complete sense actually, it would be better to have the clipboard feature as a default. Security before features... =)

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
Fair enough :)

On Wed, Jan 25, 2012 at 10:59 AM, Peter Osterberg j...@vel.nu wrote:

On 01/25/2012 10:54 AM, Mario Vilas wrote:

The bottom line is, the problem here is using VNC for what Ben is using it. There are many more problems with that scenario and clipboard sharing may be the least of them.

That may very well be true. I am not trying to debate that.

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 01/25/2012 10:54 AM, Mario Vilas wrote:

The bottom line is, the problem here is using VNC for what Ben is using it. There are many more problems with that scenario and clipboard sharing may be the least of them.

That may very well be true. I am not trying to debate that.

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
That's not necessarily true. On Windows you can add custom clipboard formats that would contain a 'link' to the original source, causing the data to be actually passed when pasting. An example of this is when one copy+pastes a file. See the Windows Clipboard API for more info.

Chris.

On Wed, Jan 25, 2012 at 10:54 AM, Mario Vilas mvi...@gmail.com wrote:

I'm not sure how the clipboard works in Linux desktops (I understand it's a little different), but at least in Windows environments data has to be copied to the clipboard when you hit Ctrl-C. It can't be copied when you hit Ctrl-V because then the applications wouldn't know if there is anything to paste (like you said, the button would be grayed). So to replicate this behavior it's necessary to send the data as it's copied, not as it's pasted.

Most (not all, but most) desktop systems assume clipboard data can be freely shared with all applications and don't have any kind of isolation at all. VNC was designed with the same idea.

The bottom line is, the problem here is using VNC for what Ben is using it. There are many more problems with that scenario and clipboard sharing may be the least of them.

On Wed, Jan 25, 2012 at 8:44 AM, Peter Osterberg j...@vel.nu wrote:

On 01/24/2012 07:18 PM, Mario Vilas wrote:

Guys, could you please read carefully everything before you reply?

I read carefully. It still didn't make sense, though.

And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?

I don't know how you could get to such a conclusion from what I wrote. You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.

I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted, this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed. So whatever was in the clipboard buffer is transmitted to the server on connection. This is at least the assumption I make from reading Ben's mails.

Or... Is there a clipboard flag saying there is something on the clipboard, but it isn't transmitted until the user actually pastes? I haven't really got any experience with how the clipboard feature is implemented. My assumption is however that it has to be on server for notepad to be aware that Paste shouldn't be grayed out...

I think Ben's report makes complete sense actually, it would be better to have the clipboard feature as a default. Security before features... =)

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
Windows is even more secure, have you actually, read any of the code /

On 25 January 2012 21:30, Christian Sciberras uuf6...@gmail.com wrote:

That's not necessarily true. On Windows you can add custom clipboard formats that would contain a 'link' to the original source, causing the data to be actually passed when pasting. An example of this is when one copy+pastes a file. See the Windows Clipboard API for more info.

Chris.

On Wed, Jan 25, 2012 at 10:54 AM, Mario Vilas mvi...@gmail.com wrote:

I'm not sure how the clipboard works in Linux desktops (I understand it's a little different), but at least in Windows environments data has to be copied to the clipboard when you hit Ctrl-C. It can't be copied when you hit Ctrl-V because then the applications wouldn't know if there is anything to paste (like you said, the button would be grayed). So to replicate this behavior it's necessary to send the data as it's copied, not as it's pasted.

Most (not all, but most) desktop systems assume clipboard data can be freely shared with all applications and don't have any kind of isolation at all. VNC was designed with the same idea.

The bottom line is, the problem here is using VNC for what Ben is using it. There are many more problems with that scenario and clipboard sharing may be the least of them.

On Wed, Jan 25, 2012 at 8:44 AM, Peter Osterberg j...@vel.nu wrote:

On 01/24/2012 07:18 PM, Mario Vilas wrote:

Guys, could you please read carefully everything before you reply?

I read carefully. It still didn't make sense, though.

And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?

I don't know how you could get to such a conclusion from what I wrote. You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.

I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted, this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed. So whatever was in the clipboard buffer is transmitted to the server on connection. This is at least the assumption I make from reading Ben's mails.

Or... Is there a clipboard flag saying there is something on the clipboard, but it isn't transmitted until the user actually pastes? I haven't really got any experience with how the clipboard feature is implemented. My assumption is however that it has to be on server for notepad to be aware that Paste shouldn't be grayed out...

I think Ben's report makes complete sense actually, it would be better to have the clipboard feature as a default. Security before features... =)

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”

Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
INSECURE i mean*

On 25 January 2012 21:30, Christian Sciberras uuf6...@gmail.com wrote:
> That's not necessarily true. On windows you can add custom clipboard formats that would contain a 'link' to the original source, causing the data to be actually passed when pasting. An example of this is when one copy+pastes a file. See the Windows Clipboard API for more info.
>
> Chris.
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
No, I only read the manual. Now go troll somewhere else. :)

On Wed, Jan 25, 2012 at 11:35 AM, GloW - XD doo...@gmail.com wrote:
> Windows is even more secure, have you actually read any of the code?
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 25.01.2012 08:44, Peter Osterberg wrote:
> I don't think that is what Ben is saying. The clipboard gets sent to the server even before it is pasted, this happens without the user knowing of it. Notepad would have the paste button grayed otherwise, if the clipboard is empty, right? So it is already on the server before paste is pressed.

Exactly. I take offense in that "without the user knowing it" part.

I chose my reproduction specifically with a mouse action and not Ctrl-V so that the VNC viewer cannot know I tried to paste in notepad.exe and cannot have transmitted the information at that moment only. It means that Windows had the information all along, at the moment when I copied, which means the remote Windows reads all my copies on the local X11, not just when I paste in Windows. That and only that is the problem.

Possible solution, concretely: "Paste" button on VNC viewer toolbar.

If the user presses the button, the viewer sends the clipboard to the remote machine at that moment, and then triggers a Ctrl-V keypress in the remote machine.

If the user doesn't press the button, but focuses the VNC viewer and presses Ctrl-V, the viewer sends the clipboard to the remote machine and only then sends the Ctrl-V to the remote machine.

In both cases, mouse or keyboard, you wouldn't need any more actions in practice. You still do Ctrl-C in your Linux app, switch to the viewer, press Ctrl-V there, and you got the text in notepad.exe.

Of course that would be configurable so that you can change the key combo, e.g. for Macs, or to disable sending the key combo after the Paste button, or to disable the clipboard entirely.

Dan Yefimov, the RFB specification from 2007 happens to be linked from the page I mentioned, and funny enough... copypaste / clipboard isn't mentioned with a single word either. Now, obviously, it is possible somehow, because it's working, so there is some way, but it was never part of the protocol. And it cannot be claimed that every user somehow naturally knows how exactly it works and he realizes what it implies concretely for his work.

Ben
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
fuckoff you ragdoll... i dont troll, and many on this fucking list knows it... fuckit... i aint paying shit to anyone on this list, enjoy finding your 0days, and, the next admins, go ahead and rm me, coz i will be dropping your ass of a FD , until it makes me. go die, and, maybe, you wont have money, and then, maybe, you will have 10 wives, with 10 kids,. now go eat a burger. rat

On 25 January 2012 21:38, Christian Sciberras uuf6...@gmail.com wrote:
> No, I only read the manual. Now go troll somwhere else. :)
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
and stupidly, you forgot to add in the second PRIVT post i sent you, saying i meant *insecure :) now, go try tell me windows vnc is secure again...and, then setup a vnc on your box, and, under win32, try your best, when you're ready, yell out, so i can make a complete fucking fool of ya. ok ? if this is how you want to play, i am challenging you, if i can own a shitty windows setup you 'secure' as best you can, here on fd, is this trolling is it ? its a challenge... maybe, if you read the lame rfb and, pixelisation via IP KVM, unfortunately for windows, it aint any different, a pixel is placed at X or Y, and, you can place data calls to it, from server which, could be, my bot :) want more proof,...keep going with my challenge then.

On 25 January 2012 21:38, Christian Sciberras uuf6...@gmail.com wrote:
> No, I only read the manual. Now go troll somewhere else. :)
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
For the record... who are the other 'many on this list' that know you don't troll other than your alter egos? 'course you don't troll can you quote me where I ever said VNC is secure? With that, I'll let you troll in peace. I have no interest talking to you anyway... :)

On Wed, Jan 25, 2012 at 12:04 PM, GloW - XD doo...@gmail.com wrote:
> and stupidly, you forgot to add in the second PRIVT post i sent you, saying i meant *insecure :) now, go try tell me windows vnc is secure again...and, then setup a vnc on your box, and, under win32, try your best, when you're ready, yell out, so i can make a complete fucking fool of ya. ok ? if this is how you want to play, i am challenging you, if i can own a shitty windows setup you 'secure' as best you can, here on fd, is this trolling is it ? its a challenge... maybe, if you read the lame rfb and, pixelisation via IP KVM, unfortunately for windows, it aint any different, a pixel is placed at X or Y, and, you can place data calls to it, from server which, could be, my bot :) want more proof,...keep going with my challenge then.
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On Wed, Jan 25, 2012 at 2:55 AM, Ben Bucksch n...@bucksch.org wrote:
> Dear coderman, posting mails that were explicitly marked offlist on the public list is no-go.

you must be new around here... why not let everyone learn from your fail?
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
What was the offlist message he was referring to? Cause yeah, he sounds pretty new here with that kind of message. People bring in outside conversations all the time, especially if they feel it is relevant to the topic at hand.

Speaking of the topic at hand: I agree with the crowd that says it is not explicitly a security bug, but more like a lack of a good feature. It should be off by default, and someone on the list already made a patch to remove the clipboard which you shouldn't be using for sensitive information while connected to untrustworthy computers anyways. The developers should be notified that they need the feature to turn clipboard sharing off, but if they don't choose a different vnc and be on your way.

I don't view it as a security bug because it's a policy bug. It's not something where this problem exists ergo I can exploit it, it's a problem where if they do something stupid, I can take advantage of it, and oh hey their client by default doesn't mitigate this.

And before someone yells at me for how I separate software bugs and policy bugs by pointing out something like a client side attack: I view such things as a mix. Policy bug that they are falling for it, and software bug for the actual exploit.

And really this is a good example of a situation where if you are worried about this you have bigger problems. Why must you use vnc? Why is what you're connecting to untrustworthy? What information is directly at risk if the box you're connecting to is compromised? What information is indirectly at risk? Does the box running suspicious programs have access to the internet? Etc. Once you start going down the list on things that should be done, the need to worry about this kind of bug becomes less and less relevant. Meaning if this kind of problem IS relevant then I would almost bet money that you are doing other things really wrong and so an attacker or a bad app doesn't need to use this because they got far more easier and more rewarding things to try.

On Jan 25, 2012 9:45 AM, coderman coder...@gmail.com wrote:
> On Wed, Jan 25, 2012 at 2:55 AM, Ben Bucksch n...@bucksch.org wrote:
>> Dear coderman, posting mails that were explicitly marked offlist on the public list is no-go.
>
> you must be new around here... why not let everyone learn from your fail?
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
Those who try to manage potentially malicious servers do so over IP KVM, in which the foreign server basically gets only inbound Keyboard and Mouse and outbound uncompressed pixels.

Feature or bug, vnc or ip kvm, the same behavior has a virtual box virtualized machine with shared clipboard. You can choose disabled, direction and bidirectional (by default).

Something to keep in mind, at least the beginners like me. Just run in the guest and see your clipboard, sure there are more elegant ways of doing the same. (tested linux in linux with virtual box and linux in mac with vmware)

    while true; do
        xsel -p; echo    # primary selection
        xsel -s; echo    # secondary selection
        xsel -b; echo    # clipboard
    done

Carlos Pantelides - http://seguridad-agile.blogspot.com/
[Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
Affected Products: GNOME Vinagre and many other VNC viewers

Reproduction:
1. On your trusted desktop (e.g. Linux), open a text editor
2. Type "My password", select the text, and hit Ctrl-C
3. Open a Vinagre VNC connection to a remote host, e.g. running an untrusted Windows
4. On the remote Windows host, open notepad.exe
5. In notepad's menu bar, using the mouse, click on Edit|Paste

Actual result: notepad.exe shows "My password"
Expected result: Nothing.

Impact: Because I use a different password for every service, I have to copypaste them (on my trusted desktop). However, the remote machine is not trusted. In some cases, it's owned by a different company, in other cases I use VNC and a different machine specifically because I don't trust the software and want it jailed. If the untrusted host can get to my passwords from my trusted desktop, that's a critical security hole, because my passwords leak, and they may well give full access to other machines, my bank account or other highly sensitive data.

Affected users: Using VNC is a common usage pattern also used by government agencies handling highly sensible documents (on the trusted host desktop system) while moving dangerous but necessary uses like Internet access, Windows system and similar needs on physically different machines that are accessed via VNC. The purpose is that the untrusted system has no way to get to the information on the trusted desktop, but that assumption is violated here. Even normal users will be at risk. Many copypaste passwords, or they copypaste snippets of sensitive Word processing documents, e.g. business plans.

Solution: Given that most users are unaware of this risk, although the danger may nevertheless be very real for them, it is necessary for the default configuration to be secure. They cannot be expected to actively change preferences or the software to protect themselves, because the problem isn't obvious in the first place.

Possible solutions:
1) a pref, with default off and a clear warning about this problem, because many users will not be aware of it. A pref with default on or without a clear warning is *not* sufficient.
2) Better yet: A button on the toolbar "Copy clipboard". Text is copied from host desktop clipboard to remote machine clipboard only when that button is pressed.
3) A combination of 1) and 2)

Vendor response: The maintainer of the application has been informed via bugzilla, but has refused to acknowledge it as security problem. https://bugzilla.gnome.org/show_bug.cgi?id=668544
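Added example (not part of the original post, and not Vinagre's code): a Python model of the viewer-side policy proposed in this advisory and in Ben's follow-up in this thread, where the local clipboard leaves the trusted desktop only on an explicit paste action. It encodes the RFB ClientCutText and KeyEvent client messages as laid out in RFC 6143; `ClipboardGate`, its mode names, `audit_cut_text` and `simulate` are hypothetical names, and the session data is constructed.

```python
import struct

# RFB client-to-server message types (RFC 6143, section 7.5).
SET_PIXEL_FORMAT, SET_ENCODINGS, FB_UPDATE_REQUEST = 0, 2, 3
KEY_EVENT, POINTER_EVENT, CLIENT_CUT_TEXT = 4, 5, 6

XK_CONTROL_L = 0xFFE3  # X11 keysym: left Control
XK_V = 0x0076          # X11 keysym: 'v'


def client_cut_text(text):
    """ClientCutText: u8 type, 3 padding bytes, u32 length, Latin-1 text."""
    data = text.encode("latin-1", errors="replace")
    return struct.pack(">B3xI", CLIENT_CUT_TEXT, len(data)) + data


def key_event(keysym, down):
    """KeyEvent: u8 type, u8 down-flag, 2 padding bytes, u32 keysym."""
    return struct.pack(">BB2xI", KEY_EVENT, 1 if down else 0, keysym)


class ClipboardGate:
    """Hypothetical viewer-side policy for when the local clipboard is sent.

    "auto":     every local copy is forwarded at once (the reported behaviour)
    "on_paste": forwarded only on an explicit paste action (the proposal)
    "off":      never forwarded
    """

    MODES = ("auto", "on_paste", "off")

    def __init__(self, mode="off"):
        if mode not in self.MODES:
            raise ValueError("unknown mode: %r" % (mode,))
        self.mode = mode
        self._local = None  # last text copied on the trusted desktop

    def on_local_copy(self, text):
        """Local clipboard changed. Returns the bytes to put on the wire."""
        self._local = text
        return client_cut_text(text) if self.mode == "auto" else b""

    def on_paste_request(self):
        """Toolbar Paste button, or Ctrl-V typed while the viewer has focus.

        In "on_paste" mode the clipboard is sent first and Ctrl-V second, so
        the remote application pastes what was just delivered.
        """
        if self.mode != "on_paste" or self._local is None:
            return b""
        return (client_cut_text(self._local)
                + key_event(XK_CONTROL_L, True) + key_event(XK_V, True)
                + key_event(XK_V, False) + key_event(XK_CONTROL_L, False))


def audit_cut_text(stream):
    """Walk a post-handshake client-to-server byte stream and return the text
    of every ClientCutText message, i.e. what left the trusted desktop."""
    fixed = {SET_PIXEL_FORMAT: 20, FB_UPDATE_REQUEST: 10,
             KEY_EVENT: 8, POINTER_EVENT: 6}
    found, pos = [], 0
    while pos < len(stream):
        mtype = stream[pos]
        if mtype in fixed:
            size = fixed[mtype]
        elif mtype == SET_ENCODINGS and pos + 4 <= len(stream):
            size = 4 + 4 * struct.unpack_from(">H", stream, pos + 2)[0]
        elif mtype == CLIENT_CUT_TEXT and pos + 8 <= len(stream):
            size = 8 + struct.unpack_from(">I", stream, pos + 4)[0]
        else:
            raise ValueError("unknown or truncated message at offset %d" % pos)
        if pos + size > len(stream):
            raise ValueError("truncated message at offset %d" % pos)
        if mtype == CLIENT_CUT_TEXT:
            found.append(stream[pos + 8:pos + size].decode("latin-1"))
        pos += size
    return found


def simulate(mode):
    """Constructed session: copy locally, move the mouse in the viewer, paste.

    Returns (texts sent before the paste action, texts sent by the paste).
    """
    gate = ClipboardGate(mode)
    before = gate.on_local_copy("My password")
    before += struct.pack(">BBHH", POINTER_EVENT, 0, 100, 120)  # mouse move
    after = gate.on_paste_request()
    return audit_cut_text(before), audit_cut_text(after)


if __name__ == "__main__":
    for mode in ClipboardGate.MODES:
        print(mode, simulate(mode))
```

`audit_cut_text` can also be pointed at a recorded client-to-server stream to check what a given viewer configuration actually forwards.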
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 2012-01-24 13:34, Ben Bucksch wrote:
> Possible solutions:
> 1) a pref, with default off and a clear warning about this problem, because many users will not be aware of it. A pref with default on or without a clear warning is *not* sufficient.
> 2) Better yet: A button on the toolbar Copy clipboard Text is copied from host desktop clipboard to remote machine clipboard only when that button is pressed.
> 3) A combination of 1) and 2)

Many viewers, including RealVNC have the option to disable the shared clipboard. Check your preferences.

--
Message sent via my webmail account.
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On Tue, Jan 24, 2012 at 2:34 PM, Ben Bucksch n...@bucksch.org wrote:

> Actual result: notepad.exe shows My password
> Expected result: Nothing.

No. Expected result is to have the clipboard text sent to the remote machine, if you have your client configured to do so.

In a really security sensitive environment you wouldn't be using the clipboard for passwords anyway. Or you would disable clipboard sharing. Or you wouldn't use a cleartext protocol to begin with.

You might as well report that if the user copies the password to the clipboard at any other point during the session it also gets sent to the server. I don't see why this should be the concern of the developers of any VNC client.

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
> Guys, could you please read carefully everything before you reply?

I read carefully. It still didn't make sense, though.

> And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?

I don't know how you could get to such a conclusion from what I wrote.

You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious and not a security hole that needs to be plugged.

On top of that, the attack scenario doesn't sound too good either. I fail to see why would you need to copypaste a password to access an untrusted machine and then worry that machine might get to see the password to itself. Also, most VNC servers store the password in clear text in the configuration, and the entire protocol is in plain text, for crying out loud. A scenario where this could be a problem is so bizarre I sincerely can't blame the

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 24.01.2012 16:32, Giles Coochey wrote:

> Many viewers, including RealVNC have the option to disable the shared clipboard. Check your preferences.

Indeed. But Vinagre doesn't. Even then, that is not sufficient, as explained in length.
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 24.01.2012 18:07, Mario Vilas wrote:

> Expected result is to have the clipboard text sent to the remote machine, if you have your client configured to do so

But I haven't done so. That's the bug.

> security sensitive environment you wouldn't be using the clipboard for passwords anyway.

And you wouldn't be allowed to use copypaste while you edit sensitive documents either, I guess?

Guys, could you please read carefully everything before you reply?

Ben
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 24.01.2012 19:18, Mario Vilas wrote:

> You're reporting that if you copy and paste sensitive information and connect to a VNC session your clipboard data gets sent to the remote machine. That's pretty obvious

If I have a VNC window somewhere on my desktop (in my case a virtual desktop or minimized), and continue with my work, 3 hours later when I work on some document or use some webapp, I don't remember that I have VNC session open and no, it's not obvious at all that this other host can read the communication between my local apps.

> On top of that, the attack scenario doesn't sound too good either. I fail to see why would you need to copypaste a password to access an untrusted machine and then worry that machine might get to see the password to itself.

You misunderstood. The remote machine can see *any* clipboard entries, even if I do something entirely different in a completely different application. I am browsing or using SSH and paste my password there, because the FF password manager failed, or I'm in a word processor or email app and write some document, which is entirely unrelated to the VNC session. I haven't looked at the VNC host since hours (but I have it constantly open for tasks that I need to do with untrusted software in a jail).
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 24/01/2012 16:06, Ben Bucksch wrote:

> On 24.01.2012 16:32, Giles Coochey wrote:
> > Many viewers, including RealVNC have the option to disable the shared clipboard. Check your preferences.
>
> Indeed. But Vinagre doesn't. Even then, that is not sufficient, as explained in length.

I'm afraid as others have pointed out that by putting something in the Clipboard any local application can access that data, that's the point of the clipboard, to transfer the data between applications.

Now your argument is that you use an application that passes that clipboard to a remote server. From the forum posts I have seen this is an often requested feature and not usually considered a bug.

The bug is what you're using the clipboard for, as you could have phrased your post that the problem is that the clipboard uses a plain text storage mechanism which makes the clipboard unsuitable for secure storage.

In any case, while not an option, there is a trivial patch to disable clipboard sharing in Vinagre: --- a/src/vncconnection.c +++ b/src/vncconnection.c @@ -1579,14 +1579,7 @@ gboolean vnc_connection_client_cut_text(VncConnection *conn, const void *data, size_t length) { - guint8 pad[3] = {0}; - - vnc_connection_buffered_write_u8(conn, 6); - vnc_connection_buffered_write(conn, pad, 3); - vnc_connection_buffered_write_u32(conn, length); - vnc_connection_buffered_write(conn, data, length); - vnc_connection_buffered_flush(conn); - return !vnc_connection_has_error(conn); + return TRUE; }
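
Review bot: the replacement body `return TRUE;` in vnc_connection_client_cut_text() discards the clipboard data silently and reports success unconditionally, so callers cannot tell that nothing was sent and the behaviour cannot be turned back on without rebuilding. Consider keeping the removed write sequence and guarding it with a connection-level setting that defaults to off, rather than deleting it; if the stub stays, the now-unused conn, data and length parameters should be marked as such, and a comment should say why the function is a no-op. The removed lines write message type 6 followed by padding, a 32-bit length and the data, which is the RFB ClientCutText message sent from the viewer to the server, so this hunk only stops the local clipboard from going out; whatever code handles cut text arriving from the server is not part of this hunk and is unchanged. The removed `return !vnc_connection_has_error(conn);` also means a connection already in an error state is no longer reported through this call.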
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 24.01.2012 20:08, Giles Coochey wrote:

> I have seen this is an often requested feature

Yes, I understand. It can be highly useful. That's why I proposed to make a Paste button in the main toolbar (probably with a keyboard shortcut, too). So, the user would have to press one more button / key (3 actions instead of 2) for the information to travel to the remote host. Compared to the risk, I think that's an acceptable tradeoff.

Please tell me that you have never ever copied a password (or anything else highly sensitive) using the clipboard.

I guess what makes my case and the government agency case different is that for you and others, VNC is typically the primary focus, but here on my machine it's running all the time, I have several test machines with untrusted software running and connected *always*.

> --- a/src/vncconnection.c +++ b/src/vncconnection.c

Thanks for the patch! Giles +1

Ben
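
The opt-in behaviour proposed in this thread (no automatic transfer; clipboard text reaches the server only through a default-off preference or an explicit button press) can be sketched as below. This is an added example, not code from Vinagre or gtk-vnc: `clip_gate` and its functions are hypothetical names, the sample text is constructed, and only the message layout (type 6, three pad bytes, 32-bit length, data) is taken from the patch quoted earlier in the thread.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define RFB_CLIENT_CUT_TEXT 6   /* message type written by the patched function */
#define CLIP_MAX 4096           /* constructed size limit for this sketch */

/* Hypothetical viewer-side state; these names are not from Vinagre or gtk-vnc. */
typedef struct {
    int     auto_share;             /* proposal 1: preference, default 0 (off) */
    uint8_t pending[CLIP_MAX];      /* latest local clipboard text, kept local */
    size_t  pending_len;
    uint8_t wire[8 + CLIP_MAX];     /* bytes queued for the server */
    size_t  wire_len;
} clip_gate;

void clip_gate_init(clip_gate *g) { memset(g, 0, sizeof *g); }

/* ClientCutText: u8 type, 3 pad bytes, u32 big-endian length, then the text. */
static size_t encode_cut_text(uint8_t *out, const uint8_t *text, size_t len)
{
    out[0] = RFB_CLIENT_CUT_TEXT;
    out[1] = out[2] = out[3] = 0;
    out[4] = (uint8_t)(len >> 24);
    out[5] = (uint8_t)(len >> 16);
    out[6] = (uint8_t)(len >> 8);
    out[7] = (uint8_t)len;
    memcpy(out + 8, text, len);
    return 8 + len;
}

/* Move the held text onto the wire and forget the local copy. */
static int clip_gate_flush(clip_gate *g)
{
    if (g->pending_len == 0)
        return 0;                   /* nothing to send */
    g->wire_len = encode_cut_text(g->wire, g->pending, g->pending_len);
    memset(g->pending, 0, sizeof g->pending);
    g->pending_len = 0;
    return 1;
}

/* Local clipboard changed. Returns 1 only if bytes were queued for the server. */
int clip_gate_on_local_copy(clip_gate *g, const void *text, size_t len)
{
    if (len > CLIP_MAX)
        return -1;                  /* refuse rather than truncate */
    memset(g->pending, 0, sizeof g->pending);
    memcpy(g->pending, text, len);
    g->pending_len = len;
    return g->auto_share ? clip_gate_flush(g) : 0;
}

/* Proposal 2: the only other path to the wire is an explicit user action. */
int clip_gate_on_send_button(clip_gate *g) { return clip_gate_flush(g); }

int main(void)
{
    clip_gate g;
    clip_gate_init(&g);
    clip_gate_on_local_copy(&g, "My password", 11);   /* constructed sample */
    printf("after copy: %zu bytes queued\n", g.wire_len);
    clip_gate_on_send_button(&g);
    printf("after button: %zu bytes queued\n", g.wire_len);
    return 0;
}
```

A real viewer would read the clipboard at the moment the button is pressed instead of holding a copy; the `pending` buffer stands in for that here.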
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 24/01/2012 19:20, Ben Bucksch wrote:

> On 24.01.2012 20:08, Giles Coochey wrote:
> > I have seen this is an often requested feature
>
> Yes, I understand. It can be highly useful. That's why I proposed to make a Paste button in the main toolbar (probably with a keyboard shortcut, too). So, the user would have to press one more button / key (3 actions instead of 2) for the information to travel to the remote host. Compared to the risk, I think that's an acceptable tradeoff.
>
> Please tell me that you have never ever copied a password (or anything else highly sensitive) using the clipboard.

I have done this, and I have understood the risks.

> I guess what makes my case and the government agency case different is that for you and others, VNC is typically the primary focus, but here on my machine it's running all the time, I have several test machines with untrusted software running and connected *always*.

In my personal experience there was a case (a CDE - credit card data environment) where clipboard segregation between remote and local systems was a requirement. It was in this case that Citrix was chosen over other competing 'remote-application' products because of a feature it had to disable the seamless clipboard functionality.

I think whether this is a security issue depends on whether the VNC viewer in question is a fit tool for what you're using it for. Otherwise others may say it's a feature and not a bug, or at least your bug is my feature. I would see if you could ask them to have it as an optional feature though.

I would confirm that patch functions first - I found it in a thread regarding errors connecting to Mac OS X servers, and from the patch information, it may only stop the clipboard from server to client and not vice versa, but having seen it, I would imagine that you can find all the clipboard functions in the source and pretty much comment out their code.
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
Ben Bucksch wrote:

> Even then, that is not sufficient, as explained in length.

No -- what you explained in length _and_ seem impervious to understanding, despite a couple of respondents explaining it quite clearly, is that you have chosen to perform ongoing sensitive work in an environment where doing so, at best, represents a highly questionable security stance.

_Part_ of what contributes to that questionability is your choice to more-or-less continuously run an application that you should always have known leaks access to the clipboard of what you oddly choose to describe as a trusted desktop (odd, because you should know that exposing the host clipboard to the client is common -- in fact, probably the standard default -- functionality of VNC clients).

That your chosen/preferred/whatever VNC client does not allow you to turn off, or otherwise modify or monitor this functionality is not a security vulnerability or bug, as you seem intent on portraying it. It may be an undesirable feature (or, more accurately, lack of a feature) but don't you have other VNC clients to choose from? Must you use this particular VNC client? If so and this method of working is so critical to you, should you not choose a different platform for your trusted desktop and run a more suitably configurable VNC client?

Or, if your sensitive work is really that sensitive, should you not invest in a second machine for remotely monitoring/interacting with the untrusted, sandboxed applications you need to run, so that they really are securely separated (can we all say air gap?) from your more sensitive operations? It would not have to be a very heavy-duty machine -- a very low-end netbook style machine, or possibly even a cheap tablet-style device may more than suffice...

... Another part of that questionability is obvious to anyone with nous reading this list...

Regards,
Nick FitzGerald
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
Those who try to manage potentially malicious servers do so over IP KVM, in which the foreign server basically gets only inbound Keyboard and Mouse and outbound uncompressed pixels. Anything more is untrusted, for a reason.

On Tue, Jan 24, 2012 at 5:50 PM, Nick FitzGerald n...@virus-l.demon.co.uk wrote:

> Ben Bucksch wrote:
>
> > Even then, that is not sufficient, as explained in length.
>
> No -- what you explained in length _and_ seem impervious to understanding, despite a couple of respondents explaining it quite clearly, is that you have chosen to perform ongoing sensitive work in an environment where doing so, at best, represents a highly questionable security stance.
>
> _Part_ of what contributes to that questionability is your choice to more-or-less continuously run an application that you should always have known leaks access to the clipboard of what you oddly choose to describe as a trusted desktop (odd, because you should know that exposing the host clipboard to the client is common -- in fact, probably the standard default -- functionality of VNC clients).
>
> That your chosen/preferred/whatever VNC client does not allow you to turn off, or otherwise modify or monitor this functionality is not a security vulnerability or bug, as you seem intent on portraying it. It may be an undesirable feature (or, more accurately, lack of a feature) but don't you have other VNC clients to choose from? Must you use this particular VNC client? If so and this method of working is so critical to you, should you not choose a different platform for your trusted desktop and run a more suitably configurable VNC client?
>
> Or, if your sensitive work is really that sensitive, should you not invest in a second machine for remotely monitoring/interacting with the untrusted, sandboxed applications you need to run, so that they really are securely separated (can we all say air gap?) from your more sensitive operations? It would not have to be a very heavy-duty machine -- a very low-end netbook style machine, or possibly even a cheap tablet-style device may more than suffice...
>
> ... Another part of that questionability is obvious to anyone with nous reading this list...
>
> Regards,
> Nick FitzGerald
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 25.01.2012 00:09, Dan Kaminsky wrote:

> IP KVM, in which the foreign server basically gets only inbound Keyboard and Mouse and outbound uncompressed pixels.

That is *precisely* what VNC is: an open-source IP KVM.

And please don't turn this into you're stupid, because I've seen others with the same setup. As mentioned, I know of a government agency with highly competent IT staff who had a similar setup: normal and sensitive work is on the desktop/notebook and Internet access (which is considered insecure) is on a remote machine, with a viewer on the desktop.

To make it clear: I take offense in the copying being *automatic*. I have nothing against the clipboard feature, per se. But if something happens automatically, how am I supposed to know that it happens? The user should make a conscious choice. That thinking would also help him realize the risk.

Secure by default.
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On Wed, Jan 25, 2012 at 12:47:28AM +0100, Ben Bucksch wrote:

> On 25.01.2012 00:09, Dan Kaminsky wrote:
> > IP KVM, in which the foreign server basically gets only inbound Keyboard and Mouse and outbound uncompressed pixels.
>
> That is *precisely* what VNC is: an open-source IP KVM.

What the hell? Seriously.. http://en.wikipedia.org/wiki/VNC

- Henri
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On Tue, Jan 24, 2012 at 3:47 PM, Ben Bucksch n...@bucksch.org wrote:

> ...
> That is *precisely* what VNC is: an open-source IP KVM.

*precisely* ??

you keep using that word. i do not think it means what you think it means...

this thread is full of lulz; you newbs might want to check out http://wiki.qubes-os.org/trac/wiki/CopyPaste
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On 25.01.2012 00:52, Henri Salo wrote:

> On Wed, Jan 25, 2012 at 12:47:28AM +0100, Ben Bucksch wrote:
> > On 25.01.2012 00:09, Dan Kaminsky wrote:
> > > IP KVM, in which the foreign server basically gets only inbound Keyboard and Mouse and outbound uncompressed pixels.
> >
> > That is *precisely* what VNC is: an open-source IP KVM.
>
> What the hell? Seriously.. http://en.wikipedia.org/wiki/VNC

hihi. Thanks.

It transmits the keyboard and mouse events from one computer to another, relaying the graphical screen updates back in the other direction, over a network.

The VNC protocol (RFB) is very simple, based on one graphic primitive from server to client ('Put a rectangle of pixel data at the specified X,Y position') and event messages from client to server.

Compare to above.

Now, the part where it defines that clipboard is also a standard part of VNC... oh, huch, it's not there! (Just a random note that Unicode is impossible, but not that clipboard is defined as part of the protocol at all.) Ah, I know... Surely, it must be on http://en.wikipedia.org/wiki/RFB_protocol... No, same thing there. Strange.

So much for the lulz...

Ben

P.S. I was just reporting a bug. I hope at least some software finds a better solution. Have fun.
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On Tue, Jan 24, 2012 at 6:45 PM, Ben Bucksch n...@bucksch.org wrote:

> ...
> The VNC protocol (RFB) is very simple, based on one graphic primitive from server to client ('Put a rectangle of pixel data at the specified X,Y position') and event messages from client to server.

what Dan was trying to point out to you was the vast difference in attack surface between an IP KVM and the VNC protocol and architecture.

IP KVM:
keyboard, video, mouse interface to physical ports.
dumb dumb dumb.

VNC:
not so simple
full of bugs year after year
privileged service running on host hooking into various OS facilities and exposing all sorts of vulnerabilities between server and client.
sma^H^H^H^H stupid stupid stupid (from a security perspective)

if you believe these present *precisely* the same risk profile, well... can i have some of what you're smoking?

On Tue, Jan 24, 2012 at 6:34 PM, Ben Bucksch n...@bucksch.org wrote:

> On 25.01.2012 02:05, coderman wrote:
> > you keep using that word. i do not think it means what you think it means...
>
> Where else did I use that word? And what does it mean, in your understanding, that differs from my usage? I checked the dict and it seems fine.

let me spell it out: your precise equivalency between a KVM device and a VNC service is neither accurate nor correct.

http://www.youtube.com/watch?v=OHVjs4aobqs
Re: [Full-disclosure] VNC viewers: Clipboard of host automatically sent to remote machine
On Tue, 24 Jan 2012 21:31:46 PST, coderman said:

> IP KVM: keyboard, video, mouse interface to physical ports. dumb dumb dumb.

Amen to that, brother. Not even pixel-level access here. It's all VGA analog video signal re-digitized and sent over IP (yes, really).

And you *really* don't want to know how modesetting a multisync monitor at the other end of an IP-KVM works. The details have been known to make grown men cry. ;)