Re: Windows Clipboard Exploit

From: Michel Gallant (MVP) (neutron@istar.ca)
Date: 12/23/02


Date: Mon, 23 Dec 2002 08:57:16 -0500
From: "Michel Gallant (MVP)" <neutron@istar.ca>


Robert,
Some settings might help, but with a fully patched Win2000 sp3, and "default configured" IE,
this apparent vulnerability is there (confirmed).
We can't expect users to have to do special configurations. We already know that
recently patched OE6 will prevent this, since embedded scripting within email
is disabled (Restricted Sites zone) by default.

Obviously, there is nothing wrong with being able to use the system clipboard
to paste its contents into any form element in a web page. However, this
should ONLY be allowed  **under user-directed control**.
A script being able to programatically (and transparently) read your clipboard is
definitely dangerous.

Consider this:
 - user visits a malicious web page unwittingly (or deliberately) with IE 5.0+
 - script in page reads system clipboard, pastes clipboard into some form text-element, reads it
    again into a HIDDEN form element, erases the visible text-element.
 - invites the user to SUBMIT the contents (or may be able to submit automatically to same site)
 - the user will NOT know that they are submitting hidden form element with their (supposedly
    private) clipboard contents.

 - say the user has PREVIOUSLY been doing an e-banking session, and had naively copied his/her
    pin #, for convenience, to clipboard ....  there you have it!

So what is Microsoft's take on this one?  please respond;  are we exaggerating the importance of
this?  should the scripting capability of document.execCommand be limited?

 - Michel Gallant
   MVP Security
   JavaScience Consulting
   http://pages.istar.ca/~neutron
 
 

Robert Moir wrote:

 Ok but its something that can be controlled by browser settings, right?
"Michel Gallant (MVP)" <neutron@istar.ca> wrote in message news:3E0657EB.FAA93D1E@istar.ca...if the clipboard contents can be pasted into a form element, than the page script
has the contents therein, and can subsequently POST it to that site automatically.
So this is an issue.
 - Mitch
 

Robert Moir wrote:

Can data actually be uploaded from that exploit demo to a web server? As it stands its just a very simple copy and paste of stuff between two local text windows via the clip board and no more an exploit than those things that list the c:\ drive in an iframe.
"Michel Gallant (MVP)" <neutron@istar.ca> wrote in message news:3E063811.CD859920@istar.ca...Clearly a HUGE and very easily exercised vulnerability!
Seems clear that the IE document.execCommand() should be
patched asap on this one.
Most people would be under the impression that local
clipboard access is a privileged action, which it obviously
is not for IE/script.
As usual, surf to random sites and you will sooner (rather than
later) be dinged by some sort of vulnerability.
But with the rising number of e-banking/shopping, this IS
a big one.

 - Michel Gallant
   MVP Security
   JavaScience Consulting
   http://pages.istar.ca/~neutron
 

Toby wrote:

WOW ...

http://www.ntfs.org/index.php?action=news&catid=1#news2317

That is nuts, i wont be copying and pasting passwords
anymore !

Websites can actually harvest your clipboard contents

Thanks for the heads up

I will put this in XP securty also before people start
getting hit

>-----Original Message-----
>http://www.ntfs.org/index.php?
action=news&catid=1#news2317
>
>--
>
>_____________________________
>Dr Reinhard W Rasche
>
>
>.
>



Relevant Pages

  • Re: Clipboard
    ... CLIP v2.2 - Store a text file in the Windows clipboard ... Set oAutoIt = CreateObject ... JSSys3.dll (System info. and operations component) ... -- torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide: ...
    (microsoft.public.scripting.vbscript)
  • Re: clipboard default value
    ... > Useful if the first job of the day is to search the web for the same key ... CLIP v2.2 - Store a text file in the Windows clipboard ... Just be aware that depending on your Internet Explorer security ... -- torgeir, Microsoft MVP Scripting and WMI, Porsgrunn Norway Administration scripting examples and an ONLINE version of the 1328 page Scripting Guide: ...
    (microsoft.public.windowsxp.general)
  • Re: Screencapture with VBS?
    ... WSH's SendKeys method with PrtScn doesn't put anything on the ... clipboard, so you will need a 3rd party component for this, ... A VBScript example that captures the full screen and saves ... Microsoft MVP Scripting and WMI, ...
    (microsoft.public.scripting.vbscript)
  • Re: Browser Information
    ... how do I block my clipboard ... To avoid an Internet Explorer security risk that allows a visited web site ... Tools - Options - Internet Zone - Custom Level; set security zone ... to Medium; scroll down to Scripting section; disable "Allow paste ...
    (comp.security.firewalls)
  • Re: Windows Clipboard Exploit
    ... Ok but its something that can be controlled by browser settings, ... if the clipboard contents can be pasted into a form element, than the page script ...
    (microsoft.public.security)