
Thread: Please test to see if this is a real vulnerability

  1. #1
    Chris.Murzda@nospam.com NNTP User

    Please test to see if this is a real vulnerability

    Is this really anything to be concerned about? This was forwarded to me
    from one of our security people.

    Type of Risk: Information Leakage, Information Injection, Unauthorized
    Access.


    Affected Software: Novell Client for Windows, versions 4.9 and 4.8 (On
    Windows XP Pro and Windows 2000 Workstation).
    These versions are the only ones tested, thus other versions may be
    vulnerable as well.


    Local / Remote activation: Local.


    Summary:

    1. Anyone with access to the computer's local operating system console,
    one using the Novell client login screen (when the console is locked),
    can view a textual content of the clipboard of the locally logged in
    user, by performing a paste command into the "user name" field of the
    login form.

    2. Anyone with access to the computer's local operating system console,
    one using the Novell client login screen (when the console is locked), can
    inject its own textual content into the clipboard of the currently
    logged-in user by adding, temporarily, a text string into the "user name"
    field of the login form, and then copy it into the clipboard.
    This can also be done if no user is yet logged-in to the computer (after
    booting the computer or after a user logged off).
    The text will remain in the clipboard after a user logged in, and if the
    user will perform a paste command the content will be injected into the
    user's console session.

    Summary Notes:
    1. One must remember that access to the console may be achieved not only
    by a local presence of the attacker but also via a remote control
    application, if one is installed on the computer.

    2. I assume non-textual content is accessible as well, but due to the
    nature of the relevant field in the login form only textual content can
    be pasted into it.

    Possible Abuses:
    1. A local attacker can read the last textual information added to the
    clipboard by the logged in user, without a need to authenticate.
    2. A local attacker can damage the logged in user's data if a careless
    user will paste the attacker's text into any application, and the user
    will not review it before using it.
    3. A local attacker can damage the logged in user's operating system or
    applications if a careless user will paste the attacker's text as a
    command, and the user will not review it before executing it.

    Reproduction:
    1. Clipboard read:
    a. Log in to the operating system.
    b. Open any text editor (or any textual field in the operating system or
    application), and write a unique text.
    c. Copy the text you just wrote (select it and press ctrl+c).
    d. Lock the console by pressing ctrl+alt+del and clicking on the "lock
    computer" button.
    e. Press ctrl+alt+del to open the Novell login form.
    f. Click in the "user name" field and if there is a text inside, delete it
    or select all of it.
    g. Press ctrl+v, and the text you copied before will appear in "user name"
    field.

    2. Clipboard write:
    a. Log in to the operating system.
    b. Lock the console by pressing ctrl+alt+del and clicking on the "lock
    computer" button.
    c. Press ctrl+alt+del to open the Novell login form.
    d. Click in the "user name" field and if there is a text inside, delete it
    or select all of it.
    e. Write a unique text.
    f. Copy the text you just wrote (select it and press ctrl+c).
    g. Delete this unique text.
    h. Perform a regular log in to the operating system.
    i. Open any text editor (or any textual field in the operating system or
    application), and press ctrl+v, and the text you copied before will
    appear.

    Steps "a" and "b" can be replaced by booting or restarting the operating
    system and once the graphical interface has been displayed, proceed to
    step c.

  2. #2
    Justin Grote [SysOp] NNTP User

    Re: Please test to see if this is a real vulnerability

    Chris.Murzda@nospam.com wrote:
    > Is this really anything to be concerned about? This was forwarded to me
    > from one of our security people.


    Not unless your users are in the habit of cutting and pasting passwords,
    I wouldn't worry about it. This is only a problem if someone put
    something in the clipboard that was sensitive before logging out.
    However, it requires local access to the machine, and there are *way*
    bigger concerns if someone can get local access to a machine. Booting
    off a CD and accessing the entire hard drive, for instance, or just
    booting into safe mode to bypass Novell login to access local files.

    --
    Justin Grote
    Novell Support Connection Sysop
    Network Architect
    JWG Networks
