Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:12771
HistoryMay 23, 2006 - 12:00 a.m.

Novell Client login form enables reading and writing from and to the clipboard of the logged-in user

2006-05-2300:00:00
vulners.com
26
JSON

Suggested Risk Level: Low.

Type of Risk: Information Leakage, Information Injection, Unauthorized
Access.

Affected Software: Novell Client for Windows, versions 4.9 and 4.8 (On
windows XP Pro and Windows 2000 Workstation).
This versions are the only one tested, thus other version may be vulnerable
as well.

Local / Remote activation: Local.

Summary:

  1. Anyone with access to the computer's local operating system console, one
    using the Novell client login screen (when the console is locked), can view
    a textual content of the clipboard of the locally logged in user, by
    performing a paste command into the "user name" field of the login form.

  2. Anyone with access to the computer's local operating system console, one
    using the Novell client login screen (when the console is locked), can
    inject its own textual content into the clipboard of the currently logged-in
    user by adding, temporally, a text string into the "user name" field of the
    login form, and then copy it into the clipboard.
    This can also be done if no user is yet logged-in to the computer (after
    booting the computer or after a user logged off).
    The text will remain in the clipboard after a user logged in, and if the
    user will perform a paste command – the content will be injected into the
    user's console session.

Summary Notes:

  1. One must remember that access to the console may be achieved not only by
    a local presence of the attacker but also via a remote control application,
    if one is installed on the computer.
  2. I assume non-textual content is accessible as well, but due to the nature
    of the relevant field in the login form – only textual content can be pasted
    into it.

Possible Abuses:

  1. A local attacker can read the last textual information added to the
    clipboard by the logged in user, without a need to authenticate.

A. A local attacker can damage the logged in user's data if a careless user
will paste the attacker's text into any application, and the user will not
review it before using it.
B. A local attacker can damage the logged in user's operating system or
applications if a careless user will paste the attacker's text as a command,
and the user will not review it before executing it.

Reproduction:

  1. Clipboard read:
    a. Log in to the operating system.
    b. Open any text editor (or any textual field in the operating system or
    application), and write a unique text.
    c. Copy the text you just wrote (select it and press ctrl+c).
    d. Lock the console by pressing ctrl+alt+del and clicking on the "lock
    computer" button.
    e. Press ctrl+alt+del to open the Novell login form.
    f. Click in the "user name" field and if there is a text inside, delete it
    or select all of it.
    g. Press ctrl+v, and the text you copied before will appear in "user name"
    field.

  2. Clipboard write:
    a. Log in to the operating system.
    b. Lock the console by pressing ctrl+alt+del and clicking on the "lock
    computer" button.
    c. Press ctrl+alt+del to open the Novell login form.
    d. Click in the "user name" field and if there is a text inside, delete it
    or select all of it.
    e. Write a unique text.
    f. Copy the text you just wrote (select it and press ctrl+c).
    g. Delete this unique text.
    h. Perform a regular log in to the operating system.
    i. Open any text editor (or any textual field in the operating system or
    application), and press ctrl+v, and the text you copied before will appear.

Steps "a" and "b" can be replaced by booting or restarting the operating
system and once the graphical interface has been displayed, proceed to step
c.

Exploit Code: No need.

Direct resolution: None at the time this advisory was published.

Workarounds:
WARNING: The following listed applications are not made by me and I have no
knowledge if they will perform as expected and if they will not damage your
hardware and/or software. Using this applications is totally at your own
risk and responsibility.
I only mention this applications in this advisory as possible workarounds to
overcome the vulnerability mentioned in this advisory.

Following are some freeware applications intended to clear the clipboard.
Some of the applications can be activated manually (before locking or
leaving the desktop) and/or some of the applications can be initiated via a
command line, which makes them suitable to be scheduled by the windows tasks
scheduler to run every X minutes/hours or run while the operating system is
idle.

AutoClipClear
http://www.geocities.com/visualfantasy_studio/acc.htm
It has no interface nor settings to adjust. Can be run in via a command
line.

NirCmd
http://www.nirsoft.net/utils/nircmd.html
It has only textual interface but many extra functions (one of them is
locking the console, so one can make a batch file to clear the clipboard and
then lock the console). Can be run in via a command line.

ClipClear
http://www.moonsoftware.com/freeware.asp#clipclear
It has a task bar icon and clicking it clears the clipboard. I guess it will
not be suitable to run as a scheduled task since activating it only makes it
available at the task bar. It has no startup switches.

I tried to find a scheduler that can run an application at the event when
the workstation is being locked, but found only this two:

  1. Funny, but someone asked just that at Novell's site and he was answered
    that this can be done with NALRUN32 and NALRUNW from Novell's "Workstation
    Manager" ("ZEN 2 Application Management Tool Kit"), but without a proper
    example.
    http://www.novell.com/coolsolutions/qna/4332.html
    http://www.novell.com/coolsolutions/zenworks/features/a_zen2_toolkit_zw.html
    #nalrun
  2. The task scheduler of windows vista will be able to do this (when windows
    vista will be officially released…).
    http://www.microsoft.com/technet/windowsvista/mgmntops/taskschd.mspx

Vendor Notification: Novell was notified of this issue more than two months
ago.
Due to my feeling that the company was not acting to solve this issue, I
notified them after one month, that I will wait another month, and if at
that time the company will not publish an advisory and/or a patch – I will
publish my own advisory.
Since the company did not publicly acted regarding this vulnerability within
this time frame, which I think is reasonable – this advisory is now
published.
Novell's lack of action may be due to the low risk nature of this
vulnerability.

Credit:
Eitan Caspi
Israel
Email: [email protected]

Past security advisories:

http://online.securityfocus.com/bid/4053
http://www.microsoft.com/technet/security/bulletin/MS02-003.mspx
http://support.microsoft.com/default.aspx?scid=KB;en-us;315085&

http://online.securityfocus.com/bid/5972
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329350

http://online.securityfocus.com/bid/6280
http://www.securityfocus.com/archive/1/301624

http://online.securityfocus.com/bid/6736
http://online.securityfocus.com/archive/1/309442

http://www.securityfocus.com/bid/7046
http://www.securityfocus.com/archive/1/314361

http://www.securityfocus.com/archive/1/393800
http://service1.symantec.com/SUPPORT/ent-security.nsf/3d2a1f71c5a00334852568
0f006426be/c937e09a6ad4e20688256a22002724bb?OpenDocument

Articles:
You can find some articles I have written at
http://www.themarker.com/eng/archive/one.jhtml
(filter: Author = Eitan Caspi (second name set), From year = 2000 , Until
year = 2002)

Eitan Caspi
Israel

Professional Blog (Hebrew): http://www.notes.co.il/eitan
Personal Blog (Hebrew): http://blog.tapuz.co.il/eitancaspi
Blog (English): http://eitancaspi.blogspot.com

"Technology is like sex. No Hands On - No Fun." (Eitan Caspi)

JSON