IE Clipboard Stealing Vulnerability

[Tom Gilder <tom () vpwsys co uk>]

=====================================
 IE CLIPBOARD STEALING VULNERABILITY
 A security bulletin by Tom Gilder
 12th January 2002
=====================================

More information available at http://tom.vpwsys.co.uk/clipboard/
Numbers indicate a link, see bottom of message.

PROBLEM
Since Microsoft Internet Explorer ("IE") version 5.0, there has been a
way to read and set the users clipboard text from script, by default,
and with no prompting. This can be handy for web-based applications to
do so, but can be used in a malicious way to steal the clipboard
contents.

EXPLOIT
It is easily possible to monitor the contents of the clipboard, and
send it to a remote server-side script for processing. The remote
script could then save the clipboard text in a database, or e-mail it
to the evil overlord script creator. By itself this doesn't cause much
harm, but users can often copy sensitive information to the clipboard
- e-mails, addresses, passwords, pictures - just about anything, which
could then fall into the wrong hands.

The problem lies in the clipboardData object[1], and the getData
method[2]. By simply using a setInterval[3], a script can check for a
change in the contents of the clipboard, and forward it either using a
hidden form, or the XMLHTTP[4] ActiveX object.

You can view a sample exploit on my site at
http://tom.vpwsys.co.uk/clipboard/exploit.html (IE5.0+, with default
security rules). This does no harm to your computer, and does not send
any information to me. More information about Data Transfer can be
found in the MSDN article, About DHTML Data Transfer[5].

In the most evil of situations, this could be used for an almost
unclosable clipboard monitor (see the 2nd example[6]). It could be
launched from a HTML e-mail within Outlook or Outlook Express (if the
security zone is set to "internet", and the internet zone settings are
set to default - basically the default settings of pre-OE6), and maybe
be used in conjunction with an e-mail worm to send itself on.

USER SOLUTION
Microsoft in their great wisdom put in some a setting for script
clipboard access. You can edit this via Tools > Internet Options >
Security > Select a security zone > Custom Level > Scripting > Allow
paste operations via script (phew!). You can set this to Enable (the
default for the internet zone), Disable (default for restricted sites)
or Prompt. Personally I recommend you set it to prompt - scripts can
still have clipboard access, but only when you say so.

VENDOR SOLUTION
I suggest MS make the Internet Zone default setting to prompt, and
improve the prompt dialog to show the clipboard contents (if it is
textual) to the user. They could also add a "always allow this site to
access the clipboard" checkbox.

Microsoft will probably say something like "it's up to the user to set
their security settings as they see fit". However I believe the
majority of IE users will never change anything in their security
settings. They are simply too complex, and buried in the options
dialog.

VENDOR STATUS
Microsoft are fully aware of this issue. They invented the feature.
They decided to setup the default security rules as they are. And
they should be larted for doing so.


This bulletin was sent to the Bugtraq mailing list on 12 January 2002.

Security bulletin and exploit code Copyright © Tom Gilder 2002.

More information and a HTML version of this bulletin is available at
http://tom.vpwsys.co.uk/clipboard/

Handy links:
[1] clipboardData object - http://msdn.microsoft.com/workshop/author/dhtml/reference/objects/clipboarddata.asp
[2] getData method - http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/getdata.asp
[3] setInterval method - http://msdn.microsoft.com/workshop/author/dhtml/reference/methods/setinterval.asp
[4] XMLHTTP object - http://msdn.microsoft.com/library/en-us/xmlsdk/htm/xml_obj_ixmlhttprequest_8bp0.asp
[5] About DHTML Data Transfer - http://msdn.microsoft.com/workshop/author/datatransfer/overview.asp
[6] Exploit examples - http://tom.vpwsys.co.uk/clipboard/exploit.html