Date: Mon, 22 Feb 1999 23:39:07 +0100 From: Juan Carlos Garcia Cuartango To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: New IE4 vulnerability : the clipboard again. Greetings, I have discovered another IE 4 clipboard vulnerability. The clipboard content can be made public by a very simple javascript code. I reported the problem to Microsoft on Feb 10. They confirmed the problem. It seems that they were already aware of the problem and It will be fixed in the next IE 4 service pack. The problem is located in the Internet WebBrowser ActiveX object. Regards, Juan Carlos More info and a demo is available at : http://pages.whowhere.com/computers/cuartangojc Regards, Juan Carlos The Clipboard vulnerability demo http://pages.whowhere.lycos.com/computers/cuartangojc/cb.html ---------- According with Microsoft security rules access to Windows clipboard content is forbidden to Internet Explorer scripts unless the clipboard content was owned by the Explorer itself. If an script performs a paste operation over an input text box the operation will succeed only if data were copied to the clipboard from the Internet Explorer. There is a way to circumvent this protection by using a Microsoft Web Browser ActiveX control this object can perform a paste operation without security restrictions. The clipboard data can then be transferred to a form input box and posted to a malicious WEB. The box below is a Input Text Area Box your clipboard text data must be here, if not then do a copy (from any application) and then reload this page.

The box below is a Microsoft Web Browser ActiveX control. --------------------------------------------------------------------------- Date: Wed, 24 Feb 1999 11:21:03 -0500 From: Russ To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM Subject: Re: New IE4 vulnerability : the clipboard again. Marc Berajano said... >i, like mnemonix, got the access denied error when IE used the >http://pages.whowhere.lycos.com/computers/cuartangojc/cb.html URL, but >i don't get that error using the >http://pages.whowhere.com/computers/cuartangojc/cb.html URL as your >web page says. however, even when i do use the correct URL, my >clipboard contents are not shown. i'm using the public beta 2 of IE 5 >(5.00.0910.1309) on NT4 SP4. and I would add that my clipboard contents DO SHOW using; NT 4.0 SP1 IE 4.0 version 4.72.3110.8 128-bit SP1, 2735, 2922; So it seems that the URL makes a big difference to demonstrating Juan Carlos' vulnerability. Use http://pages.whowhere.com/computers/cuartangojc/cb.html to test yourself. Cheers, Russ - NTBugtraq moderator