Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: Internet Storm Center Internet Storm Center

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Latest Diaries

Show me Your Clipboard Data!

Published: 2020-02-28
Last Updated: 2020-02-28 06:11:31 UTC
by Xavier Mertens (Version: 1)
0 comment(s)

Yesterday I've read an article[1] about the clipboard on iPhones and how it can disclose sensitive information about the device owner. At the end of the article, the author gave a reference to an iPhone app[2] that discloses the metadata of pictures copied to the clipboard (like the GPS coordinates).

This is true, our clipboards may contain sensitive information like… passwords, private URLs, confidential text, and man more! About passwords, many password managers use the clipboard to make the user’s life easier. You just need to paste data exported by the password manager in the password field. Some of them implement a technique to restore the content of the clipboard with previous data. This is very convenient but it is NOT a security feature. Once data has been copied into the clipboard, it can be considered as “lost” if other applications are monitoring its content.

Note that some Password managers are more "mature" and offer a browser add-on that communicates directly with the main application and bypass the clipboard.

This gave me the idea: let’s write a few lines of PowerShell to monitor the content of the clipboard on a Windows 10 host. Here is the very simple code based on Get-Clipboard[3]:

$data = Get-Clipboard;
while($true)
{
    $updated = $false;
    $olddata = $data;
    $data = Get-Clipboard;
    if ($olddata -ne $data) {
        $updated = $true;
    }

    if ($updated) {
        Write-Host “New clippboard data detected: $data”
    }
    Start-Sleep -Milliseconds 100;
} 

It just grabs the content of the clipboard every 0.1 seconds and, if changed, displays the content (note that I’m just handling basic text, binary content is ignored).

Let’s run it and continue to work as usual. We see the history of all data copied into the clipboard:

New clippboard data detected: clipboard
New clippboard data detected: 563068
New clippboard data detected: 177888
New clippboard data detected: https://blog.rootshell.be/2020/02/27/sans-isc-offensive-tools-are-for-blue-teams-too/
New clippboard data detected: lwi0b!nui8hAMTlG
New clippboard data detected: 'list' object has no attribute 'keys'
New clippboard data detected: https://www.youtube.com

You can guess that we have some 2FA tokens, passwords, error messages (that are usually pasted to Google, etc).

My Windows host is virtualised and, for more ease of use, the VM is not isolated:

This means that I can copy/paste between the host and the VM. Let’s test from a shell on the host:

xavier : ~ $ whoami|pbcopy
xavier : ~ $ pbpaste
uid=501(xavier) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),399(com.apple.access_ssh),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae)

(pbcopy/pbpaste are MacOS commands to read/write the clipboard, very convenient :-)

And immediately, on my Windows VM, my scripts reacts:

New clippboard data detected: uid=501(xavier) gid=20(staff) groups=20(staff),12(everyone),61(localaccounts),79(_appserverusr),80(admin),81(_appserveradm),98(_lpadmin),399(com.apple.access_ssh),701(com.apple.sharepoint.group.1),33(_appstore),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),400(com.apple.access_remote_ae)  

Even more interesting: I’m an Apple fan and I’ve the complete range of Apple devices, all of them are perfectly integrated…. The clipboard too! (Via iCloud). Let’s test again:

And, once data copied into the iPhone clipboard, I see in the VM host:

New clipboard data detected: Test from iPhone

By design, the clipboard is available to all processes running on the system. This mean also all potential malicious applications and malware. They don't require any special privileges to access the clipboard. Keep this in mind!

[1] https://www.securitynewspaper.com/2020/02/26/are-you-an-iphone-user-dont-copy-paste-your-card-number-or-passwords-other-apps-can-steal-your-data-from-the-clipboard/
[2] https://www.youtube.com/watch?v=tegfZNv8SBc
[3] https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.management/get-clipboard?view=powershell-7

Xavier Mertens (@xme)
Senior ISC Handler - Freelance Cyber Security Consultant
PGP Key

0 comment(s)

If you have more information or corrections regarding our diary, please share.

Recent Diaries

Offensive Tools Are For Blue Teams Too
Feb 27th 2020
1 day ago by Xme (0 comments)

Quick look at a couple of current online scam campaigns
Feb 25th 2020
3 days ago by Jan (0 comments)

Maldoc: Excel 4 Macros and VBA, Devil and Angel?
Feb 24th 2020
3 days ago by DidierStevens (0 comments)

Maldoc: Excel 4 Macros in OOXML Format
Feb 24th 2020
3 days ago by DidierStevens (0 comments)

Simple but Efficient VBScript Obfuscation
Feb 22nd 2020
5 days ago by Xme (0 comments)

Quick Analysis of an Encrypted Compound Document Format
Feb 21st 2020
1 week ago by Xme (0 comments)

View All Diaries →

Latest Discussions

Setting up a security champions network.
created Feb 24th 2020
3 days ago by Anonymous (0 replies)

Wireshark - To analyze "TCP sequence numbers" or not to analyze.
created Feb 15th 2020
1 week ago by Anonymous (0 replies)

TikTok app possibly using DNS over HTTPS directly
created Feb 15th 2020
1 week ago by jauntysankey (0 replies)

Zip password recovery
created Jan 17th 2020
1 month ago by Anonymous (0 replies)

Strange Google-ish domain name lookups after update to Android 10
created Dec 21st 2019
2 months ago by jauntysankey (0 replies)

View All Forums →

Latest News

Top Diaries

An infection from Rig exploit kit
Jun 17th 2019
8 months ago by Brad (0 comments)

Malspam with password-protected Word docs pushing Dridex
Jun 18th 2019
8 months ago by Brad (0 comments)

Wide-scale Petya variant ransomware attack noted
Jun 27th 2017
2 years ago by Brad (0 comments)

Using a Raspberry Pi honeypot to contribute data to DShield/ISC
Aug 3rd 2017
2 years ago by Johannes (0 comments)

Second Google Chrome Extension Banker Malware in Two Weeks
Aug 29th 2017
2 years ago by Renato (0 comments)