copy-paste design problem?

514 views
Skip to first unread message

Zrubecz Laszlo

unread,
May 2, 2013, 10:34:45 AM5/2/13
to qubes...@googlegroups.com
Hi,

I just have a scary issue about how copy-paste is working between domains.

Actually I was try to paste a VM log from dom0:
Qubes Manager -> right click on a VM -> Logs -> Copy to Qubes clipboard

Then I wanted to paste it into a file opened by vim running inside an
AppVM while I got two problems:

* the logs are contains ESC sequences (as I see because of the console
message colouring) --> vim editing session ends, command session
starts --> who knows what happens then :o (depends on the 'logs')

While you can said: Don't copy any shit to a trusted VM. But those
are 'just' logs, and there are a designatet button to do it...

* If the actual log was big enough the paste is coming in waves...
This is causig the 2. problem:
If I just quit from vim to prevent causing any damage, I'm dropped to
a shell, but the paste waves are still coming!!! now into a terminal
session instead of vim :O Which is really scarry and dagerous.

Really don't know how should we fix this, but this easily can cause
user data loss...



--
Zrubi

Marek Marczykowski

unread,
May 2, 2013, 10:48:51 AM5/2/13
to qubes...@googlegroups.com, Zrubecz Laszlo
This is rather issue how you paste the logs. You actually don't "paste into
vim", but "paste into terminal", which have such problems. To have real paste
in vim, you need X11-enabled version (vim-X11 package in Fedora, then use
"vimx" instead of "vim"), X11 clipboard will be in "*" register, so paste with:
"*p

Of course you can also use any other editor, which support X11 clipboard, like
gedit (and almost any graphical editor).

--
Best Regards / Pozdrawiam,
Marek Marczykowski
Invisible Things Lab

signature.asc

Zrubecz Laszlo

unread,
May 2, 2013, 11:02:13 AM5/2/13
to qubes...@googlegroups.com
On 2 May 2013 16:48, Marek Marczykowski <marm...@invisiblethingslab.com> wrote:
> This is rather issue how you paste the logs. You actually don't "paste into
> vim", but "paste into terminal", which have such problems. To have real paste
> in vim, you need X11-enabled version (vim-X11 package in Fedora, then use
> "vimx" instead of "vim"), X11 clipboard will be in "*" register, so paste with:
> "*p
>
> Of course you can also use any other editor, which support X11 clipboard, like
> gedit (and almost any graphical editor).
>

Thanks, got it.


--
Zrubi

David Schissler

unread,
May 3, 2013, 12:04:08 AM5/3/13
to qubes...@googlegroups.com, Zrubecz Laszlo
This reminded me about the security problem of copying and pasting directly from a browser into the terminal.  By using hidden div trickery it is very easy to insert a whole bunch of text that was never visible from on the screen.  It would be very useful if Qubes had a way to quickly view the clipboard in a way that could fit into normal workflow.

Joanna Rutkowska

unread,
May 3, 2013, 4:55:01 AM5/3/13
to qubes...@googlegroups.com, David Schissler, Zrubecz Laszlo
On 05/03/13 06:04, David Schissler wrote:
> This reminded me about the security problem of copying and pasting directly
> from a browser into the terminal. By using hidden div trickery it is very
> easy to insert a whole bunch of text that was never visible from on the
> screen. It would be very useful if Qubes had a way to quickly view the
> clipboard in a way that could fit into normal workflow.
>
>

"To view" using what application? Simple text viewer, sure, but written
on top of Qt, which is tens of thousands of lines of code to create a
simple class to display a text, right? And how do you know it won't
suddenly interpret some control character in some unusual way? Or have a
classic buffer overflow somewhere, e.g. because tried to be too smart
and interpreted a string as some unicode and allocated only the buffer
for half the amount of bytes?

And even if we could have a reasonably safe clipboard viewer, then
what's worth would it be really? What might look innocent in such a
simple plaintext viewer might be lethal to your shell. Or your
LibreOffice. Or something.

General rule in Qubes is: don't allow *paste* operation to a *more
trusted* domain from a less trusted one! One can use Qubes rpc policing
mechanism to actually enforce this policy, e.g. this is the contents of
my /etc/qubes_rpc/policy/qubes.ClipboardPaste file (first is source VM,
second destination, of course):

personal work deny
$anyvm vault deny
$anyvm $anyvm ask

And if you really, really, so madly want to take a look at the content
of the inter-VM clipboard you can always do that by displaying the
content of the /var/run/qubes/qubes_clipboard.bin file in Dom0. Again,
this is probably a *bad* idea, or even a Very Bad Idea, because you
don't know if displaying such potentially malicious content, even using
something as simple as the 'cat' command, won't exploit something, e.g.
in your shell, or in your konsole program, or whatever other you would
like to use to view it. Note that during a normal copy and paste
operation, Dom0 never attempts to parse the content of the
qubes_clipboard.bin file!

joanna.

signature.asc
Reply all
Reply to author
Forward
0 new messages