VirtualBox

Ticket #4763 (new defect)

Opened 5 years ago

Last modified 4 years ago

Cross-PC Clipboard Data Exposure Using Remote Desktop into Guest

Reported by: UncleZirky
Owned by:
Priority: minor
Component: clipboard
Version: VirtualBox 3.0.4
Keywords:
Cc:
Guest type: Windows
Host type: Windows

Description

I discovered what I would consider a data security exposure (at worst) or (at best) an undesirable function of clipboard copy/paste. I have an XP guest (running on a Vista host, but I don't think the host platform matters). Let's call the XP guest GUEST1 and the Vista host HOST1. Often, using another plain standalone XP PC (not running VirtualBox) -- a separate physical PC on the same network that we'll call PC1 -- I will use Windows Remote Desktop from PC1 to access GUEST1 remotely. If I copy text in the Remote Desktop session from PC1, the next paste operation on HOST1 results in pasting the data that was copied from the Remote Desktop session on PC1 (obviously by way of GUEST1).

The data copied to the clipboard should have remained only on the physical PC on which it was copied, in this case PC1 which isn't even running VirtualBox.

This becomes a problem when a separate user on another computer is remotely accessing a guest. This is actually how I discovered the problem as undesirable data was appearing in my host clipboard while someone else was remotely accessing my guest. They could be copying sensitive data, which should not appear on the host clipboard.

This is an easy scenario to recreate on demand. I have verified that this scenario happens in 3.0.4 and as far back as 3.0.0, possibly earlier as I have been having unexpected data appear in my host clipboard for some time.

Change History

comment:1 in reply to: ↑ description Changed 4 years ago by llehmijo

I'm experiencing this problem as well.

This could be a serious security issue.

comment:2 Changed 4 years ago by sandervl73

I haven't actually checked this, but disabling bi-directional clipboard sharing in the VM settings should fix that.

As you are allowing a remote user access to a VM on your local machine using your own user session, you should be a bit careful with the access you give that particular VM. (includes shared folders too)
