Malware POC bypasses CFP Defence Plus

It,s very interesting indeed. Can protection against this be added?


Very Intersting Indeed,

To Bad I’ve Tried And It Didn’t Bypass The Security I have on this bad boy lol

YAY I’m protected

Also it will show up in your Logs
Look in your Firewall Logs/Defense Logs (if on paranoid)


I tried this on paranoid but it didn’t protect me…

I know CFP Will not block this but the other programs that i have does…

But if you have your firewall set to custom polixy mode and have Firefox or opera or IE6/7 Set To Web Broswer, it will show up in your logs


Opera easely blocks it…


Well, yeah, my firefox blocked this but when I allow it in FF and set CFP to paranoid (or custom policy) mode it didn’t block it and nothing show up in my logs (of CFP).

No, it can,t be blocked in any way.

We are not discussing blocking of web site URL access. We are discussing clipboard Hijack interception that can,t be done.

If you claim this, pls post screen shots.


Opera does not block it, neither with ease nor with difficulty unless u disable flash. It,s a failure.

Hmmmm… how. Can u post a screenshot? As I read, FF on default does not block it.

Interesting !

Nothing in Firewall Logs/Defense Logs, what are Access rights ?(Firefox, IE)

Yes I’ve tried, I think he uses noscript or another :]

What this p.o.c. proofs, that flash can “copy” text to clipboard?

It doesn’t really look a surprising PoC to me.
Something like that it doesn’t even need Flash.
Scripting languages like javascript can control the clipboard too.

ref. Clipboard cut, copy and paste with JavaScript

When I tested that PoC with Opera it didn’t happen what I quoted below.

And once it’s in the clipboard, I can’t copy anything else over it until I’ve restarted the machine.

I had simply to close that page and I was able to change the contents of the clipboard.

Yes, Even just clearing the flash file that they have in your temp folder…

Although this little attack didn’t affect me one bit


Sure, I use NoScript…

[attachment deleted by admin]

So I am correct. FF does not block this. It,s because you disabled flash. That,s so obvious. It,s an exploit of flash. If u disable flash, it will not work.

So this atack is based on unauthorized clipboard coping/pasting/etc. AFAIK the development team is aware of that CFP does not ‘catch clipboard callbacks’ and they’re planning to add this feature in future releases.

CFP fails Clipboard Logger Simulation Test

NO, as I understand this attack is different though it,s also related to clipboard.

As turns out this PoC is nothing more that a malicious use of legit functions.
If it is an exploit it is one that rely on user interaction.

Poisoning the clipboard can produce a result only if the user doesn’t notice that the pasted content is not what he copied.

It is something similiar in concept to Display different text on status bar of hyperlink of all browsers where the user click on a link thinking the alternate text in the statusbar would be the URL he will be redirected to.

It would be about the same thing as forging a link like to point to a totally different site (in this specific case looking at the statusbar prove useful enough).

The clipboard poisoning PoC doesn’t work as stated in the zdnet article

This has happened to me twice now, on two separate computers at work. My clipboard has been hijacked with this:

[ malicious URL deleted ]

And once it’s in the clipboard, I can’t copy anything else over it until I’ve restarted the machine.

Maybe the real baddie does something like that but the PoC does not require a reboot. The user need to close only the tab with the PoC page and he will be able to copy anything to the clipboard without having that overwritten again.

To mimic that flash PoC a simple html page with javascript would be enough. Flash is not an indispensable requirement.

Clipboard Protection in this case should not be addressed by CFP. This is a browser based issue.
Even if CFP will handle it many legit sites need that functionality and CFP act at the application level.

If some sort of protection is added to web browser then it would be possible to disable clipboard access on a per site basis.
eg: Opera does this for statusbar javascript access.

[attachment deleted by admin]

I am not an expert but I have also realized that it can,t be intercepted by a HIPS. It,s a JS problem I think.

Is there an option in Opera to stop address bar hiding globally?