
[MouseWithoutBorders] Reject UNC/remote paths over ClipboardHelper IPC #48904

Open: yeelam-gordon wants to merge 1 commit into microsoft:main from yeelam-gordon:fix/110760

@yeelam-gordon

Contributor

Summary

Hardens the Mouse Without Borders ClipboardHelper IPC endpoint to reject UNC / remote / device-namespace paths before any filesystem access.

The ClipboardHelper named pipe (\\.\pipe\MouseWithoutBorders/ClipboardHelper) is reachable by local callers, and its SendDragFile / SendClipboardData(isFilePath) endpoints forwarded the supplied path straight to File.Exists / Directory.Exists. Probing a UNC path (e.g. \\host\share) makes Windows perform an outbound SMB authentication, which can be abused to coerce credential authentication to an attacker-controlled host. The legitimate helper only ever forwards local clipboard/drag file paths, so rejecting non-local paths at this boundary closes the issue with no impact on the normal flow.

Tracked internally as MSRC case 110760.

Changes

  • IClipboardHelper.cs: add IsRemoteOrUncPath guard in SendDragFile and SendClipboardData; reject (and log) paths that are UNC (\\server\share, //server/share) or device-namespace (\\?\UNC\..., \\.\...), validating both the raw input and its Path.GetFullPath-resolved form. Malformed paths are treated as untrusted and rejected.
  • ClipboardHelperTests.cs: new unit tests covering remote/UNC rejection, local-path acceptance, and null/empty handling.

Validation

  • MouseWithoutBorders (App) builds clean — Release | x64, exit code 0.
  • MouseWithoutBorders.UnitTests builds and runs clean — 14 passed / 1 pre-existing skip / 0 failed (13 new ClipboardHelperTests cases pass).

Notes / scope

  • Surgical, module-local change. No src/common changes, no IPC/JSON contract change, no ABI break.
  • Normal clipboard/drag sharing of local files is unaffected. Auto-transfer of a file copied directly from a network share is intentionally skipped (the path is indistinguishable from an injected UNC at this layer); this is the accepted tradeoff for this fix.

The ClipboardHelper named pipe (\\.\pipe\MouseWithoutBorders/ClipboardHelper)
is ACL'd to Authenticated Users, so any local process can invoke its RPC
endpoints. SendDragFile and SendClipboardData (isFilePath) forwarded the
supplied path to File.Exists/Directory.Exists. A UNC path such as
\\attacker\share causes Windows to authenticate over SMB, leaking the user's
NTLMv2 hash to an attacker-controlled server.

Reject UNC/remote and device-namespace paths at the IPC boundary before any
filesystem probe. The legitimate helper only forwards local clipboard/drag
file paths, so local-file behavior is unchanged.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@github-actions github-actions Bot added the Product-Mouse Without Borders Refers to the Mouse Without Borders module label Jun 26, 2026
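
A minimal sketch of the kind of guard the description above refers to, added here as an illustration; it is not the code from this pull request. The `PathGuard` class, the method bodies, the fail-closed handling of null/empty input, and the sample paths are assumptions.

```csharp
using System;
using System.IO;

// Illustrative sketch only; not the IsRemoteOrUncPath from this pull request.
public static class PathGuard
{
    // True when the path must be rejected before File.Exists/Directory.Exists.
    public static bool IsRemoteOrUncPath(string path)
    {
        // Assumption: null/empty input is rejected (fail closed).
        if (string.IsNullOrWhiteSpace(path) || HasRemotePrefix(path))
        {
            return true;
        }
        try
        {
            // The description says the Path.GetFullPath-resolved form is
            // validated as well as the raw input; do the same here.
            return HasRemotePrefix(Path.GetFullPath(path));
        }
        catch (Exception)
        {
            return true; // malformed paths are untrusted: reject, do not probe
        }
    }

    // Two leading separators cover \\server\share, //server/share,
    // \\?\UNC\... and \\.\... in one test.
    private static bool HasRemotePrefix(string p) =>
        p.Length >= 2 && IsSeparator(p[0]) && IsSeparator(p[1]);
    private static bool IsSeparator(char c) => c == '\\' || c == '/';

    public static void Main()
    {
        // Constructed sample inputs, not taken from the PR's unit tests.
        string[] samples =
        {
            @"C:\Users\alice\Documents\report.docx",
            @"\\fileserver\share\report.docx",
            "//fileserver/share/report.docx",
            @"\\?\UNC\fileserver\share\report.docx",
            @"\\.\pipe\example",
        };
        foreach (string s in samples)
        {
            Console.WriteLine((IsRemoteOrUncPath(s) ? "reject  " : "accept  ") + s);
        }
    }
}
```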