[MouseWithoutBorders] Reject UNC/remote paths over ClipboardHelper IPC #48904
Open
yeelam-gordon wants to merge 1 commit into
The ClipboardHelper named pipe (\\.\pipe\MouseWithoutBorders/ClipboardHelper) is ACL'd to Authenticated Users, so any local process can invoke its RPC endpoints. SendDragFile and SendClipboardData (isFilePath) forwarded the supplied path to File.Exists/Directory.Exists. A UNC path such as \\attacker\share causes Windows to authenticate over SMB, leaking the user's NTLMv2 hash to an attacker-controlled server.
Reject UNC/remote and device-namespace paths at the IPC boundary before any filesystem probe. The legitimate helper only forwards local clipboard/drag file paths, so local-file behavior is unchanged.
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Summary
Hardens the Mouse Without Borders ClipboardHelper IPC endpoint to reject UNC / remote / device-namespace paths before any filesystem access.
The ClipboardHelper named pipe (\\.\pipe\MouseWithoutBorders/ClipboardHelper) is reachable by local callers, and its SendDragFile / SendClipboardData(isFilePath) endpoints forwarded the supplied path straight to File.Exists / Directory.Exists. Probing a UNC path (e.g. \\host\share) makes Windows perform an outbound SMB authentication, which can be abused to coerce credential authentication to an attacker-controlled host. The legitimate helper only ever forwards local clipboard/drag file paths, so rejecting non-local paths at this boundary closes the issue with no impact on the normal flow.
Tracked internally as MSRC case 110760.
Changes
IClipboardHelper.cs: add IsRemoteOrUncPath guard in SendDragFile and SendClipboardData; reject (and log) paths that are UNC (\\server\share, //server/share) or device-namespace (\\?\UNC\..., \\.\...), validating both the raw input and its Path.GetFullPath-resolved form. Malformed paths are treated as untrusted and rejected.
ClipboardHelperTests.cs: new unit tests covering remote/UNC rejection, local-path acceptance, and null/empty handling.
Validation
MouseWithoutBorders (App) builds clean — Release | x64, exit code 0.
MouseWithoutBorders.UnitTests builds and runs clean — 14 passed / 1 pre-existing skip / 0 failed (13 new ClipboardHelperTests cases pass).
Notes / scope
src/common changes, no IPC/JSON contract change, no ABI break.
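The check described under Changes (raw input and Path.GetFullPath-resolved form, malformed input rejected), sketched as an added example that is not the PR's own code. The names LocalPathGuard and IsLocalFilePath are hypothetical, rejecting null/empty input is an assumption of this sketch, and Windows path semantics are assumed.

```csharp
using System;
using System.IO;
using System.Security;

// Added illustration; not the PR's IsRemoteOrUncPath implementation.
public static class LocalPathGuard
{
    // True only when the path may be handed to File.Exists/Directory.Exists.
    public static bool IsLocalFilePath(string path)
    {
        if (string.IsNullOrWhiteSpace(path))
        {
            return false; // assumption of this sketch: nothing to probe, so reject
        }

        // Raw form: \\server\share, //server/share, \\?\UNC\..., \\.\...
        // This prefix test also rejects \\?\C:\..., which is stricter than needed.
        if (HasDoubleSeparatorPrefix(path))
        {
            return false;
        }

        try
        {
            // Resolved form: a relative path still lands on a UNC location
            // when the process's current directory is itself a UNC path.
            return !HasDoubleSeparatorPrefix(Path.GetFullPath(path));
        }
        catch (Exception e) when (e is ArgumentException || e is NotSupportedException
                                  || e is IOException || e is SecurityException)
        {
            return false; // malformed input is untrusted: fail closed
        }
    }

    private static bool HasDoubleSeparatorPrefix(string p) =>
        p.Length >= 2 && IsSeparator(p[0]) && IsSeparator(p[1]);

    private static bool IsSeparator(char c) => c == '\\' || c == '/';

    public static void Main()
    {
        // Constructed sample inputs; "host" is a placeholder name.
        string[] samples = { @"C:\Users\me\report.txt", @"\\host\share\a.txt",
            "//host/share/a.txt", @"\\?\UNC\host\share\a.txt", @"\\.\pipe\example", "" };
        foreach (string s in samples)
        {
            Console.WriteLine("{0}  \"{1}\"", IsLocalFilePath(s) ? "probe " : "reject", s);
        }
    }
}
```

The ordering is what matters: both prefix tests run before any call that touches the filesystem, so a rejected path never reaches File.Exists or Directory.Exists.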