Pierluigi Paganini
May 25, 2016
The security expert Dylan Ayrey has devised a new attack technique dubbed Pastejacking attack that leverages on the victim’s clipboard.
The possibility of manipulating clipboard without a victim noticing it a known for a long time, it is possible to do it by using HTML/CSS in a type of attack known as clipboard hijacking. Attackers can write malicious code in the clipboard and then fool victims into executing terminal commands.
This type of attack is known as clipboard hijacking, and in most scenarios, it is useless, except when the user copies something inside their terminal.
The new attack scenario sees victims receiving a phishing e-mail purporting to be from tech support could trick them into dropping a message into a terminal window and executing it. In reality, the attacker is exploiting the machine clipboard to launch the attack.
“Browsers now allow developers to automatically add content to a user’s clipboard, following certain conditions. Namely, this can only be triggered on browser events. This post details how you can exploit this to trick a user into running commands they didn’t want to get ran, and gain code execution.” is the description of the Pastejacking attack published on GitHub by Ayrey. “It should also be noted, for some time similar attacks have been possible via html/css. What’s different about this is the text can be copied after an event, it can be copied on a short timer following an event, and it’s easier to copy in hex characters into the clipboard, which can be used to exploit VIM, all shown below.”
The expert published a proof-of-concept of the Pastjacking attack in which he asks users to copy the command echo “not evil” into the terminal, but the content stored in the clipboard is
echo “evil”\n.
The newline character appended to command doesn’t offer the opportunity to the user to modify it when he will paste the content from the clipboard to the terminal.
“If a user attempts to copy the text with keyboard shortcuts, i.e. ctrl+c or command+c, an 800ms timer gets set that will override the user’s clipboard with malicious code.” explained the expert.
The experts also provided also more sophisticated payloads, like the following one that will create a file in the user’s home directory and clean the terminal.
touch ~/.evil clear echo "not evil"
“This command will create an evil file in your home directory and clear the terminal out. The victim appears to have the command they intended to copy, nicely pasted into the terminal”, he explains.
JavaScript is much more efficient for clipboard hijacking attacks compared to CSS, for example while using a CSS exploit the user must copy-paste the entire malicious text, a JavaScript exploit is triggered by copy also a single character of the whole malicious text.
This consideration opens the door to a dangerous attack scenario in which the attacker adds the Pastejacking JavaScript code to the entire page. At this point, it is sufficient that victims copy/paste anything inside the console to run unwanted commands.
A possible countermeasure consist in verifying the contents of the clipboard before pasting into a terminal, but the researcher warns where you verify these commands. For example, pasting them into vim, vim macros may be used to exploit your machine.
“An example of this can be seen in this demo and below
copyTextToClipboard('echo "evil"\n \x1b:!cat /etc/passwd\n');
This demo echo evil when pasted in terminal, and it will cat the user’s /etc/passwd file when pasted into vim.”
https://www.surveymonkey.com/r/secbloggerwards2016
Thank you
Pierluigi
[adrotate banner=”9″]
(Security Affairs – Pastjacking attack, phishing)
