Your browser is obsolete!

The page may not load correctly.

Unexpected guests

Незваные гости

Other issues in this category (70)
  • add to favourites
    Add to Bookmarks

Ctrl + C, Ctrl + V = THREAT

Read: 1752 Comments: 2 Rating: 14

Friday, February 16, 2018

We all copy pieces of texts from sites or documents every now and then. The Anti-virus Times has already warned its readers that clicking on links can be dangerous because, by doing so, users can trigger the execution of another command. But now it turns out that copying plain text can be hazardous too.

Attackers can determine when text is being copied to the clipboard from the current browser window. Once the JavaScript code detects that Ctrl+C has been pressed, it will wait for 800 ms and inject additional data into the clipboard. The browser doesn't prompt users for confirmation to alter the clipboard’s contents, and in HTML view the contents will appear as the string the user intends to copy.

https://www.opennet.ru/opennews/art.shtml?num=44481

Everyone knows that sites can monitor (and block) attempts to copy information from them. But this feature can also be used to inject additional information into the clipboard. For example, some sites add a link to the page the text is being copied from. And since there is a way to add harmless data, why not opt for something malicious? And you'll never notice!

To conceal the additional information, attackers can employ special characters. Here is an example for the vim utility which is well known to Linux users:

In this demo users are offered the ability to copy a string from the browser window (select the text and press Ctrl+C):

echo "not evil"

Pasting the contents into the terminal window will reveal a different string:

echo "evil"\n

To hide the altered content, attackers can use such commands as "clear" and "echo -ne '\033[1F\033[2K'". Here is another example:

touch ~/.evil
clear
echo "not evil"

This means that by inserting commands into the altered text, an attacker can replace the text you want to copy with the string they need.

The attack options are many. Many programmers make use of the git version control system. Access to the system can be facilitated via a website.

A description of another attack was published. It shows how a portion of code being output using the "git diff" command (often used to examine patch code) can be concealed . By introducing the escape sequence "[8m" into the code, an attacker can make some of it invisible in a VT100 terminal window.

#drweb

http://www.opennet.ru/opennews/art.shtml?num=47759

For non-programmers: the printf command should display the phrase "I'm just a stub!”. Instead, it outputs "I'm just a stub! Insert bad backdoor here...!". - a portion of the text is not displayed.

And this attack was discovered in 2013, but it still works:

The attack concept exploits users' confidence when they copy command examples from various sites.

By using the “span” element, an attacker can push an unsuspecting user into copying invisible text and thus make them execute arbitrary command in their terminal.

https://www.opennet.ru/opennews/art.shtml?num=36619

You can open the link yourself, copy the string that starts with “git clone" and see what text will actually be pasted.

In this case, only formatting tags from the site page are used, no JavaScript code is involved.

#security

The Anti-virus Times recommends

  1. Don't believe what you see: before you choose to execute a piece of code or hit Enter, check what you've actually copied.
  2. Insert the string into a plain text file rather than an office document or the command prompt.

[Twitter]

Tell us what you think

To leave a comment, you need to log in under your Doctor Web site account. If you don't have an account yet, you can create one.

Comments

Comments to other issues | My comments