Copy-pasting commands into your terminal allows attackers to append, automatically execute and then hide malicious code

May 24, 2016 09:05 GMT  ·  By
New Pastejacking attack allows crooks to append malicious terminal commands to your clipboard

It has been possible for a long time for developers to use CSS to append malicious content to the clipboard without a user noticing and thus fool them into executing unwanted terminal commands.

This type of attack is known as clipboard hijacking, and in most scenarios it is useless, except when the user pastes the copied text into their terminal.

Security researcher Dylan Ayrey published last week a new version of this attack, which uses only JavaScript as the attack medium, not CSS.

Called Pastejacking, his proof-of-concept attack works the same way older CSS-based exploits do, but with a twist.

"What's different about this is the text can be copied after an event, it can be copied on a short timer following an event, and it's easier to copy in hex characters into the clipboard, which can be used to exploit VIM," Ayrey explained.

JavaScript makes this attack harder to spot and harder to stop

JavaScript is a lot more powerful and versatile when compared to CSS, and this shows immediately. While in the CSS exploit the user had to copy-paste the entire malicious text, with JavaScript things are a lot trickier.

Users don't even need to select the whole malicious text. One character is enough. Theoretically, an attacker could add their malicious Pastejacking JavaScript code to the entire page, and when you paste anything inside the console, they could sneakily run commands behind your back.

Ayrey even includes a demo where the attacker runs their malicious code, clears the console, and then appends the code the user copied, making them believe nothing happened.

The attack can be deadly if combined with tech support pages or phishing emails. Users might think they're copying innocent text into their console, but in fact, they're running the crook's exploit for them.

Because a terminal runs each pasted line as soon as it receives the line break that ends it, the user doesn't even have to press Enter to run the malicious code; CTRL+V is enough.

For example, someone looking for tips on cmd.exe commands could copy-paste code he found online in tutorial articles, but the malicious party behind that particular site could be appending tens of lines of malicious code that downloads malware from an online source and installs it on his computer. All of this can happen silently, without the user noticing anything.
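
A defensive check for the behaviour described above, added here as an example; it is not code from the article or from Ayrey's proof of concept. It compares what the user selected with what actually landed on the clipboard and flags the traits the article lists (line breaks that trigger execution, control characters, screen clearing). The function names, finding labels and sample strings are constructed for illustration.

```javascript
// Added example: inspect clipboard text before it is pasted into a terminal.
// All names and labels here are hypothetical, not part of any real tool.

// Control characters other than tab, LF and CR (includes ESC, 0x1b).
const CONTROL_CHARS = /[\u0000-\u0008\u000b\u000c\u000e-\u001f\u007f]/;

function inspectPaste(selectedText, clipboardText) {
  const findings = [];
  // The clipboard should hold exactly what the user selected on the page.
  if (clipboardText !== selectedText) findings.push("clipboard-differs-from-selection");
  // A line break makes the shell run the preceding text without Enter being pressed.
  if (/[\r\n]/.test(clipboardText)) findings.push("contains-line-break");
  // Raw control bytes can drive terminal editors or change what the screen shows.
  if (CONTROL_CHARS.test(clipboardText)) findings.push("contains-control-character");
  // A screen-clearing command can hide earlier lines of a multi-line paste.
  if (/(^|[\r\n;&|])\s*(clear|cls|reset)\s*($|[\r\n;&|])/.test(clipboardText)) {
    findings.push("clears-screen");
  }
  return findings;
}

// Make a suspicious payload inert and readable: line breaks and control
// characters become printable escapes, so nothing runs when it is pasted.
function neutralize(clipboardText) {
  return clipboardText
    .replace(/\r\n|\r|\n/g, "\\n")
    .replace(new RegExp(CONTROL_CHARS.source, "g"),
      (c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0"));
}

// Constructed samples: the user selected "echo hello" on a page.
const selected = "echo hello";
const tampered = "echo constructed-placeholder\nclear\necho hello\n";
const withEscape = "echo hello\u001b";

for (const sample of [selected, tampered, withEscape]) {
  const findings = inspectPaste(selected, sample);
  console.log(JSON.stringify(neutralize(sample)), findings.length ? findings : "ok");
}
```

Pasting into a plain text editor first gives the same visibility by hand: extra lines on the clipboard show up before any shell sees them.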