Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Pastejacking attack relies on your clipboard as an attack vector

The Pastejacking Attack exploits JavaScript to override the clipboard content and trick victims into running malicious code. The security expert Dylan Ayrey has devised a new attack technique dubbed Pastejacking attack that leverages on the victim’s clipboard. The possibility of manipulating clipboard without a victim noticing it a known for a long time, it is possible to do […]

Pastejacking attack relies on your clipboard as an attack vector

The Pastejacking Attack exploits JavaScript to override the clipboard content and trick victims into running malicious code.

The security expert Dylan Ayrey has devised a new attack technique dubbed Pastejacking attack that leverages on the victim’s clipboard.

The possibility of manipulating clipboard without a victim noticing it a known for a long time, it is possible to do it by using HTML/CSS in a type of attack known as clipboard hijacking. Attackers can write malicious code in the clipboard and then fool victims into executing terminal commands.

This type of attack is known as clipboard hijacking, and in most scenarios, it is useless, except when the user copies something inside their terminal.

The new attack scenario sees victims receiving a phishing e-mail purporting to be from tech support could trick them into dropping a message into a terminal window and executing it. In reality, the attacker is exploiting the machine clipboard to launch the attack.

“Browsers now allow developers to automatically add content to a user’s clipboard, following certain conditions. Namely, this can only be triggered on browser events. This post details how you can exploit this to trick a user into running commands they didn’t want to get ran, and gain code execution.” is the description of the Pastejacking attack published on GitHub by Ayrey. “It should also be noted, for some time similar attacks have been possible via html/css. What’s different about this is the text can be copied after an event, it can be copied on a short timer following an event, and it’s easier to copy in hex characters into the clipboard, which can be used to exploit VIM, all shown below.”

The expert published a proof-of-concept of the Pastjacking attack in which he asks users to copy the command echo “not evil” into the terminal, but the content stored in the clipboard is

echo “evil”\n.

The newline character appended to command doesn’t offer the opportunity to the user to modify it when he will paste the content from the clipboard to the terminal.

“If a user attempts to copy the text with keyboard shortcuts, i.e. ctrl+c or command+c, an 800ms timer gets set that will override the user’s clipboard with malicious code.” explained the expert.

The experts also provided also more sophisticated payloads, like the following one that will create a file in the user’s home directory and clean the terminal.

touch ~/.evil
clear
echo "not evil"

“This command will create an evil file in your home directory and clear the terminal out. The victim appears to have the command they intended to copy, nicely pasted into the terminal”, he explains.

Pastejacking attack

JavaScript is much more efficient for clipboard hijacking attacks compared to CSS, for example while using a CSS exploit the user must copy-paste the entire malicious text, a JavaScript exploit is triggered by copy also a single character of the whole malicious text.

This consideration opens the door to a dangerous attack scenario in which the attacker adds the Pastejacking JavaScript code to the entire page. At this point, it is sufficient that victims copy/paste anything inside the console to run unwanted commands.

A possible countermeasure consist in verifying the contents of the clipboard before pasting into a terminal, but the researcher warns where you verify these commands. For example, pasting them into vim, vim macros may be used to exploit your machine.

“An example of this can be seen in this demo and below

copyTextToClipboard('echo "evil"\n \x1b:!cat /etc/passwd\n');

This demo echo evil when pasted in terminal, and it will cat the user’s /etc/passwd file when pasted into vim.”

 

If you appreciate my effort in spreading cyber security awareness, please vote for Security Affairs as best European Security Blog. Vote SecurityAffairs in every section it is reported. I’m one of the finalists and I want to demonstrate that the Security Affairs community a great reality.

https://www.surveymonkey.com/r/secbloggerwards2016

Thank you

Pierluigi

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – Pastjacking attack, phishing)