The fact that web browsers allow developers to manipulate the content of the clipboard can be exploited by attackers to trick unsuspecting users into executing potentially malicious code on their systems.
Experts demonstrated several years ago that HTML/CSS tricks could be used to add arbitrary content to the clipboard without the user’s knowledge. However, the method detailed by developer and security expert Dylan Ayrey, dubbed “Pastejacking,” relies on JavaScript to accomplish the task.
“What’s different about this is the text can be copied after an event, it can be copied on a short timer following an event, and it’s easier to copy in hex characters into the clipboard, which can be used to exploit VIM,” Ayrey explained.
A proof-of-concept (PoC) developed by the expert shows the threat posed by a Pastejacking attack when the user pastes commands copied from the web browser into the terminal. The example provided by Ayrey shows how an attacker can trick the user into thinking that they are copying echo “not evil” when in fact the string that gets copied is echo “evil”\n.
The \n (newline) character ensures that the command is executed automatically when pasted into the terminal without the user having to press the enter/return key. This means that the victim doesn’t get to see what they are pasting before it gets executed.
It’s worth noting that Ayrey’s PoC only works if the code is copied using keyboard shortcuts. However, the advantage is that the malicious content is added to the clipboard regardless of what piece of text is copied from the PoC page.
Malicious actors can use even more sophisticated payloads where a sequence of commands is executed. For instance, the expert demonstrated that the attacker can create a file in the home directory, clear the terminal, and display the command the user intended to copy in an effort to avoid raising suspicion. Sophisticated payloads can also be used if the attacker serves malicious code designed for execution in the vim text editor.
“This method can be combined with a phishing attack to entice users into running seemingly innocent commands. The malicious code will override the innocent code, and the attacker can gain remote code execution on the user’s host if the user pastes the contents into the terminal,” Ayrey said.
The attack method does not work against Apple’s Safari browser, and some applications, such as the OS X terminal replacement iTerm and the Windows console emulator Cmder, show warnings when a command containing the newline character is about to be pasted.
While many believe they would never fall for such tricks, some pointed out that it’s not uncommon for users to copy and paste commands from websites such as StackOverflow.
Pastejacking attacks can be mitigated by disabling JavaScript or by making various settings changes in the affected applications. However, the easiest way to avoid falling victim to such attacks is to be cautious when pasting content from questionable sources.