A security researcher has developed a “Pastejacking” proof-of-concept (POC) exploit that allows attackers to gain code execution by adding content to a user’s clipboard.
Researcher Dylan Ayrey explains that some web browsers now allow developers to add content to a user’s clipboard under certain circumstances.
Attackers can theoretically exploit this ability to trick users into running commands they otherwise wouldn’t want entered on their computers, in order to gain remote code execution. These types of attacks generally make use of HTML/CSS.
Ayrey’s POC attack, dubbed “Pastejacking,” breaks with that mold, however.
Here’s what Ayrey said in a post he published on GitHub about his exploit:
“What’s different about this is the text can be copied after an event, it can be copied on a short timer following an event, and it’s easier to copy in hex characters into the clipboard, which can be used to exploit VIM.”
In a demo of his exploit, anyone who uses keyboard shortcuts to copy the code
echo "not evil"
from the POC website will have their clipboard content overridden with “malicious” code, or in this case
The newline character is important here. If entered into the terminal, it automatically mimics the effect of pressing the “Enter” key and going to a new line. Appending that character to a pastejacking exploit will therefore run a malicious command in the terminal as soon as it is entered and before the user even has a chance to view what they’ve actually copied and pasted.
The researcher also notes how attackers can develop more sophisticated payloads, such as code which runs a malicious command, clears the console, copies the command the user thought they originally copied, and displays it in the terminal window.
One such example is the code snippet below.
When combined with phishing attacks and/or tech support scams, these types of exploits pose a serious risk to ordinary users, Ayrey warns:
“This method can be combined with a phishing attack to entice users into running seemingly innocent commands. The malicious code will override the innocent code, and the attacker can gain remote code execution on the user’s host if the user pastes the contents into the terminal.”
To protect against these attacks, users can switch to web browsers (such as Safari) that do not allow content to be added to a clipboard. They can also use iTerm or the Windows console emulator Cmder, which both show warnings when a command containing the newline character is about to be pasted.
Users should also be careful to copy content only from trusted sources.
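As an added, defender-side example (not Ayrey’s POC code), here is a small Python paste guard that performs the kind of check the iTerm and Cmder warnings above rely on: it flags an embedded newline or invisible control character in clipboard text and compares the clipboard with what the user actually highlighted. The sample strings are constructed for the demo.

```python
import unicodedata

# Characters a terminal treats as "Enter" when they arrive in a paste.
NEWLINES = frozenset("\n\r\x85\u2028\u2029")


def find_hidden_controls(text):
    """Return (is_safe, reasons) for text about to be pasted into a terminal.

    Flags the two things a pastejacking payload relies on: an embedded newline,
    which makes the shell run the line before the user can read it, and control
    or format characters (ESC sequences, NUL, zero-width characters) that are
    invisible on screen. A plain tab is tolerated."""
    reasons = []
    if any(ch in NEWLINES for ch in text):
        reasons.append("embedded newline: the shell would execute this on paste")
    controls = sorted({f"U+{ord(ch):04X}" for ch in text
                       if ch not in NEWLINES and ch != "\t"
                       and unicodedata.category(ch) in ("Cc", "Cf")})
    if controls:
        reasons.append("invisible control/format characters: " + ", ".join(controls))
    return (not reasons, reasons)


def clipboard_matches_selection(selected, clipboard):
    """True only when the clipboard holds exactly what the user highlighted.
    A copy handler that swapped the content, or merely appended a newline,
    fails this check; no trimming, because the trailing newline is the attack."""
    return selected == clipboard


def render_for_review(text):
    """Show the clipboard with escapes made visible so the user sees what the
    terminal would receive, e.g. 'echo hijacked\\n' instead of a blank line."""
    return text.encode("unicode_escape").decode("ascii")


def paste_guard(selected, clipboard):
    """Combine both checks into one verdict, mirroring a terminal paste warning."""
    safe, reasons = find_hidden_controls(clipboard)
    if not clipboard_matches_selection(selected, clipboard):
        reasons.insert(0, "clipboard differs from the highlighted text")
        safe = False
    return {"safe": safe, "reasons": reasons, "preview": render_for_review(clipboard)}


if __name__ == "__main__":
    # Constructed inputs: what the user highlighted vs. three clipboard states
    # (unchanged, newline appended, ESC clear-screen sequence prepended).
    visible = 'echo "not evil"'
    for clip in (visible, 'echo hijacked\n', '\x1b[2J' + visible):
        print(paste_guard(visible, clip))
```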