Researcher warns of 'pastejacking' hack attacks targeting users' clipboards

Take care over what you copy and paste…


A security researcher has developed a "Pastejacking" proof-of-concept (POC) exploit that allows attackers to gain code execution by adding content to a user's clipboard.

Researcher Dylan Ayrey explains that some web browsers now allow developers to add content to a user's clipboard under certain circumstances.

Attackers can theoretically exploit this ability to trick users into running commands they otherwise wouldn't want entered on their computers, in order to gain remote code execution. These types of attacks generally make use of HTML/CSS.

Ayrey's POC attack, dubbed "Pastejacking," breaks with that mold, however.

Here's what Ayrey said in a post he published on GitHub about his exploit:

"What's different about this is the text can be copied after an event, it can be copied on a short timer following an event, and it's easier to copy in hex characters into the clipboard, which can be used to exploit VIM."

In a demo of his exploit, anyone who uses keyboard shortcuts to copy the code

echo "not evil"

from the POC website will have their clipboard content overridden with "malicious" code, or in this case

echo "evil"\n

The newline character is important here. If entered into the terminal, it automatically mimics the effect of pressing the "Enter" key and going to a new line. Appending that character to a pastejacking exploit will therefore run a malicious command in the terminal as soon as it is entered and before the user even has a chance to view what they've actually copied and pasted.

The researcher also notes how attackers can develop more sophisticated payloads, such as code which runs a malicious command, clears the console, copies the command the user thought they originally copied, and displays it in the terminal window.

One such example is the code snippet below.


When combined with phishing attacks and/or tech support scams, these types of exploits pose a serious risk to ordinary users, Ayrey warns:

"This method can be combined with a phishing attack to entice users into running seemingly innocent commands. The malicious code will override the innocent code, and the attacker can gain remote code execution on the user's host if the user pastes the contents into the terminal."

To protect against these attacks, users can switch to web browsers (such as Safari) that do not allow content to be added to a clipboard. They can also use iTerm or the Windows console emulator Cmder, which both show warnings when a command containing the newline character is about to be pasted.
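The kind of pre-paste warning described above can be approximated with a small check on the clipboard text. This is an added example, not code from Ayrey's post or from iTerm or Cmder; the function names inspect_paste, visible and safe_to_paste are hypothetical, and the sample strings are the two demo strings quoted earlier in the article.

```python
import unicodedata

# Control characters that take effect the moment they reach a terminal or editor.
# The descriptions are labels written for this example.
RISKY = {
    "\n": "newline (acts like pressing Enter)",
    "\r": "carriage return (acts like pressing Enter)",
    "\x1b": "escape (interpreted by vim and terminals as a control key)",
}


def inspect_paste(text):
    """Return (offset, description) for every control character in text."""
    findings = []
    for offset, ch in enumerate(text):
        if ch in RISKY:
            findings.append((offset, RISKY[ch]))
        elif ch != "\t" and unicodedata.category(ch) == "Cc":
            # Any other C0/C1 control character; tab is tolerated here.
            findings.append((offset, "control character 0x%02x" % ord(ch)))
    return findings


def visible(text):
    """Render control characters as escapes so the user sees what was copied."""
    return "".join(
        ch.encode("unicode_escape").decode("ascii")
        if unicodedata.category(ch) == "Cc" else ch
        for ch in text
    )


def safe_to_paste(text):
    """True only when the text holds no control characters at all.

    A trailing newline is rejected too, because it would run the command
    before the user has seen what was pasted.
    """
    return not inspect_paste(text)


if __name__ == "__main__":
    # Constructed samples: the two strings from the demo described above.
    for sample in ('echo "not evil"', 'echo "evil"\n'):
        verdict = "ok" if safe_to_paste(sample) else inspect_paste(sample)
        print(visible(sample), "->", verdict)
```

Pasting into a plain text editor first achieves the same result by hand: the trailing newline and any extra lines become visible before anything runs.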


Users should also be careful to copy content only from trusted sources.


One Response

  1. Hermit

    May 26, 2016 at 4:05 pm #

    Does the pastejacking attack have the ability to read what has been captured to clipboard manager programs like Clipmate, ClipCache Pro or Phrase express?
    I use these programs to capture clips using CTRL C so I can refer back to what I copied from a few days to a few weeks to be able to remember something or to paste the captured info into an email or for filling out online forms.
