dxa4481/Pastejacking dxa4481/Pastejacking

  • Stars
    star
    1,419
  • Rank 32,903 (Top 0.7 %)
  • Language
    HTML
  • License
    GNU General Publi...
  • Created over 8 years ago
  • Updated over 8 years ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
dxa4481/Pastejacking
github

dxa4481

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A demo of overriding what's in a person's clipboard

Pastejacking

Browsers now allow developers to automatically add content to a user's clipboard, following certain conditions. Namely, this can only be triggered on browser events. This post details how you can exploit this to trick a user into running commands they didn't want to get ran, and gain code execution.

It should also be noted, for some time similar attacks have been possible via html/css. What's different about this is the text can be copied after an event, it can be copied on a short timer following an event, and it's easier to copy in hex characters into the clipboard, which can be used to exploit VIM, all shown below.

Demo

Here is a demo of a website that entices a user to copy an innocent looking command https://security.love/Pastejacking

This demo uses JavaScript to hook into the copy event, which will fire via ctrl+c or right-click copy. Right now this demo does works in Chrome, Firefox, and Safari but not with Internet Explorer, however there is a demo below which is IE compatible.

echo "not evil"

Will be replaced with

echo "evil"\r\n

Note the newline character gets appended to the end of the line. When a user goes to paste the echo command into their terminal, "evil" will automatically get echoed to the screen without giving the user a chance to review the command before it executes.

This demo hooks into the keydown event, so if a user uses keyboard shortcuts, i.e. ctrl+c or command+c, an 800ms timer gets set that will override the user's clipboard with malicious code. This demo works in Chrome, Firefox, and Internet Explorer, but is not compatable with Safari.

More sophisticated payloads that hide themselves can also be used, such as something demoed here and seen below

touch ~/.evil
clear
echo "not evil"

This command will create an evil file in your home directory and clear the terminal out. The victim appears to have the command they intended to copy, nicely pasted into the terminal.

Impact

This method can be combined with a phishing attack to entice users into running seemingly innocent commands. The malicious code will override the innocent code, and the attacker can gain remote code execution on the user's host if the user pastes the contents into the terminal.

How do you protect yourself?

This is not so straight forward. One solution may be to verify the contents of your clipboard before pasting into a terminal, but be careful where you verify these commands. For example if you paste into vim, vim macros may be used to exploit you. An example of this can be seen in this demo and below

copyTextToClipboard('echo "evil"\n \x1b:!cat /etc/passwd\n');

This demo echo evil when pasted in terminal, and it will cat the user's /etc/passwd file when pasted into vim.

One solution around this can be seen below

"+p       -- within vim to paste clipboard without interpreting as vim command

If you're running iTerm, you will actually get warned if the command ends with a newline as seen here:

iTerm

Of course it goes without saying, take note of the source you're pasting from, and exercise additional caution if pasting from questionable sources.

More Repositories

1

WPA2-HalfHandshake-Crack

This is a POC to show it is possible to capture enough of a handshake with a user from a fake AP to crack a WPA2 network without knowing the passphrase of the actual AP.
Python
545
star
2

cssInjection

Stealing CSRF tokens with CSS injection (without iFrames)
HTML
306
star
3

Snapper

A security tool for grabbing screenshots of many web hosts
Python
290
star
4

truffleHogRegexes

These are the regexes that power truffleHog
Python
192
star
5

gcploit

These are tools we released with our 2020 defcon/blackhat talk https://www.youtube.com/watch?v=Ml09R38jpok
Python
155
star
6

XSSJacking

Abusing Self-XSS and Clickjacking to trigger XSS
HTML
126
star
7

windowHijacking

A demo of altering an opened tab after a timer
HTML
125
star
8

AttackingAndDefendingTheGCPMetadataAPI

This repo gives an overview of some GCP metadata API attack and defend patterns
78
star
9

Damn-Vulnerable-Redis-Container

An example of obtaining RCE via Redis and CSRF
HTML
74
star
10

XSSOauthPersistence

Maintaining account persistence via XSS and Oauth
JavaScript
69
star
11

whatsinmyredis

A CSRF demonstration of stealing local Redis data, and encrypting all Redis instances on a local network
CSS
53
star
12

inputProtectionShield

Eagle
42
star
13

CORS

JSON API's Are Automatically Protected Against CSRF, And Google Almost Took It Away.
34
star
14

CSRF-PoC-Genorator

This is a simple CSRF Proof of Concept generator that supports multiple form encodings and methods
HTML
28
star
15

mimikittenz4Linux

Steals cleartext passwords from webservices, by reading the memory of browsers
Python
27
star
16

santaHog

Scans packages in npm and pypi for secrets
Python
27
star
17

clientHashing

A demonstration of secure hashing done client side
JavaScript
22
star
18

bygonessl

A tool to discover bygonessl vulnerabilities using the facebook API
Python
19
star
19

logger

Simple javascript logging of fingerprint, IP address and user agent
JavaScript
17
star
20

SmartHealthCardViewer

Smart Health Card Viewer, view your California Smart Health Card Vaccination record
JavaScript
8
star
21

BitRush

An open source project for bitcoin mining on an FPGA
VHDL
7
star
22

domainAbandonedDetector

Detects abandoned domains referenced in HTML
Python
7
star
23

dxa4481.github.io

This is my resume, in HTML/CSS
Python
6
star
24

JayPi

Translating JTAGENUM to Python for the Raspberry Pi
Python
6
star
25

redirect_demo

HTML
6
star
26

gpsIoTTracker

This simple python module takes GPS locations of a moving object, and measured signal strengths of an IoT object and uses trilateration and the method of least squares to solve for the location of the object
Python
5
star
27

Veyebrations

We are creating a system that translates measured distances of physical objects into vibrations to assist the blind
Eagle
4
star
28

JohnWilliams

JavaScript
4
star
29

coolSVGXSS

simple demo of XSS in an SVG
HTML
4
star
30

security_reports

A simple template that can be used to deliver security reports either for bug bounties, internal reports, or consultancy work
HTML
4
star
31

penguin

A restful single page app tool sharing application
Python
3
star
32

VibrationAPI

An example of the HTML5 vibration API
HTML
2
star
33

Tutorials

Learning new things
JavaScript
2
star
34

dotGitFinder

JavaScript
2
star
35

HIVStats

This application makes HIV statistics very accessible
HTML
2
star
36

log_handler

The backend log handler for logger.io
JavaScript
2
star
37

SocialEngineeringPresentation

A simple presentation on social engineering
HTML
2
star
38

SoundMaker

This uses the open hardware provided by arduino to modify an arduino PCB into making a sound board
Eagle
1
star
39

fingerprint-page-count

Counts how many times a user has viewed a page based on his browser's fingerprint
JavaScript
1
star
40

blog

HTML
1
star
41

SeriousApiarist

Controlled builds, tests, static analysis, releases, and deploys with validation and 2FA and live streaming to your CI
Go
1
star
42

serverConfigs

The server configuration files for security.love and e-q.pw
1
star
43

serviceworkerCSRFLogout

HTML
1
star
44

insecureLamp

a very simple insecure web application designed to turn a lamp on and off
Python
1
star
45

FingerprintPressure

This simple demo shows given an image of a fingerprint, you can determine how hard the person was pushing down
Python
1
star
46

AccelerometerAPI

A brief demonstration showing browsers can access a device's accelerator data without promoting a user. This app shows the total acceleration vector magnitude
HTML
1
star
47

CORS-pdf

This is a simple demo that shows you can host a PDF cross origin in chrome, and track a user's interaction with the PDF with the default chrome PDF viewer.
HTML
1
star