86

Like all beginners in the land of Linux, I usually look for websites that contain some useful shell commands, mark it with my mouse, copy it (CTRL + C) and paste it into a terminal.

For example, if I need to install package_name.deb

sudo apt-get install package_name.deb

I will give my root password and install the package_name.deb

When I paste this command to my text editor, it will be something like:

sudo apt-get install package_name.deb && apt-get install suspicious_file.deb 

Second example, if I want to add a new ppa (terminal)

sudo add-apt-repository ppa:some/ppa
sudo apt-get update

When I edit my sources.list, I will find something like:

deb http://ppa.launchpad.net/some-ppa/

and

deb http://ppa.launchpad.net/a_suspicious_some-ppa/

The problem is the second ppa deb http://ppa.launchpad.net/a_suspicious_some-ppa/ is added automatically and without my permission.

As you can see, there is an invisible part. It does not appear on my terminal.

What is the risk of copy and paste from an untrusted website in the terminal and how to fix my operating system?

GAD3R
  • 2,211
  • 3
  • 17
  • 38
  • 15
    Repair is done by wiping disk and reinstalling OS. – Neil Smithline Feb 14 '16 at 17:38
  • 1
    There is a risk. Websites can use CSS and JavaScript to hide things and then when you copy from that website, you actually copy what they want. I'll have to see if I can find the PoC website, but there is one that'll call you an idiot for copying from it into your terminal. :) – h4ckNinja Feb 14 '16 at 17:52
  • 9
    Solution: use `lynx`. No JavaScript, no CSS oddities there. – Deer Hunter Feb 14 '16 at 17:58
  • 5
    Here is an example: https://thejh.net/misc/website-terminal-copy-paste – Gumbo Feb 14 '16 at 18:23
  • 2
    Use a browser plugin that disables access to the copy buffer. :) – Mark Buffalo Feb 14 '16 at 18:51
  • 1
    On [softwarerecs.se]: **[Warn me when I copy hidden content from a webpage](http://softwarerecs.stackexchange.com/q/11080/60)** – unor Feb 14 '16 at 22:00
  • 11
    Most answers solve your immediate problem. However, if you are learning Linux command-line, you'd be well-advised to type your commands yourself. Muscle memory sure helps, and you also have to build large command pipelines from scratch, one by one. https://github.com/jlevy/the-art-of-command-line is a great starting point. There's also another helpful command: https://github.com/p-e-w/maybe Of course, if you want to shoot yourself in the foot, no preventive measures can eliminate the risk... – Deer Hunter Feb 15 '16 at 09:28
  • 2
    @Simon Not a duplicate. OP is wondering how the paste is hiding data from the terminal. He pastes something, and it doesn't show some of the evil commands happening. – Mark Buffalo Feb 15 '16 at 14:16
  • @GAD3R please **don't add** another question on the same post if it will invalidate existing answers. Instead, you can ask a new question and reference this question if it is related. – Andrew T. Feb 15 '16 at 16:56
  • @GAD3R, ...but repair is too broad a scope to be answerable. – Charles Duffy Feb 15 '16 at 22:27
  • The information posted does not rule out "normal operations". Perhaps `deb http://ppa.launchpad.net/a_suspicious_some-ppa/` is a dependency of `deb http://ppa.launchpad.net/some-ppa/` or is left over from an earlier forgotten session? That the exact ppas are left out forces the reader to assume a possibly incorrect conclusion that the suspicious ppa is in fact suspicious to expert users, possibly malicious, or unauthorized. If the ppa's are edited into the question, additional fact checking can occur. – Paul Feb 15 '16 at 22:43
  • 1
    Just paste everything first into a text editor before running at the command line. It's probably best never to paste directly to the command line. – user1751825 Feb 16 '16 at 01:57
  • 1
    Pantheon Terminal gives a warning when you paste – Suici Doga Feb 16 '16 at 02:12

4 Answers4

82

Websites can append to your clipboard

The risk is exactly what you said it was. It's definitely possible to append malicious commands to the clipboard.

You could even append && rm -rf /* (only executes if the first command was successful), or ; rm -rf /* (executes even if the first command was unsuccessful) and brick certain UEFI devices.

You should also check out Michael's post in this thread for another example.

In the end, it really depends on how creative and malicious a particular evil "hacker" is.


But how can you make the commands "invisible" in the terminal?"

  1. Method one

    echo test;echo insert evil here;clear;echo installing package
    

    Execution order:

    1. Echo "test" happens
    2. Echo "insert evil here" happens
    3. Actions are "cleared"
    4. Intended action happens here, but you don't see the rest.

    ...

    You can try to scroll up in the terminal window to find the rest of it.

  2. Method two

    stty -echo 
    tput smcup
    

    This will disable the terminal from showing what you're typing, so it doesn't appear in the terminal window at all.

    You can try it like this:

    stty -echo;tput smcup;echo evil commands
    expected command
    

Those are just two really rough examples, but show the potential of what can be done to obfuscate commands. Note that it likely doesn't hide from ~/.bash_history unless the hidden commands specifically delete/modify it's contents.

You should assume that there are other ways to do this.


Mitigation

I recommend using an addon to disable clipboard manipulation. There are unfortunately ways to get around that, so I'd recommend pasting everything into a GUI text editor before it goes into your terminal, or anywhere.

You need to verify what you're doing. If you don't understand each individual command, you should google it. This is proper tinfoil hattery because copy and pasting can force the commands to auto-execute on many Linux flavors.


Repairing your Linux installation

You might not have any idea how deep the rabbit hole goes. Unless you have the time and effort to put into it, I'd suggest you just nuke from orbit, unless you have important files. If you have important files, just back up the non-executable stuff (no pdfs, documents, etc), and then nuke from orbit.

If you have PDFs, you can convert the PDF to post-script, or copy and paste the contents into a text file. With documents, copy and paste the text and format it later.

Mark Buffalo
  • 22,508
  • 8
  • 74
  • 91
  • 8
    But in all these cases, the website is putting actual plain text in the clipboard. So upon pasting, you'll see the real command. The OP implies that the added/altered command was somehow invisible *in the pasted terminal window*. – JDługosz Feb 14 '16 at 20:20
  • I don't follow. If you're a newbe you will have difficuky pasting (that's not the question), and command is in quotes implies some additional point? – JDługosz Feb 14 '16 at 20:26
  • @JDługosz I totally misunderstood that part. Thanks! Should be fixed now. – Mark Buffalo Feb 14 '16 at 20:33
  • 34
    @JDługosz if it's got a line break it will run immediately in your terminal. Who cares if you can see it or not. The damage is already done. – Neil McGuigan Feb 14 '16 at 20:40
  • @NeilMcGuigan Agreed. And if you paste any random command, chances are it will automatically force a line break and the command to execute. However, in OP's case, the additional command that was executed was *invisible* to them. – Mark Buffalo Feb 14 '16 at 20:52
  • I suspect this is one of the reasons air gapped networks are so popular in certain security conscious environments. – emory Feb 14 '16 at 21:07
  • 4
    Nice coverage on the terminal part, though I should point out that there is no way to really disable pasting crap into the clipboard in general. Even assuming the app (here the browser) is trusted and provides no API for untrusted principals to programmatically tamper with the clipboard, sites could use clever CSS tricks to make some invisible text be selectable over a background image containing text rendered with the user's assumed font on the fly. – Steve Dodier-Lazaro Feb 14 '16 at 23:07
  • 4
    @SteveDL **/sadface.** At least now I know my tinfoil clipboard practice really paid off after all these years. I actually verify everything in my clipboard before even putting it anywhere. – Mark Buffalo Feb 14 '16 at 23:15
  • 7
    @MarkBuffalo :-) I would recommend techies to use a "buffer", aka a text editor, and to verify they're happy with what they'll type line by line. Beginners.. well given the low volume of attacks out there and the level of confusion that this kind of details can cause I'd say "just copy paste whatever you like, but from *trusted sites*". – Steve Dodier-Lazaro Feb 14 '16 at 23:17
  • 1
    @SteveDL Yup, that's my buffer. I just hope it doesn't overflow... – Mark Buffalo Feb 14 '16 at 23:19
  • @MarkBuffalo oh you. – Steve Dodier-Lazaro Feb 15 '16 at 00:50
  • 1
    @SteveDL Considering that copypasting from the web loves to fetch other random stuff (like the next table cell's content) from the website, it's a good practice in any case. – Chieron Feb 15 '16 at 08:13
  • @SteveDL I like Virtual Machines. I can create a vm in seconds. I can blindly copy/paste stuff directly into a sudo terminal. If someone hides `rm -rf /` in the clipboard it will delete the root directory, but I won't care. I still use the text editor buffer, but I don't worry too much. Attackers, go ahead and pwn the machine that will be destroyed in a minute anyway. – emory Feb 15 '16 at 13:29
  • @emory Agreed. Careful of break-outs, though. ;) – Mark Buffalo Feb 15 '16 at 13:33
  • @emory I usually execute commands so that they do something to my real system though :p All in all it's the same, you have to observe the source or the outcome and then decide if you wanna run it. I'd use firejail over a VM though because VMs are slower and more annoying to setup (esp. when running an old laptop). – Steve Dodier-Lazaro Feb 15 '16 at 15:32
  • @Mark Buffalo - Although i have noticed that pasting the text with `CTRL + SHIFT + V` renders the full text. – Motivated Feb 16 '16 at 06:40
  • Actually, in bash you can get command not being recored into history file by adding a whitespace before it. – Ivan Kolmychek Feb 16 '16 at 14:21
  • @Thomas Michael's link already explained that, and I linked to his post. – Mark Buffalo Feb 16 '16 at 15:05
  • 1
    A third way to hide the malicious activity is to attack the text editor directly. Induce the victim to paste some text into a _terminal based_ text editor and embed control sequences to manipulate that editor via its scripting language to do evil deeds. Consequently, advice to check text in a text editor needs to be clear that the editor should be a GUI editor. – sh1 Apr 13 '18 at 05:43
  • @sh1 Good point. Updated. – Mark Buffalo Apr 13 '18 at 16:14
38

There is a risk. Websites can use CSS and JavaScript to hide things and then when you copy from that website, you actually copy what they want. @Gumbo provided the example: https://thejh.net/misc/website-terminal-copy-paste.

The fix: Don't copy and paste from websites you don't trust. Or visit them.

h4ckNinja
  • 3,026
  • 16
  • 24
  • 4
    That's hideous. – Mark Buffalo Feb 14 '16 at 19:53
  • 2
    Isn't it though? – h4ckNinja Feb 14 '16 at 23:08
  • Uhhh. Why? Should we encourage people to visit websites they don't trust? Is that really a good idea? – h4ckNinja Feb 15 '16 at 05:31
  • 2
    The good idea is to trust no one. We should discourage people not from exploring the 'net, but from having "I hereby trust you" attitude towards everything they read (and people's browsers from having the like attitude towards everything they open). Did I trust SE first time google pointed me to it? Hell no! Do I now? Well... – Eugene Ryabtsev Feb 15 '16 at 06:08
  • You are making this much too simplistic. But do whatever you think is the right thing. – h4ckNinja Feb 15 '16 at 06:22
  • 3
    The less horrible alternative is, don't copy and paste directly from the web site to your terminal - paste it into a text editor first and review it. I would think that's a pretty obvious remedy. – Chris Johnson Feb 15 '16 at 19:01
  • 1
    @EugeneRyabtsev [The answer should at most be "sometimes".](http://meta.stackoverflow.com/q/287238/1394393) (Pay special attention to the leave upvoted answer.) – jpmc26 Feb 16 '16 at 07:27
  • Advice that relies on the user making a trust decision about a website is going to fail far too often. How many people, for example, do you suppose trust [Stack Exchange](https://security.stackexchange.com/q/39118/27540)? – sh1 Apr 13 '18 at 05:34
20

Yes, cutting and pasting commands from untrusted web sites can be dangerous. The text you paste will always contain the text you copy, but can have more text before, in between or after that.

On the web page this is done by CSS. Just make the extra text invisible. It will still be copied.

When you paste it in a terminal, the extra text will be shown. However, if it contains a newline it will be immediately executed and the damage will be done. Also, it can contain commands to clear away the extra text.

To avoid the danger paste the text into a text editor. Look it over. And then copy it from the editor to the terminal.

Just... make sure you understand the command well enough that you know it is safe. The other danger of pasting unknown commands is that you can simply don't understand what you are doing.

Stig Hemmer
  • 2,413
  • 10
  • 14
  • 1
    Excellent pratical comment. One of my mantra to my trainees is: more important than finding web pages, is understanding what is in there. Often there are mistakes, a critical step is missing, or it does not really applies to what you need. – Rui F Ribeiro Feb 15 '16 at 08:55
  • 4
    Pasting into a text editor is a good general rule as even a well-intentioned site in a well-intentioned browser can copy a linefeed without it being obvious, and you may well want to edit the code. It may or may not protect against malice or bugs related to character encoding, depending on how clever your editor tries to be. – Chris H Feb 15 '16 at 08:55
  • (modded you both up) – Rui F Ribeiro Feb 15 '16 at 08:55
  • Stig, I disagree with the notion that "the text you paste will always contain the text you copy". – Deer Hunter Feb 15 '16 at 09:29
  • You don't need an actual text editor. If you don't trust what you're pasting, just run `cat`, so your paste goes into its stdin. Or `cat > /dev/null` if it's something that will cause too much clutter when `cat` writes it out again. This could possibly still be dangerous if the paste contains an embedded ctrl-D or ctrl-C. It's unlikely that anything that would exit `cat` can do something useful if pasted directly into a shell. Hmm, maybe start out with `cat\n`, which does nothing if already in `cat`... So this isn't totally safe, but better than something that's too much work to do. – Peter Cordes Feb 15 '16 at 20:53
17

Besides the excellent answers above, I would add that besides malicious purposes, there are also issues copying&pasting from websites or PDFs due to character encoding.

You may be thinking you are pasting a group of characters, and due to character encoding, be pasting a different things, and having issues difficult to track down.

syslog fails to start

From the thread, the OP thought he had pasted:

file("/var/log/cisco/cisco.log");

But in reality he pasted something like this:

file(▒~@~\/var/log/cisco/cisco.log▒~@~]); 
Rui F Ribeiro
  • 1,736
  • 9
  • 15