CTRL-V vector turns “not evil” into “evil” without the target noticing
At first glance, it looks like purely a stunt-attack, except for this: a phishing e-mail purporting to be from tech support could trick a victim into dropping a message into a terminal window and executing it – not realising that what’s in the clipboard got changed on the way.
In the simple proof-of-concept of “Pastjacking” here, you think you’re copying the command echo “not evil” into the terminal, but what lands in the clipboard is echo “evil”\n.
The newline appended to what lands in the clipboard means the user doesn’t get the chance to review what appears on the terminal command line: as soon as they paste from the clipboard to the terminal, it executes.
Dylan Ayrey, who published the exploit at GitHub, explains: “If a user attempts to copy the text with keyboard shortcuts, i.e. ctrl+c or command+c, an 800ms timer gets set that will override the user’s clipboard with malicious code”.
Another example he gives is:
touch ~/.evilclearecho “not evil”
“This command will create an evil file in your home directory and clear the terminal out.
The victim appears to have the command they intended to copy, nicely pasted into the terminal”, he writes.
Sponsored: Rise of the machines