On Fri, Sep 28, 2018 at 04:54:03AM -0700, Marcus Linsner wrote:
> i.e. you think you've copied what you see, but you copied so much more sneaky 
> text that can take over your system.
> 
> On this page[1] there's the text "ls -lat" which if you copy then paste in 
> your terminal, you're actually pasting this whole thing instead:
> 
> ls ; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo 
> -ne 'h4cking ## (10%)\r'; sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep 
> 0.3; echo -ne 'h4cking ##### (33%)\r'; sleep 0.3; echo -ne 'h4cking ####### 
> (40%)\r'; sleep 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3; echo 
> -ne 'h4cking ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking 
> ##################### (99%)\r'; sleep 0.3; echo -ne 'h4cking 
> ####################### (100%)\r'; echo -ne '\n'; echo 'Hacking complete.'; 
> echo 'Use GUI interface using visual basic to track my IP'
> ls -lat 
> 
> I guess one mitigation would be setting a sudo password, even in VMs? 
> Qubes has no password for sudo by default.
> 
> What else can be done? Thoughts?
> 
> If using uMatrix, uBlock Origin and NoScript, all with blocking all by 
> default, the page only requires allowing (2 pieces of) CSS from 
> www.blogger.com for this to be completely hidden: i.e. you think you copied 
> "ls -lat", but assuming you don't Ctrl+Shift+C it too AND look at the size of 
> the copied text in the notification (575 bytes instead of 7), you won't notice 
> anything abnormal, until pasted in the terminal.
> 
> If not allowing even the CSS, then there's something visible on the left when 
> "ls -lat" is selected (actually when the space in-between is selected) which 
> gives it away. I attached the 3 pictures for this case.
> 
> (Not attaching screenshot for when allowing (only) CSS from www.blogger.com 
> because it's obvious that it looks normal and you can't see the hidden text.)
> 
> [1] https://lifepluslinux.blogspot.com/2017/01/look-before-you-paste-from-website-to.html

I am never in favour of copying and pasting commands into a terminal.
The best "mitigation" is not to do it.

An alternative would be to copy the text, paste it into a plain text
editor, inspect what's there and then copy that.
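
The inspection step suggested above can also be scripted. The following is an added example, not part of the original messages: it compares the text you meant to copy with what actually landed on the clipboard, using the byte-count mismatch mentioned in the thread plus checks for line breaks, shell separators and invisible characters. The function names and sample strings are constructed for illustration.

```python
import unicodedata

# Constructed sample: what the page showed vs. what a hidden span added.
VISIBLE = "ls -lat"
CLIPBOARD = "ls ; clear; echo 'hidden text (constructed sample)'\nls -lat "


def inspect_paste(visible: str, clipboard: str) -> list[str]:
    """Return reasons the clipboard content differs from what was seen."""
    findings = []
    seen, got = len(visible.encode()), len(clipboard.encode())
    if got != seen:
        findings.append(f"size mismatch: saw {seen} bytes, clipboard holds {got}")
    body = clipboard.rstrip("\n")
    if "\n" in body or "\r" in body:
        findings.append("embedded line break: earlier lines run as soon as pasted")
    if clipboard.endswith("\n"):
        findings.append("trailing newline: last line runs without pressing Enter")
    # Command separators and substitutions that were not in the visible text.
    for sep in (";", "&", "|", "`", "$("):
        if sep in clipboard and sep not in visible:
            findings.append(f"shell metacharacter not in visible text: {sep!r}")
    # Control (Cc) and format (Cf) characters: escape bytes, zero-width chars.
    for ch in sorted(set(clipboard)):
        if unicodedata.category(ch) in ("Cc", "Cf") and ch not in "\n\r\t":
            findings.append(f"invisible/control character U+{ord(ch):04X}")
    return findings


def render(clipboard: str) -> str:
    """Escaped, printable view of the clipboard, one pasted line per row."""
    return "\n".join(
        line.encode("unicode_escape").decode("ascii")
        for line in clipboard.splitlines()
    )


if __name__ == "__main__":
    for finding in inspect_paste(VISIBLE, CLIPBOARD):
        print("WARNING:", finding)
    print(render(CLIPBOARD))
```

An empty result only means none of these checks fired; reading the rendered text is still the deciding step.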
