How to mitigate against copying of CSS-hidden text then pasting it into a terminal ?

39 views
Skip to first unread message

Marcus Linsner

unread,
Sep 28, 2018, 7:54:03 AM9/28/18
to qubes-users
ie. you think you've copied what you see, but you copied so much more sneaky text that can takeover your system.

On this page[1] there's the text "ls -lat" which if you copy then paste in your terminal, you're actually pasting this whole thing instead:

ls ; clear; echo 'Haha! You gave me access to your computer with sudo!'; echo -ne 'h4cking ## (10%)\r'; sleep 0.3; echo -ne 'h4cking ### (20%)\r'; sleep 0.3; echo -ne 'h4cking ##### (33%)\r'; sleep 0.3; echo -ne 'h4cking ####### (40%)\r'; sleep 0.3; echo -ne 'h4cking ########## (50%)\r'; sleep 0.3; echo -ne 'h4cking ############# (66%)\r'; sleep 0.3; echo -ne 'h4cking ##################### (99%)\r'; sleep 0.3; echo -ne 'h4cking ####################### (100%)\r'; echo -ne '\n'; echo 'Hacking complete.'; echo 'Use GUI interface using visual basic to track my IP'
ls -lat

I guess one mitigation would be setting a sudo password, even in VMs?.
Qubes has no password for sudo by default.

What else can be done? Thoughts?

If using uMatrix, uBlock Origin and NoScript, all with blocking all by default, the page only requires allowing (2 pieces of) CSS from www.blogger.com for this to be completely hidden: ie. you think you copied "ls -lat", but assuming you don't Ctrl+Shift+C it too AND look at the size of the copied text in the notification(575 bytes instead of 7), you won't notice anything abnormal, until pasted in the terminal.

If not allowing even the CSS, then there's something visible on the left when "ls -lat" is selected(actually when the space in-between is selected) which gives it away. I attached the 3 pictures for this case.

(Not attaching screenshot for when allowing (only) CSS from www.blogger.com because it's obvious that it looks normal and you can't see the hidden text.)

[1] https://lifepluslinux.blogspot.com/2017/01/look-before-you-paste-from-website-to.html

01_Screenshot_2018-09-28_13-41-59.png
02_Screenshot_2018-09-28_13-42-16.png
03_Screenshot_2018-09-28_13-42-24.png

unman

unread,
Sep 28, 2018, 8:06:57 AM9/28/18
to qubes-users
I am never in favour of copying and pasting commands in to a terminal.
The best "mitigation" is not to do it.

An alternative would be to copy the text, paste it in to a plain text
editor, inspect what's there and then copy that.

Yethal

unread,
Sep 29, 2018, 11:42:19 PM9/29/18
to qubes-users
Well, one mitigation (albeit rather annoying one) would be to type the visible command manually instead of copying and pasting it into the terminal

haaber

unread,
Sep 30, 2018, 2:48:13 AM9/30/18
to qubes...@googlegroups.com
If you use the "qubes hardening" ideas develloped by Chris (here on the
list), you should still be reasonably protected, even when you are
"caught" like this. See
https://github.com/tasket/Qubes-VM-hardening/issues/2 Additionally, to
my point of view  you should use a "browser-VM" that is used for nothing
else than (unsafe) browsing, separated from an online-banking-vm with
limited internet acces (via firewall rules). etc.  Bernhard
Reply all
Reply to author
Forward
0 new messages