Given the content of this blog, and the type of information someone on it would be looking for, I figured I would cover one lesser-known vulnerability that SysAdmins often open themselves up to without thinking. This is not a high-tech attack vector, but it is an easy one. The attack can occur whenever you copy/paste commands from a website directly into a terminal. I will first show you an example of what happens, then explain how it is happening and how to protect yourself.
For simplicity and transparency, we’ll use a command that everyone on this site should understand. Below we are just going to issue the command to change directory to our current user’s desktop. Obviously, you would not need to copy this command in real life, but for now pretend it is something longer and more complex that you would not want to type out by hand. So, please copy the code below and paste it into terminal – I promise it does nothing bad.
clear;echo -n 'Hello ';whoami|tr -d '\n';echo '!';echo 'I tried to warn you...';osascript -e 'set volume 4';say -v Trinoids 'This Mac will now self-destruct'
As you can see, simply by pasting this command into the terminal it was able to run unexpected code with your user permissions. For those who don’t fully understand how this can be exploited, try the same thing with the following code (again, I promise it does nothing harmful):
clear;touch created_file;curl -O https://www.yalpski.net/downloaded_file.txt;open downloaded_file.txt;clear
This example created a file on your desktop and downloaded one there. They are called “created_file” and “downloaded_file.txt”. You may now safely remove them.
So, how does this work? As I mentioned, it is actually rather unsophisticated. All that is happening is that, in the middle of the command, there is a span element with the malicious code inside. This element is positioned at -100 x -100 pixels – meaning it is hidden from view. So, although it is rendered off screen, when you highlight and copy the command you also copy the malicious code. That code includes a line break, which causes it to run immediately upon pasting. It can be made nearly undetectable to someone who is not paying close attention: redirect the standard output of any commands that are run, add a clear command at the end, and finish the malicious code with the originally copied bit of text (as you can see in both examples).
Now, how do you protect yourself from this sort of thing? Well, it is very simple – just paste the commands you intend to use into a text editor before you paste them into the terminal. If you try that with these examples, you will clearly see exactly what is happening. Obviously you do not necessarily have to do this for every site (for example, this is the only time this will be included on this one), but for any site you don’t fully trust, I would do it as a precaution.
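As an added example (not part of the original post), the following POSIX shell script automates the "look before you paste" check described above. It reads the text you are about to paste from standard input and reports the two things the hidden-span trick depends on: embedded line breaks, which make the shell execute the text the moment it is pasted, and bytes outside printable ASCII. The function names, the `pbpaste`/`xclip` usage in the comments, and the sample strings are my own assumptions; the samples are constructed to have the same shape the post describes (a visible command, a hidden line, then the visible command again) and run nothing harmful.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-paste inspection for text
# copied from a web page. Typical use (assumed, not from the post):
#   pbpaste | paste_check        # macOS
#   xclip -o | paste_check       # Linux with xclip installed

# Count embedded line breaks (LF or CR) in the text on stdin.
count_breaks() {
    # Command substitution strips trailing newlines, so a final newline does
    # not count; only breaks inside the text do, which is what matters here.
    text=$(cat)
    printf '%s' "$text" | LC_ALL=C tr -cd '\n\r' | wc -c | tr -d ' '
}

# Count bytes outside printable ASCII (0x20-0x7e) and tab. LF and CR are
# excluded because count_breaks already reports them. Non-ASCII bytes are
# flagged too: a command line copied from a page should normally be plain ASCII.
count_odd_bytes() {
    text=$(cat)
    printf '%s' "$text" | LC_ALL=C tr -d '\040-\176\011\012\015' | wc -c | tr -d ' '
}

# Print a one-line verdict for the text on stdin and return 0 (clean) or
# 1 (suspicious), so it can also be used as a condition.
paste_verdict() {
    text=$(cat)
    breaks=$(printf '%s' "$text" | count_breaks)
    odd=$(printf '%s' "$text" | count_odd_bytes)
    if [ "$breaks" -eq 0 ] && [ "$odd" -eq 0 ]; then
        echo ok
        return 0
    fi
    echo "suspicious: $breaks embedded line break(s), $odd control/non-ASCII byte(s)"
    return 1
}

# Full check: verdict first, and when suspicious, show the text with control
# characters made visible (cat -v prints a carriage return as ^M, for example)
# so the hidden part can actually be read before anything is executed.
paste_check() {
    text=$(cat)
    if printf '%s' "$text" | paste_verdict; then
        return 0
    fi
    printf '%s\n' "$text" | cat -v
    return 1
}

# Constructed samples (not real page content). The "hidden" one mimics the
# layout the post describes: visible command, an injected line, then the
# visible command again so the terminal ends up looking as expected.
SAMPLE_CLEAN='cd ~/Desktop'
SAMPLE_HIDDEN=$(printf 'cd ~/Desktop\necho hidden;clear\ncd ~/Desktop')

# Demonstration; the non-zero status from the hidden sample is expected.
printf '%s' "$SAMPLE_CLEAN" | paste_check
printf '%s' "$SAMPLE_HIDDEN" | paste_check || true
```

This checks the clipboard contents rather than the page, so it catches the trick regardless of how the hidden text was styled. As a complementary measure, recent readline-based shells support bracketed paste mode (bash 5.1 enables it by default; older versions can turn it on with `set enable-bracketed-paste on` in `~/.inputrc`, and zsh has had it on by default since 5.1), which keeps a pasted newline from executing the line until you press Enter yourself. It does not remove the need to read what you pasted, but it does buy you the moment to do so.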