
Attack on Linux users or how to build a botnet by admins

To keep the experiment honest, I suggest following the link and carrying out the instruction there titled "installation of useful packages". The instructions are written for Ubuntu users.

The link is only a "demonstration" of this kind of attack, but either way these steps are best performed in a virtual machine.

Below is a description of what happened, in case you were not too lazy to carry out the steps above.

A small preface: when working through a server setup manual, it is often tedious to type all the commands by hand, especially the long ones, so people copy and paste them. Most terminals do not treat a pasted line feed specially: each newline acts as an Enter keypress, and whatever precedes it runs immediately.
What if the code on the page were substituted at copy time, so that when it is pasted into the console the attacker's commands run automatically? The only remaining question is how to hide the bad code from the user's eyes.
This led to the following idea:
1. Ask the user to raise their privileges to root, which looks perfectly logical given that packages are about to be installed.
2. Write a long command, thereby pushing the user to copy it rather than type it by hand.
3. On copy, replace the clipboard contents with the set of commands needed for the attack, namely:
set +o history && echo 'echo you hacked!' > /tmp/test.sh && chmod +x /tmp/test.sh && /tmp/test.sh && printf "\033c" && set -o history
sudo su
apt-get update && apt-get install mc && apt-get install vim && apt-get install htop && apt-get install man


Parsing the first line:
1. Turn off the history of entered commands
 set +o history 

2. Create and execute the malicious code itself
 echo 'echo you hacked!' > /tmp/test.sh && chmod +x /tmp/test.sh && /tmp/test.sh 

3. Clear the console screen (clear would also work)
 printf "\033c" 

4. Turn history back on
 set -o history 


The second line is what ends up recorded in history as the command that was entered, i.e. the visible command and the actual package-installation code.
As a result (depending on the terminal used), if you paste the copied text directly into the console, the unwanted commands are executed and appear neither in the history nor on the screen.

If everything went as intended, the "malware" will be sitting at /tmp/test.sh, having already been executed at the moment the text was pasted into the console.

In general, use terminals that warn you before pasting text containing line breaks, and do not mindlessly paste code from unverified sources. On Windows, ConEmu warns about pasting such text.
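As an added example, not code from the original post, here is a POSIX sh function that inspects text before it is pasted into a shell and flags the ingredients of the attack described above: embedded newlines, raw control characters, screen-reset sequences and history suppression. It assumes some clipboard tool (xclip in the comment is an assumption) supplies the text; the sample inputs in the comments are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): screen text that is about to be
# pasted into a shell for the tricks described above.
# Assumed usage with xclip:  check_paste "$(xclip -o -selection clipboard)"
# Exit status 0: looks like a single plain line; 1: suspicious, read it first.

check_paste() {
    text=$1
    suspicious=0

    # Line breaks are the core of the trick: a pasted newline acts as Enter,
    # so everything before it runs before the user can read the rest.
    lines=$(printf '%s' "$text" | awk 'END { print NR }')
    if [ "$lines" -gt 1 ]; then
        echo "WARN: $lines lines would be pasted as one command" >&2
        suspicious=1
    fi

    # Raw ESC (0x1b) or CR bytes can rewrite what the terminal displays.
    if printf '%s' "$text" | grep -q "$(printf '[\033\r]')"; then
        echo "WARN: raw control characters present" >&2
        suspicious=1
    fi

    # Literal terminal reset/clear sequences used to wipe the screen afterwards.
    case $text in
        *'\033c'*|*'\ec'*|*'\e[2J'*|*'clear &&'*|*'&& clear'*|*'; clear'*)
            echo "WARN: screen reset/clear in pasted text" >&2
            suspicious=1 ;;
    esac

    # History suppression, so the payload never shows up in ~/.bash_history.
    case $text in
        *'set +o history'*|*'unset HISTFILE'*|*'HISTFILE='*|*'HISTSIZE=0'*)
            echo "WARN: command history is being disabled" >&2
            suspicious=1 ;;
    esac

    return $suspicious
}
```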

PS The above example is only my guess at a possible problem; I have not encountered it in practice.
The article was written only to warn users about this quite plausible attack vector.

UPD. Thanks to ValdikSS for the tip: thejh.net/misc/website-terminal-copy-paste . Example updated.

I would also like to hear readers' opinions on how real this threat is in practice, and whether you have ever noticed code executing after pasting a copied command into the console.

Source: https://habr.com/ru/post/275075/
