Root Causes 200: Why Not to Copy and Paste Commands from Web Pages
This episode describes newly revealed vulnerabilities where copying and pasting text from a web page can open the site visitor up to attack. Our hosts explain how this attack can occur and its potential consequences, along with how to defend yourself against this threat.
- Original Broadcast Date: January 19, 2022
Episode Transcript
Lightly edited for flow and brevity.
-
Tim Callan
You noticed this article and sent it over to me, and we’re going to talk about it. This is a January 3, 2022 article. I got it out of BleepingComputer. The headline is “Don’t Copy Paste Commands From Web Pages.” You can get hacked. The gist of it, I’m going to try to do it justice, and you can correct me if I get it wrong, is that a white hat researcher Gabriel Friedlander has published a demo basically illustrating the idea that if I go to a web page and I copy what I think is a line of text, the actual text that I might copy and then paste could be different and could be for instance used in an attack.
-
Jason Soroko
I would say the people who are most vulnerable to this attack, Tim, would be developers. I remember being a developer, all my developer friends, we all do this. We search code snippets, and we find the code snippet, and we copy the code snippet from a website, and then we paste it, presumably sometimes right into a command line, or it could be into our code, and my goodness, be careful.
-
Tim Callan
You copy and paste it because you want to be careful. Because if you have to sit and try to recreate it with your fingers, then there’s an opportunity to make mistakes. If you copy and paste it, then you're getting it character for character, exactly the way it should be.
-
Jason Soroko
In fact, Tim, for developers, developers know this, but most websites that are dedicated to developers in fact have very, very specific formatting on the website so that a piece of text that’s explaining the code will be in a certain format, a very legible format, and then, typically the code itself will be in some sort of encoded formatting so that it’s easy to copy and paste. That’s very common in the modern era, and the countless amounts of code that I’ve copied and pasted, it amazes me that I haven’t thought of this, but when I saw the article, it prompted me to want to talk about this on this podcast because we got a lot of technical people, a lot of people who do administration of PKI and whatnot. I mean, anything and everything. That’s sometimes not just you as a developer but you as an operational person and IT administrator, etc. It’s quite common to copy and paste from a website.
-
Jason Soroko
What’s happening, Tim, is underneath the actual piece of text that you’re copying, there’s some JavaScript which is hiding the actual text that you are copying so that when you then paste, basically you think you're copying one command, when in fact you’re pasting another command, and what’s worse is quite often, if that bad guy wants you to execute that command immediately, especially into a command line, there’s a carriage return at the end. In other words, as soon as you hit paste, it’s essentially an executed command, if you are pasting that directly into a command line.
-
Tim Callan
Which one would guess would be the primary attack scenario here.
-
Jason Soroko
It definitely would lead to the worst-case scenarios. That’s absolutely right.
-
Tim Callan
I mean, when you start to say, well, you see this JavaScript down here that’s hiding this, this is deliberate bad-guy behavior. This is not the kind of thing that could occur by accident. This is an attack.
-
Jason Soroko
Absolutely. But think about this, Tim, and our company, Sectigo, with a SiteLock product, one thing that we look for is defacements, and malicious code put on your website. Think about this. You might be, you might have a fantastic blog, where you offer up code snippets, and you’re perfectly legit, and you’re very handy, and people like your site. Well, what happens if a bad guy has compromised your site, and as a form of defacement unbeknownst to you, that code which looks perfectly legit on the website, has now had an injected JavaScript underneath it.
-
Tim Callan
In that scenario, the person responsible for the content may not even detect it. I go to a site, I read it, and everything looks exactly like it’s supposed to.
-
Jason Soroko
Exactly. And it’s not like there’s some sort of checksum for code snippets. It’s not like for large binaries where we double-check against, hey, is every i dotted and t crossed here. Typically, code snippets that are just copied and pasted, I don’t know anybody who does anything more than a cursory look and going, yeah, that looks legit, copy, paste.
I guess the way around this is before you paste into a command line, paste into your favorite text editor of choice and just have a good look at what it is you actually pasted. I think that that’s good hygiene and a best practice now going forward.
-
Tim Callan
You’d think that that would knock out, I mean, the real bad commands. Maybe there’s something subtle like I give you some, I turn your good code into broken code by omitting a character somewhere, but that’s not going to result in an attack. That’s just going to result in a bad compile, so.
-
Jason Soroko
The example used in the proof of concept was clever in that it actually resulted in a remote code execution. In other words, what was really happening here was there was a payload being downloaded from a malicious site, and then executed as a shell script, which is the nightmare scenario. So, it doesn’t have to be just a single line of code; actually, the command would be downloading an entire shell script and executing it within your current session. That is the nightmare scenario, and that was shown in the proof of concept, and so, as soon as I saw that, I have to admit - I mean, I’ve been around security a long time - this is not an attack vector I had thought of, but now that I’ve seen it, I am no longer ever going to copy and paste directly from a website into a command line.
-
Tim Callan
Alright. Well, that’s good advice. Gabriel Friedlander, nicely done on getting the word out on this. Jason, nicely done on noticing this and further spreading the word. Listeners, it’s good advice. You should think about that. Thank you, Jason.